Secure workspaces

As an administrator, you can choose to have your subscribers authenticate to their workspaces using one of the following authentication methods:

  • Active Directory (AD)
  • Active Directory plus token
  • Azure Active Directory (AAD)
  • Citrix Gateway
  • Google
  • Okta
  • SAML 2.0

These authentication options are available to any Citrix Cloud service. For more information, see Tech Brief: Workspace Identity.

Citrix Workspace also supports using Citrix Federated Authentication Service (FAS) to provide single sign-on (SSO) to Citrix DaaS. SSO with FAS removes the need for subscribers to authenticate to DaaS after already signing in to their workspaces using a federated authentication method. For more information, see Enable single sign-on for workspaces with Citrix Federated Authentication Service.

Choose or change authentication methods

After configuring your identity providers, you choose or change how subscribers authenticate to their workspace in Workspace Configuration > Authentication > Workspace Authentication.

Workspace authentication settings

Important:

Switching authentication modes can take up to five minutes and causes an outage to your subscribers during that time. Citrix recommends limiting changes to periods of low usage. If you do have subscribers logged on to Citrix Workspace using a browser or Citrix Workspace app, advise them to close the browser or exit the app. After waiting approximately five minutes, they can sign in again using the new authentication method.

Active Directory (AD)

By default, Citrix Cloud uses Active Directory (AD) to manage subscriber authentication to workspaces.

To use AD, you must have at least two Citrix Cloud Connectors installed in the on-premises AD domain. For more information on installing the Cloud Connector, see Cloud Connector Installation.

Active Directory (AD) plus token

For greater security, Citrix Workspace supports a time-based token as a second factor of authentication to AD sign-in.

For each login, Workspace prompts subscribers to enter a token from an authentication app on their enrolled device. Before signing in, subscribers must enroll their device with an authentication app that follows the Time-Based One-Time Password (TOTP) standard, such as Citrix SSO. Currently, subscribers can enroll only one device at a time.

For more information, see Tech Insight: Authentication - TOTP and Tech Insight: Authentication - Push.

Requirements for AD plus token

Active Directory plus token authentication has the following requirements:

  • A connection between Active Directory and Citrix Cloud, with at least two Cloud Connectors installed in your on-premises environment. For requirements and instructions, see Connect Active Directory to Citrix Cloud.
  • Active Directory + Token authentication enabled in the Identity and Access Management page. For information, see To enable Active Directory plus token authentication.
  • Subscriber access to email to enroll devices.
  • A device on which to download the authentication app.

First-time enrollment

Subscribers enroll their devices using the enrollment process described in Register devices for two-factor authentication.

During first-time sign-in to Workspace, subscribers follow the prompts to download the Citrix SSO app. The Citrix SSO app generates a unique one-time password on an enrolled device every 30 seconds.

Important:

During the device enrollment process, subscribers receive an email with a temporary verification code. This temporary code is used only to enroll the subscriber’s device. Using this temporary code as a token for signing in to Citrix Workspace with two-factor authentication isn’t supported. Only verification codes that are generated from an authentication app on an enrolled device are supported tokens for two-factor authentication.

Re-enroll a device

If a subscriber no longer has their enrolled device or needs to re-enroll it (for example, after erasing content from the device), Workspace provides the following options:

  • Subscribers can re-enroll their devices using the same enrollment process described in Register devices for two-factor authentication. Because subscribers can enroll only one device at a time, enrolling a new device or re-enrolling an existing device removes the previous device registration.

    Device removed message

  • Administrators can search for subscribers by Active Directory name and reset their device. To do that, go to Identity and Access Management > Recovery. During the next sign-on to Workspace, the subscriber experiences the first-time enrollment steps.

    Recovery tab

Azure Active Directory

Use of Azure Active Directory (AD) to manage subscriber authentication to workspaces has the following requirements:

  • Azure AD with a user who has global administrator permissions. For more information on the Azure AD applications and permissions that Citrix Cloud uses, see Azure Active Directory Permissions for Citrix Cloud.
  • A Citrix Cloud Connector installed in the on-premises AD domain. The machine must also be joined to the domain that is syncing to Azure AD.
  • VDA version 7.15.2000 LTSR CU VDA or 7.18 current release VDA or higher.
  • A connection between Azure AD and Citrix Cloud. For information, see Connect Azure Active Directory to Citrix Cloud.

When syncing your Active Directory to Azure AD, the UPN and SID entries must be included in the sync. If these entries aren’t synchronized, certain workflows in Citrix Workspace fail.

Warning:

  • If you’re using Azure AD, don’t make the registry change described in CTX225819. Making this change might cause session launch failures for Azure AD users.
  • Adding a group as a member of another group (nesting) is supported with the DSAuthAzureAdNestedGroups feature enabled. You can enable DSAuthAzureAdNestedGroups by submitting a request to Citrix Support.

After enabling Azure AD authentication:

  • Added security: For security, users are prompted to sign in again when launching an app or a desktop. The password information flows directly from user’s device to the VDA that is hosting the session.
  • Sign-in experience: Azure AD authentication provides federated sign-in, not single sign-on (SSO). Subscribers sign in from an Azure sign-in page, and might have to authenticate again when opening Citrix DaaS.

For SSO, enable the Citrix Federated Authentication Service in Citrix Cloud. See Enable single sign-on for workspaces with Citrix Federated Authentication Service for more information.

You can customize the sign-in experience for Azure AD. For information, see the Microsoft documentation. Any sign-in customizations (the logo) made in Workspace Configuration do not affect the Azure AD sign-in experience.

The following diagram shows the sequence of Azure AD authentication.

Diagram of Azure AD authentication sequence

Citrix Gateway

Citrix Workspace supports using an on-premises Citrix Gateway as an identity provider to manage subscriber authentication to workspaces. For more information, see Tech Insight: Authentication - Citrix Gateway.

Requirements for Citrix Gateway

Citrix Gateway authentication has the following requirements:

  • A connection between your Active Directory and Citrix Cloud. For requirements and instructions, see Connect Active Directory to Citrix Cloud.
  • Subscribers must be Active Directory users to sign in to their workspaces.
  • If you’re performing federation, your AD users must be synchronized to the federation provider. Citrix Cloud requires the AD attributes to allow users to sign in successfully.
  • An on-premises Citrix Gateway:
    • Citrix Gateway 12.1 54.13 Advanced edition or later
    • Citrix Gateway 13.0 41.20 Advanced edition or later
  • Citrix Gateway authentication enabled in the Identity and Access Management page. This generates the client ID, secret, and redirect URL required to create the connection between Citrix Cloud and your on-premises Gateway.
  • On the Gateway, an OAuth IdP authentication policy is configured using the generated client ID, secret, and redirect URL.

For more information, see Connect an on-premises Citrix Gateway as an identity provider to Citrix Cloud.

Subscriber experience of Citrix Gateway

When authentication with Citrix Gateway is enabled, subscribers experience the following workflow:

  1. The subscriber navigates to the Workspace URL in their browser or launches Workspace app.
  2. The subscriber is redirected to the Citrix Gateway logon page and is authenticated using any method configured on the Gateway. This method can be MFA, federation, conditional access policies, and so on. You can customize the Gateway logon page so that it looks the same as the Workspace sign-in page using the steps described in CTX258331.
  3. After successful authentication, the subscriber’s workspace appears.

Google

Citrix Workspace supports using Google as an identity provider to manage subscriber authentication to workspaces.

Requirements for Google

  • A connection between your on-premises Active Directory and Google Cloud.
  • A developer account with access to the Google Cloud Platform console. This account is required for creating a service account and key, and enabling the Admin SDK API.
  • An administrator account with access to the Google Workspace Admin console. This account is required for configuring domain-wide delegation and a read-only API user account.
  • A connection between your on-premises Active Directory domain and Citrix Cloud, with Google authentication enabled in the Identity and Access Management page. To create this connection, at least two Cloud Connectors are required in your resource location.

For more information, see Connect Google as an identity provider to Citrix Cloud.

Subscriber experience with Google

When authentication with Google is enabled, subscribers experience the following workflow:

  1. The subscriber navigates to the Workspace URL in their browser or launches the Workspace app.
  2. The subscriber is redirected to the Google sign-in page and is authenticated using the method configured in Google Cloud (for example, multifactor authentication, conditional access policies, and so on).
  3. After successful authentication, the subscriber’s workspace appears.

Okta

Citrix Workspace supports using Okta as an identity provider to manage subscriber authentication to workspaces. For more information, see Tech Insight: Authentication - Okta.

Requirements for Okta

Okta authentication has the following requirements:

  • A connection between your on-premises Active Directory and your Okta organization.
  • An Okta OIDC web application configured for use with Citrix Cloud. To connect Citrix Cloud to your Okta organization, you must supply the Client ID and Client Secret associated with this application.
  • A connection between your on-premises Active Directory domain and Citrix Cloud, with Okta authentication enabled in the Identity and Access Management page.

For more information, see Connect Okta as an identity provider to Citrix Cloud.

Subscriber experience with Okta

When authentication with Okta is enabled, subscribers experience the following workflow:

  1. The subscriber navigates to the Workspace URL in their browser or launches the Workspace app.
  2. The subscriber is redirected to the Okta sign-in page and is authenticated using the method configured in Okta (for example, multifactor authentication, conditional access policies, and so on).
  3. After successful authentication, the subscriber’s workspace appears.

Okta authentication provides federated sign-in, not single sign-on (SSO). Subscribers sign in to workspace from an Okta sign-in page, and might have to authenticate again when opening Citrix DaaS. For SSO, enable the Citrix Federated Authentication Service in Citrix Cloud. See Enable single sign-on for workspaces with Citrix Federated Authentication Service for more information.

SAML 2.0

Citrix Workspace supports using SAML 2.0 to manage subscriber authentication to workspaces. You can use the SAML provider of your choice, provided it supports SAML 2.0.

Requirements for SAML 2.0

SAML authentication has the following requirements:

  • SAML provider that supports SAML 2.0.
  • On-premises Active Directory domain.
  • Two Cloud Connectors deployed to a resource location and joined to your on-premises AD domain.
  • AD integration with your SAML provider.

For more information about configuring SAML authentication for workspaces, see Connect SAML as an identity provider to Citrix Cloud.

Subscriber experience with SAML 2.0

  1. The subscriber navigates to the Workspace URL in their browser or launches Citrix Workspace app.
  2. The subscriber is redirected to the SAML identity provider sign-in page for their organization. The subscriber authenticates with the mechanism configured for the SAML identity provider, such as multifactor authentication or conditional access policies.
  3. After successful authentication, the subscriber’s workspace appears.

Citrix Federated Authentication Service (FAS)

Citrix Workspace supports using Citrix Federated Authentication Service (FAS) for single sign-on (SSO) to Citrix DaaS. Without FAS, subscribers using a federated identity provider are prompted to enter their credentials more than once to access their DaaS.

For more information, see Citrix Federated Authentication Service (FAS).

Subscriber sign-out experience

Use Settings > Log Off to complete the sign-out process from Workspace and Azure AD. If subscribers close the browser instead of using the Log Off option, they might remain signed in to Azure AD.

Important:

If Citrix Workspace times out in the browser due to inactivity, subscribers remain signed in to Azure AD. This prevents a Citrix Workspace timeout from forcing other Azure AD applications to close.

More information

Secure workspaces