Enable single sign-on for workspaces with Citrix Federated Authentication Service

Citrix Federated Authentication Service (FAS) supports single sign-on to virtual apps and desktops in Citrix Workspace. Within each resource location, you can connect multiple FAS servers to Citrix Cloud for load balancing and failover purposes.

Citrix Cloud supports using FAS servers in the following scenarios:

  • FAS servers connected with a single resource location: If your resource locations contain varied infrastructure (for example, different resource locations contain different Active Directory forests (AD forests)), you deploy FAS servers to the same resource location where your VDAs reside. Single sign-on is active only in resource locations where one or more FAS servers are connected.
  • FAS servers connected with multiple resource locations: If you have network connectivity between your resource locations and they contain similar infrastructure (for example, they reside within a single AD forest), you can connect your FAS servers with multiple resource locations. Single sign-on is active for workspace subscribers who connect to virtual apps and desktops in those resource locations. In this scenario, there’s no need to connect separate FAS servers to each resource location.

In both scenarios, subscribers signing in to their workspaces through a federated identity provider (such as Azure AD, Okta, SAML, and so on) enter their credentials only once to access their apps and desktops.

When subscribers launch a virtual app or desktop, Citrix Cloud selects a FAS server in the same resource location as the app or desktop that is being launched. Citrix Cloud contacts the selected FAS server to obtain a ticket that grants access to a user certificate stored on the FAS server. To authenticate the subscriber, the VDA connects to the FAS server and presents the ticket.

You can use the same FAS server for both on-premises and Citrix Cloud with proper rule configuration.

FAS server request flow with Citrix Cloud

Failover priority for multiple resource locations

When using FAS servers with multiple resource locations, FAS servers in one resource location can provide failover to FAS servers in other resource locations. When you add FAS servers to other resource locations, you designate each server as primary or secondary. When subscribers launch a virtual app or desktop, Citrix Cloud uses this designation in the following manner to select a FAS server:

  • FAS servers that are designated as primary in the given resource location are considered first.
  • If no primary servers are available, FAS servers that are designated as secondary are considered.
  • If no secondary servers are available, the launch continues but single sign-on doesn’t occur.

Video overview

For an overview of the Federated Authentication Service for Citrix Workspace, view this Tech Insight video:

Citrix Federated Authentication Service for Citrix Workspace

Requirements

Connectivity requirements

Use the FAS administration console to connect a FAS server to Citrix Cloud. You can use this console to configure a local or remote FAS server. To enable single sign-on for workspaces with FAS, the FAS administration console and FAS service access the following addresses using the console user’s account and the Network Service account, respectively.

  • FAS administration console, using the console user’s account
    • *.cloud.com
    • *.citrixworkspacesapi.net
    • Addresses required by a third party identity provider, if one is used in your environment
  • FAS service, using the Network Service account: *.citrixworkspacesapi.net

If your environment includes proxy servers, configure the user proxy with the addresses for the FAS administration console. Also, ensure the address for the Network Service Account is configured as appropriate for your environment.
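The following PowerShell readiness check is an added example, not a script from Citrix or the FAS product. It tests outbound HTTPS reachability to the addresses listed above from both contexts that the page names: the console user's session and the Network Service account (which uses the WinHTTP proxy rather than the user's proxy). The concrete host names, the temporary file path and the scheduled-task name are assumptions; the wildcard entries cannot be tested directly, so representative hosts are used and the task runs only long enough to record one result.

```powershell
# Added example (not Citrix's own tooling): verify FAS-to-Citrix-Cloud connectivity.
# Run from an elevated PowerShell session on the FAS server.
# Assumption: representative hosts stand in for the *.cloud.com / *.citrixworkspacesapi.net wildcards.
$ConsoleHosts = @('cloud.com', 'citrixworkspacesapi.net')   # FAS administration console, console user's account
$ServiceHost  = 'citrixworkspacesapi.net'                   # FAS service, Network Service account

function Test-FasEndpoint {
    param([string]$HostName)
    $r = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Host = $HostName; Port = 443; Reachable = $r.TcpTestSucceeded }
}

# 1. Console user's context: the interactive session, which honours the user proxy settings.
Write-Host 'Endpoints required by the FAS administration console (current user):'
$ConsoleHosts | ForEach-Object { Test-FasEndpoint $_ } | Format-Table -AutoSize

# 2. Network Service context: services use the WinHTTP proxy, so show it and then run the
#    same test as NT AUTHORITY\NETWORK SERVICE through a one-off scheduled task.
Write-Host 'WinHTTP proxy in effect for the FAS service (Network Service):'
netsh winhttp show proxy

$TaskName = 'FasConnectivityCheck'                                   # assumed task name
$Out = 'C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\fas-netsvc-check.txt'  # assumed path
$Cmd = "(Test-NetConnection -ComputerName $ServiceHost -Port 443 -WarningAction SilentlyContinue)" +
       " | Select-Object ComputerName,TcpTestSucceeded | Out-File -FilePath '$Out'"
$Action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -Command `"$Cmd`""
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\NETWORK SERVICE' -LogonType ServiceAccount

Register-ScheduledTask -TaskName $TaskName -Action $Action -Principal $Principal -Force | Out-Null
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 15                                              # allow the TCP test to complete

Write-Host "Endpoint required by the FAS service, tested as Network Service:"
if (Test-Path $Out) { Get-Content $Out } else { Write-Warning 'No result written; check task history.' }

# Clean up so the temporary task does not linger on the FAS server.
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
Remove-Item $Out -ErrorAction SilentlyContinue
```

A false result in the Network Service section while the console section succeeds points at the WinHTTP proxy (set with netsh winhttp set proxy or import proxy source=ie) rather than at the user proxy.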

FAS system requirements

The requirements in this section apply to all FAS servers that you plan to connect with Citrix Cloud.

Complete system requirements for the FAS server are described in the System Requirements section of the FAS product documentation.

FAS servers in your on-premises Citrix Virtual Apps and Desktops environment must have Federated Authentication Service 2003 (Version 10.1) or later installed. For more information about upgrading an existing FAS server, see Install and configure in the FAS product documentation. The same FAS server can be used for Workspace and on-premises deployments.

Citrix Workspace

You must have the Citrix Virtual Apps and Desktops service provisioned and enabled in Workspace. By default, the Virtual Apps and Desktops service is enabled in Workspace Configuration after you subscribe to the service. However, the service requires that you deploy Citrix Cloud Connectors to allow Citrix Cloud to communicate with your on-premises environment.

Cloud Connectors

Citrix Cloud Connectors enable communication between your resource location (where the VDAs reside) and Citrix Cloud. Deploy at least two Cloud Connectors to ensure high availability. The servers on which you install the Cloud Connector software must meet the following requirements:

  • System requirements as described in Cloud Connector Technical Details
  • No other Citrix components are installed, the server is not an Active Directory domain controller, and it is not a machine critical to your resource location infrastructure.
  • Joined to the domain where your VDAs reside.

For more information about deploying Cloud Connectors, refer to the following articles:

Setup overview

  1. If you are deploying new FAS servers, review the Requirements and follow the instructions in Install and configure FAS in this article.
  2. Connect your FAS server to Citrix Cloud as described in Connect a FAS server to Citrix Cloud in this article. Completing this task connects your FAS server to a single resource location.
  3. If you plan to connect your FAS server to multiple resource locations, add the FAS server as described in Add a FAS server to multiple resource locations in this article.

Install and configure FAS

Follow the FAS installation and configuration process described in the FAS product documentation. The configuration steps for StoreFront and the Delivery Controller are not required.

Tip:

You can also download the Federated Authentication Service installer from the Citrix Cloud console:

  1. From the Citrix Cloud menu, select Resource Locations.
  2. Select the FAS Servers tile and then click Download.

Connect FAS servers to Citrix Cloud

Use the FAS administration console to connect your FAS server to Citrix Cloud as described in Install and configure in the FAS product documentation.

After you complete the Connect to Citrix Cloud configuration step, Citrix Cloud registers the FAS server and displays it on the Resource Locations page in your Citrix Cloud account.

Resource Locations page with FAS server added

If you already have the Resource Locations page loaded in your browser, refresh the page to display the registered FAS server.

Add a FAS server to multiple resource locations

  1. From the Citrix Cloud menu, select Resource Locations and then select the FAS Servers tab.
  2. Locate the FAS server you want to manage, click the ellipsis (…) at the right side of the entry, and then select Manage Server.
  3. Select Add to a resource location and then select the resource locations that you want.
  4. Select Primary or Secondary for the FAS server’s failover priority in each selected resource location.
  5. Select Save Changes.

To view the added FAS server, select Resource Locations from the Citrix Cloud menu and then select the FAS Servers tab. A list of all FAS servers for all connected resource locations appears. To display FAS servers for a specific resource location, select the resource location from the dropdown list.

Change a FAS server’s failover priority

  1. From the Resource Locations page, select the FAS Servers tile for the resource location you want to manage.
  2. Select the FAS Servers tab.
  3. Locate the FAS server you want to manage, click the ellipsis at the right side of the entry, and then select Manage server.
  4. Locate the resource location with the priority you want to change and select the new priority from the dropdown list.
  5. Select Save Changes.

Enable federated authentication for workspaces

  1. From the Citrix Cloud menu, select Workspace Configuration and then select Authentication.
  2. Click Enable FAS. This change might take up to five minutes to be applied to subscriber sessions.

Workspace Configuration page with Enable FAS button highlighted

Afterward, the Federated Authentication Service is active for all virtual app and desktop launches from Citrix Workspace.

Workspace Configuration page with FAS enabled

When subscribers sign in to their workspace and launch a virtual app or desktop in the same resource location as the FAS server, the app or desktop starts without prompting for credentials.

Note:

If all FAS servers in a resource location are down or in maintenance mode, application launches succeed, but single sign-on is not active. Subscribers are prompted for their AD credentials to access each application or desktop.

Remove a FAS server

To remove a FAS server from a single resource location:

  1. From the Resource Locations page, select the FAS Servers tile for the resource location you want to manage.
  2. Select the FAS Servers tab.
  3. Locate the FAS server you want to manage, click the ellipsis at the right side of the entry, and then select Manage server.
  4. Locate the resource location you want to remove and then click the X icon.

To remove a FAS server from all connected resource locations:

  1. From the Citrix Cloud menu, select Resource Locations.
  2. Locate the resource location you want to manage and then select the FAS Servers tile.
  3. Locate the FAS server you want to remove, click the ellipsis at the right side of the entry, and then select Remove FAS Server.
  4. On the FAS administration console (on your on-premises FAS server), in Connect to Citrix Cloud, select Disconnect. Alternatively, you can uninstall FAS.

Troubleshooting

If the FAS server is not available, a warning message appears on the FAS Servers page.

FAS Servers console page

To diagnose the problem, open the FAS administration console on your on-premises FAS server and inspect the status. For example, the FAS server is not present in the FAS server GPO:

FAS Server not available in FAS Server Administrator console

If the FAS administration console indicates that the server is operating properly, but there are still VDA logon problems, consult the FAS Troubleshooting Guide.
