Enable single sign-on for workspaces with Citrix Federated Authentication Service

Citrix Federated Authentication Service (FAS) supports single sign-on to virtual apps and desktops in Citrix Workspace. Within each resource location, you can connect multiple FAS servers to Citrix Cloud for load balancing and failover purposes. You can use the same FAS server for both on-premises and Citrix Cloud with proper rule configuration.

FAS server request flow with Citrix Cloud

Subscribers signing in to their workspaces through a federated idp (such as Azure AD, Okta, SAML, etc.) enter their credentials only once to access their apps and desktops. When subscribers launch a virtual app or desktop in their workspace, Citrix Cloud selects a FAS server in the same resource location as the VDA that is being launched. Citrix Cloud contacts the selected FAS server to obtain a ticket that grants access to a user certificate stored on the FAS server. To authenticate the subscriber, the VDA connects to FAS and presents the ticket.

Important:

  • When you enable single sign-on through the cloud admin portal, single sign-on is active only in the resource locations where you have connected FAS servers. If there are no FAS servers in a resource location, single sign-on is not active for resources in that resource location.
  • When you enable FAS in your resource location, the Federated Authentication Service is active for all virtual app and desktop launches from Citrix Workspace.

For an overview of the Federated Authentication Service for Citrix Workspace, view this Tech Insight video:

Citrix Federated Authentication Service for Citrix Workspace

Requirements

Connectivity requirements

Use the FAS administration console to connect a FAS server to Citrix Cloud. You can use this console to configure a local or remote FAS server. To enable single sign-on for workspaces with FAS, the FAS administration console and FAS service access the following addresses using the console user’s account and the Network Service account, respectively.

  • FAS administration console, using the console user’s account
    • *.cloud.com
    • *.citrixworkspaceapi.net
    • Addresses required by a third party identity provider, if one is used in your environment
  • FAS service, using the Network Service account: *.citrixworkspaceapi.net

If your environment includes proxy servers, configure the user proxy with the addresses for the FAS administration console. Also, ensure the address for the Network Service Account is configured as appropriate for your environment.

FAS server

Complete requirements for the FAS server are described in the System Requirements section of the FAS product documentation.

FAS servers in your on-premises Virtual Apps and Desktops environment must have Federated Authentication Service 2003 (Version 10.1) or later installed. To upgrade an existing FAS server, see the FAS Install and configure documentation. The same FAS server can be used for Workspace and on-premise deployments.

Citrix Workspace

You must have the Virtual Apps and Desktops service provisioned and enabled in Workspace. By default, the Virtual Apps and Desktops service is enabled in Workspace Configuration after you subscribe to the service. However, the service requires that you deploy Citrix Cloud Connectors to allow Citrix Cloud to communicate with your on-premises environment.

Cloud Connectors

Citrix Cloud Connector enables communication between your resource location (where the VDAs reside) and Citrix Cloud. You need at least two servers on which to install the Cloud Connector software to ensure high availability. These servers must meet the following requirements:

  • Meets the system requirements described in Cloud Connector Technical Details
  • Has no other Citrix components installed, is not an Active Directory domain controller, and is not a machine critical to your resource location infrastructure.
  • Joined to the domain where your FAS server resides.

For more information about deploying Cloud Connectors, refer to the following articles:

Install and configure FAS

Important:

When you enable single sign-on through FAS, single sign-on is active only in the resource locations where you have connected FAS servers. If there are no FAS servers in a resource location, single sign-on is not active for workspace subscribers connecting through that resource location.

Follow the FAS installation and configuration process described in the FAS documentation, apart from the configuration steps for StoreFront and the Delivery Controller which are not required.

Note:

You can download Federated Authentication Service MSI installer from the Citrix Cloud console:

  1. From the Citrix Cloud menu, select Resource Locations.
  2. Select the FAS Servers tile and then click Download.

Connect a FAS server to Citrix Cloud

After installing and configuring your FAS server, use the FAS administration console to Connect to Citrix Cloud as described in the FAS documentation.

After you complete the Connect to Citrix Cloud configuration step, Citrix Cloud registers the FAS server and displays it on the Resource Locations page in your Citrix Cloud account.

Resource Locations page with FAS server added

If you already have the Resource Locations page loaded in your browser, refresh the page to display the registered FAS server.

Enable federated authentication for workspaces

  1. From the Citrix Cloud menu, select Workspace Configuration and then select Authentication.
  2. Click Enable FAS. This change might take up to five minutes to be applied to subscriber sessions.

Workspace Configuration page with Enable FAS button highlighted

Afterward, the Federated Authentication Service is active for all virtual app and desktop launches from Citrix Workspace.

Workspace Configuration page with FAS enabled

When subscribers sign in to their workspace and launch a virtual app or desktop in the same resource location as the FAS server, the app or desktop starts without prompting for credentials.

Note:

If all FAS servers in a resource location are down or in maintenance mode, application launches succeed, but single sign-on is not active. Subscribers are prompted for their AD credentials to access each application or desktop.

Remove a FAS server

  1. From the Citrix Cloud menu, select Resource Locations.
  2. Locate the resource location you want to manage and then select the FAS Servers tile.
  3. Locate the FAS server you want to remove, click the ellipsis button, and then select Remove FAS Server. Remove FAS Server menu command
  4. On the FAS administration console (on your on-premises FAS server), in Connect to Citrix Cloud, select Disable. Alternatively, you can uninstall FAS. FAS Administration console with Disable command highlighted

Troubleshooting

If the FAS server is not available, a warning message appears on the FAS Servers page.

FAS Servers console page

To diagnose the problem, open the FAS administration console on your on-premises FAS server and inspect the status. For example, the FAS server is not present in the FAS server GPO:

FAS Server not available in FAS Server Administrator console

If the FAS administration console indicates that the server is operating properly, but there are still VDA logon problems, consult the FAS Troubleshooting Guide.

Enable single sign-on for workspaces with Citrix Federated Authentication Service