Enable single sign-on for workspaces with Citrix Federated Authentication Service (Technical Preview)

Note:

Using Federation Authentication Service with Citrix Cloud is currently in Technical Preview. Citrix recommends using technical preview features only in test environments or limited production environments.

Citrix Federated Authentication Service (FAS) supports single sign-on to virtual apps and desktops in Citrix Workspace. Within each resource location, you can connect multiple FAS servers to Citrix Cloud for load balancing and failover purposes. You can use the same FAS server for both on-premises and Citrix Cloud with proper rule configuration.

FAS server request flow with Citrix Cloud

Subscribers signing in to their workspaces through Azure AD enter their credentials only once to access their apps and desktops. When subscribers launch a virtual app or desktop in their workspace, Citrix Cloud selects a FAS server in the same resource location as the VDA that is being launched. Citrix Cloud contacts the selected FAS server to obtain a ticket that grants access to a user certificate stored on the FAS server. To authenticate the subscriber, the VDA connects to FAS and presents the ticket.

Important:

  • When you enable single sign-on through FAS, single sign-on is active only in the resource locations where you have connected FAS servers. If there are no FAS servers in a resource location, single sign-on is not active for resources in that resource location.
  • When you enable FAS in your resource location, the Federated Authentication Service is active for all virtual app and desktop launches from Citrix Workspace.

For an overview of the Federated Authentication Service for Citrix Workspace, view this Tech Insight video:

Citrix Federated Authentication Service for Citrix Workspace

Requirements

FAS server

For complete requirements for the FAS server, see the System Requirements section of the FAS product documentation.

If you don’t already have a FAS server in your on-premises Virtual Apps and Desktops environment or you want to upgrade an existing FAS server, see Install and configure FAS in this article.

If your existing FAS server is Version 10.0 or later, proceed to Connect a FAS server to Citrix Cloud.

Citrix Workspace

You must have the Virtual Apps and Desktops service provisioned and enabled in Workspace. By default, the Virtual Apps and Desktops service is enabled in Workspace Configuration after you subscribe to the service. However, the service requires that you deploy Citrix Cloud Connectors to allow Citrix Cloud to communicate with your on-premises environment.

Cloud Connectors

Citrix Cloud Connector enables communication between your resource location (where the FAS server resides) and Citrix Cloud. You need at least two servers on which to install the Cloud Connector software to ensure high availability. These servers must meet the following requirements:

  • Meets the system requirements described in Cloud Connector Technical Details
  • Has no other Citrix components installed, is not an Active Directory domain controller, and is not a machine critical to your resource location infrastructure.
  • Joined to the domain where your FAS server resides.

For more information about deploying Cloud Connectors, refer to the following articles:

Install and configure FAS

Install and configure one or more FAS servers if:

  • You don’t already have a FAS server in your on-premises environment.
  • Your existing FAS server is older than Version 10.0 and you want to upgrade it in-place so you can connect to Citrix Cloud.

If your existing FAS server is Version 10.0 or later, proceed to Connect a FAS server to Citrix Cloud.

Important:

When you enable single sign-on through FAS, single sign-on is active only in the resource locations where you have connected FAS servers. If there are no FAS servers in a resource location, single sign-on is not active for workspace subscribers connecting through that resource location.

Guidance for installing and configuring FAS

Installing and configuring a FAS server follows the same process as described in the FAS documentation, with the following exceptions:

  • Configuration steps for StoreFront or the Delivery Controller are not required.
  • The FAS administration console might look different from the one shown in the FAS product documentation. However, the functionality is the same.
  • The FAS administration console does not require you to specify which FAS server you want to connect. It connects to the local FAS service by default. If needed, you can connect to a remote service using Connect to another server in the top right of the console.

To install and configure a FAS server, you perform the following tasks:

  1. Download and install the latest version of the FAS server software from Citrix.
  2. Configure FAS rules.

    FAS server rules dialog

    When you configure a FAS rule, you can specify which StoreFront servers are allowed to use the rule. However, when a rule is used with Citrix Cloud, the StoreFront access permissions are ignored. You can use the same rule with Citrix Cloud and with an on-premises StoreFront deployment. StoreFront access permissions are still applied when the rule is used by an on-premises StoreFront. If you are using the FAS server only with Citrix Cloud, you don’t have to perform this task.

  3. Configure Group Policy even if you are using your FAS deployment with Citrix Cloud only.

    FAS server Group Policy dialog with DNS address

    The order of DNS addresses of your FAS servers in the list must be consistent as seen by:

    • VDAs
    • StoreFront servers (if present)
    • FAS servers

    This is because an index (integer) into the list is used by the VDA to locate the FAS server chosen for a virtual app or desktop launch.
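As an added illustration of why the ordering matters (this is example code, not part of Citrix FAS or this article), the following script compares the FAS address list as seen on several machines and shows which server a VDA would contact when only the list index is passed through. The host names and address lists are constructed sample data, not values read from a real GPO.

```python
"""Check that the FAS server address list is ordered identically on every
machine that uses it (VDAs, StoreFront servers, FAS servers).

The VDA locates the FAS server chosen for a launch by its integer index into
the list, so index i must name the same server on every machine. Illustrative
example only; host names below are constructed, not read from a real GPO."""

# Constructed sample: the FAS address list as seen on each machine.
ADDRESS_LISTS = {
    "vda01":        ["fas01.example.local", "fas02.example.local", "fas03.example.local"],
    "storefront01": ["fas01.example.local", "fas02.example.local", "fas03.example.local"],
    "fas01":        ["fas01.example.local", "fas02.example.local", "fas03.example.local"],
    # A VDA whose Group Policy lists the same servers in a different order.
    "vda02":        ["fas02.example.local", "fas01.example.local", "fas03.example.local"],
}


def resolve_by_index(selected, selector_list, vda_list):
    """Return the server a VDA actually contacts when the selecting side picks
    `selected` from `selector_list` and only the index reaches the VDA.
    Returns None when the index does not exist in the VDA's list."""
    index = selector_list.index(selected)
    if index >= len(vda_list):
        return None
    return vda_list[index]


def find_inconsistencies(lists, reference):
    """Compare every machine's list against the reference machine's list.
    Returns {host: [(index, expected, actual), ...]} for hosts that differ."""
    ref = lists[reference]
    problems = {}
    for host, addrs in lists.items():
        diffs = []
        for i in range(max(len(ref), len(addrs))):
            expected = ref[i] if i < len(ref) else None
            actual = addrs[i] if i < len(addrs) else None
            if expected != actual:
                diffs.append((i, expected, actual))
        if diffs:
            problems[host] = diffs
    return problems


if __name__ == "__main__":
    for host, diffs in find_inconsistencies(ADDRESS_LISTS, "fas01").items():
        for i, expected, actual in diffs:
            print(f"{host}: index {i} is {actual!r}, reference has {expected!r}")
```

Run against the sample data, the check flags vda02, where a launch that selected fas01 would have the VDA present its ticket to fas02 instead.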

Download the FAS software

The latest version of the FAS software is available from the Citrix Downloads web site at https://www.citrix.com/downloads/citrix-cloud/betas-and-tech-previews/federated-authentication-service–fas-.html.

To access the Federated Authentication Service downloads page from within the Citrix Cloud console:

  1. From the Citrix Cloud menu, select Resource Locations.
  2. Select the FAS Servers tile and then click Download.

    Resource Locations page with FAS server tile highlighted

    FAS download screen

After downloading, you can launch the installer and follow the wizard to configure FAS rules and group policies and connect to Citrix Cloud.

Connect a FAS server to Citrix Cloud

This section assumes your existing FAS server is installed and configured as described in the FAS documentation.

  1. From the FAS installer, ensure the Initial Setup tab is selected.

    FAS installer with Connect button highlighted

  2. In Connect to Citrix Cloud, select Connect.
  3. When prompted, sign in to Citrix Cloud, select the customer account, if applicable, and select the resource location where you want to connect the FAS server.

After you complete the installation, Citrix Cloud registers the FAS server and displays it on the Resource Locations page in your Citrix Cloud account.

Resource Locations page with FAS server added

If you already have the Resource Locations page loaded in your browser, refresh the page to display the registered FAS server.

Enable federated authentication for workspaces

  1. From the Citrix Cloud menu, select Workspace Configuration and then select Authentication.
  2. Click Enable FAS. This change might take up to five minutes to be applied to subscriber sessions.

Workspace Configuration page with Enable FAS button highlighted

Afterward, the Federated Authentication Service is active for all virtual app and desktop launches from Citrix Workspace.

Workspace Configuration page with FAS enabled

When subscribers sign in to their workspace and launch a virtual app or desktop in the same resource location as the FAS server, the app or desktop starts without prompting for credentials.

Note:

If a FAS server is down or in maintenance mode, application launches succeed, but single sign-on is not active. Subscribers are prompted for their AD credentials to access each application or desktop.

Remove a FAS server

  1. From the Citrix Cloud menu, select Resource Locations.
  2. Locate the resource location you want to manage and then select the FAS Servers tile.
  3. Locate the FAS server you want to remove, click the ellipsis button, and then select Remove FAS Server.

    Remove FAS Server menu command

  4. On the FAS Administration console (on your on-premises FAS server), in Connect to Citrix Cloud, select Disable. Alternatively, you can uninstall FAS.

    FAS Administration console with Disable command highlighted

Troubleshooting

If the FAS server is not available, a warning message appears on the FAS Servers page.

FAS Servers console page

To diagnose the problem, open the FAS Administration console on your on-premises FAS server and inspect the status. For example, the console reports the following when the FAS server is not present in the FAS server GPO:

FAS Server not available in FAS Server Administrator console

If the FAS Administration console indicates that the server is operating properly, but there are still VDA logon problems, consult the FAS Troubleshooting Guide.

Additional help and support

For troubleshooting help, questions, or to provide feedback about federated authentication for workspaces, visit the Federated Authentication Service for Workspace Preview support forum to talk with Citrix experts and other members of the Citrix Cloud community.