Azure Active Directory single sign-on

Note:

Since July 2023, Microsoft has renamed Azure Active Directory (Azure AD) to Microsoft Entra ID. In this document, any reference to Azure Active Directory, Azure AD, or AAD now refers to Microsoft Entra ID.

Citrix Federated Authentication Service (FAS) provides single sign-on (SSO) to domain-joined Virtual Delivery Agents (VDAs). FAS achieves SSO by supplying the VDA with a user certificate, which the VDA uses to authenticate the user to Active Directory (AD). Once you sign on to the VDA session, you can access AD resources without reauthentication.

It’s common to implement Microsoft Entra ID (ME-ID) with synchronization between your AD and Microsoft Entra ID, which creates hybrid identities for both users and computers. This article describes the additional configuration required to achieve SSO to Microsoft Entra ID from within your VDA session when using FAS, which allows the user to access Microsoft Entra ID-protected applications without reauthentication.

Note:

  • You don’t require any special configuration for FAS to use SSO for Microsoft Entra ID.
  • You don’t require the FAS in-session certificates.
  • You can use any version of FAS.
  • You can use any version of the VDA that supports FAS.

The techniques for Microsoft Entra ID SSO are summarized in the following table:

ME-ID authentication type                                 | VDA is domain joined                  | VDA is hybrid joined
----------------------------------------------------------|---------------------------------------|---------------------------------------------------------------
Managed                                                   | Use ME-ID seamless SSO                | Use ME-ID Certificate Based Authentication
Federated to Active Directory Federation Services (ADFS)  | Enable Windows Authentication at ADFS | Ensure that the WS-Trust certificatemixed endpoint is enabled
Federated to a third party identity provider              | Use a third party solution            | Use a third party solution

  • A managed Microsoft Entra ID domain is one where the user authentication happens at Microsoft Entra ID, sometimes referred to as native Microsoft Entra ID authentication.
  • A federated Microsoft Entra ID domain is one where Microsoft Entra ID is configured to redirect authentication elsewhere, for example to ADFS or to a third party identity provider.
  • A hybrid joined VDA is both AD joined and Microsoft Entra ID joined.

Domain-joined VDAs

For domain-joined VDAs, achieve SSO to Microsoft Entra ID using Windows Authentication (traditionally called Integrated Windows Authentication, or Kerberos). Authentication to Microsoft Entra ID happens when the user accesses a Microsoft Entra ID-protected application from within the VDA session. The following diagram shows the authentication process at a high level:

[Figure: Domain joined VDAs]

The exact details vary depending on whether the Microsoft Entra ID domain is managed or federated.

For information on the managed Microsoft Entra ID domain setup, see Seamless single sign-on.

For a Microsoft Entra ID domain federated to ADFS, enable Windows Authentication at the ADFS server.

For a Microsoft Entra ID domain federated to a third party identity provider, a similar solution exists. Contact your identity provider for help.

Note:

You can also use the solutions listed for domain-joined VDAs with hybrid-joined VDAs, but a Microsoft Entra ID Primary Refresh Token (PRT) isn’t generated when using FAS.

Hybrid-joined VDAs

Hybrid-joined VDAs are joined to AD and Microsoft Entra ID at the same time. When the user signs in to the VDA, the following artifacts are created:

  • A Kerberos Ticket Granting Ticket (TGT), to authenticate to AD resources
  • A Primary Refresh Token (PRT), to authenticate to Microsoft Entra ID resources

The PRT contains information about both the user and the computer. This information can be used in a Microsoft Entra ID conditional access policy if necessary.
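To confirm from inside a VDA session which of the two artifacts above were actually issued, the following added script (not part of this Citrix article) parses the output of Microsoft's dsregcmd /status tool and reports the join state together with the PRT state. The field names DomainJoined, AzureAdJoined and AzureAdPrt are the ones dsregcmd prints; the interpretation messages are this example's own.

```powershell
# Run inside the VDA session as the signed-in user (dsregcmd ships with Windows).
# Added example: parses "dsregcmd /status" into a small summary object.
$status = dsregcmd /status

# Collect "Name : Value" lines into a hashtable; keys with spaces (e.g. "Device Name") are skipped
$fields = @{}
foreach ($line in $status) {
    if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
        $fields[$Matches[1]] = $Matches[2]
    }
}

$summary = [pscustomobject]@{
    DomainJoined  = $fields['DomainJoined']    # YES on a domain-joined or hybrid-joined VDA
    AzureAdJoined = $fields['AzureAdJoined']   # YES only on a hybrid-joined VDA
    AzureAdPrt    = $fields['AzureAdPrt']      # YES when a PRT exists for this session
}
$summary | Format-List

if ($summary.DomainJoined -eq 'YES' -and $summary.AzureAdJoined -eq 'YES') {
    if ($summary.AzureAdPrt -eq 'YES') {
        'Hybrid-joined VDA: a PRT was issued for this session.'
    } else {
        'Hybrid-joined VDA but no PRT: with FAS this requires ME-ID certificate-based authentication ' +
        '(managed domain) or a WS-Trust certificatemixed endpoint (federated domain).'
    }
} elseif ($summary.DomainJoined -eq 'YES') {
    'Domain-joined VDA: no PRT is expected; SSO to ME-ID relies on Windows Authentication.'
} else {
    'VDA is not AD joined; FAS SSO does not apply.'
}
```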

Since FAS authenticates the user by supplying a certificate to the VDA, a PRT can only be created if certificate-based authentication for Microsoft Entra ID is implemented. The following diagram shows the authentication process at a high level:

[Figure: Hybrid joined VDAs]

The exact details vary depending on whether the Microsoft Entra ID domain is managed or federated.

For a managed Microsoft Entra ID domain, configure Microsoft Entra ID certificate-based authentication (CBA). For more information, see Overview of Azure AD certificate-based authentication. The VDA uses Microsoft Entra ID CBA to authenticate the user to Microsoft Entra ID with the user’s FAS certificate.

Note:

The Microsoft documentation describes signing in with a smart card certificate, but the same underlying technique applies when signing in with a FAS user certificate.

For a Microsoft Entra ID domain federated to ADFS, the VDA uses the ADFS server’s WS-Trust certificatemixed endpoint to authenticate the user to Microsoft Entra ID with the user’s FAS certificate. This endpoint is enabled by default, but verify that it has not been disabled by hardening.
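The following added script (not part of this Citrix article) verifies that requirement on the ADFS server with the ADFS PowerShell module: it reports the state of the WS-Trust certificatemixed endpoints and, if one is disabled, re-enables it. It assumes the default ADFS address paths for the WS-Trust 1.3 and 2005 certificatemixed endpoints.

```powershell
# Run on the ADFS server in an elevated session; the ADFS module is installed with the AD FS role.
# Added example: check (and optionally enable) the WS-Trust certificatemixed endpoints.
Import-Module ADFS

# Default ADFS address paths for the certificate-authenticated WS-Trust endpoints (assumption: unchanged)
$paths = @(
    '/adfs/services/trust/13/certificatemixed',    # WS-Trust 1.3
    '/adfs/services/trust/2005/certificatemixed'   # WS-Trust 2005
)

$needsRestart = $false
foreach ($path in $paths) {
    $ep = Get-AdfsEndpoint -AddressPath $path
    if (-not $ep) {
        Write-Warning "Endpoint $path not found on this ADFS server"
        continue
    }
    # Enabled = reachable on the ADFS server; Proxy = also published through the Web Application Proxy
    '{0}  Enabled={1}  Proxy={2}' -f $ep.AddressPath, $ep.Enabled, $ep.Proxy

    if (-not $ep.Enabled) {
        Write-Warning "$path is disabled; FAS-backed SSO to ME-ID through ADFS will fail. Enabling it."
        Set-AdfsEndpoint -TargetAddressPath $path -Enabled $true
        $needsRestart = $true
    }
}

# Endpoint changes only take effect after the AD FS service restarts
if ($needsRestart) {
    Restart-Service adfssrv
    'ADFS service restarted; re-run this script to confirm the endpoints now report Enabled=True.'
}
```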

For a Microsoft Entra ID domain federated to a third party identity provider, a similar solution may exist. The identity provider must implement a WS-Trust certificatemixed endpoint. Contact your identity provider for help.
