SSO Authentication

Citrix VDA for macOS now support SSO (Single Sign-on) experience you normally found in Windows and Linux VDA; by authenticated and launching the Citrix VDA for macOS session in Workspace or StoreFront, you will be taken directly to the macOS user account without the need to input your credential again.

Supported SSO credential types

The SSO experience is provided in conjunction with Citrix control plane DaaS/CVAD components, currently we only support following workflow & credential types.

Workspace/StoreFront authentication type

Citrix Workspace app users should log into their Storefront/Workspace using a username & password pair (or the pair can be retrieved from a device such as Touch ID); Currently, we do not support other types of credentials,e.g., FAS, smart card.

Authentication Method

Your macOS account can be a local account or an Active Directory (AD) account:

  • macOS local account

    A local account is created and managed directly on the macOS device. If you are using a local account on macOS, SSO will authenticate you using the macOS local account database. Please ensure the local account username and password is configured the same as SF/SF Cloud (username is the short ID without domain prefix)

  • Active Directory (AD) authentication

    An AD account is managed by Active Directory, a directory service developed by Microsoft for Windows domain networks. If you are using an Active Directory (AD) account, SSO will facilitate authentication through the Active Directory to which the Citrix VDA for macOS device is connected.

Note:

If the same account name exists in both the local and AD account databases, we only support authentication with the local account database.

Limitation

When the Mac device is connected by wifi, it must be connected to a shared network connection, rather than a per-user wifi configuration.

Compatibility

When the Citrix VDA for macOS SSO feature is enabled, your macOS system’s default login UI will be replaced with a Citrix VDA for macOS-customized version. We do not support the cases in which the system login process has already been customized by other software including Jamf PRO/Connect. (Refer to the troubleshooting section for instructions on how to determine if your system login process has been customized.)

How to enable SSO

The configuration varies depending on the type of account.

MacOS local authentication Steps

  1. Create a local user account.

    In macOS System Settings, create a local user account or update an existing one to have the same username and password as the account you use to log into the storefront / workspace. Please refer to Apple’s documentation for creating a new local user account or changing an existing user account.

  2. Enable SSO.

    Enable with VDA Configuration App.

    SSOLocalAccount

    Or run below apple script to enable SSO.

    sudo osascript /opt/Citrix/VDA/bin/ctxsso.scpt -option 1

    sudo osascript /opt/Citrix/VDA/bin/ctxsso.scpt -option 1 -silent

    Note:

    This mode is particularly useful for scripting and automation purposes

Note:

For local authentication, you need to synchronize local credentials with storefront / workspace credentials manually if password will be changed due to security update needs.

Active Directory (AD) authentication

You must bind your Citrix VDA for macOS machine to the domain where your storefront or workspace account resides. Steps:

  1. Bind your Citrix VDA for macOS device to the domain with macOS’s built-in tool, Directory Utility ( You can ignore this step if your device has already been connected to the domain ). Refer to Apple’s documentation Configure domain access in Directory Utility on Mac.

  2. Enable SSO. Enable SSO with VDA Configuration App

    SSO AD

    Or enable SSO function with apple script.

sudo osascript /opt/Citrix/VDA/bin/ctxsso.scpt -option 2

sudo osascript /opt/Citrix/VDA/bin/ctxsso.scpt -option 2 -silent

Note:

This mode is particularly useful for scripting and automation purposes.

How to disable SSO

  1. Disable SSO with VDA Configuration App

    Disable SSO

Or run below apple script to disable SSO. sudo osascript /opt/Citrix/VDA/bin/ctxsso.scpt -option 0

Troubleshooting

  1. How to check if you system default login process has been modified.

Run below command in terminal:

security authorizationdb read system.login.console

Check if string “loginwindow:login” exists in output, if not, we do not support this case, as it may already been customized by other software

<key>mechanisms</key> <array> <string>builtin:prelogin</string> <string>builtin:policy-banner</string> <string>loginwindow:login</string> <string>builtin:login-begin</string> <string>builtin:reset-password,privileged</string> <string>loginwindow:FDESupport,privileged</string> </array>

Known Issues

  • If your VDA device is connected to multiple networks, registration with the DDC may be lost for a while due to disconnection or logoff.

    • Workaround: Wait for the registration to be ready before launching the session again. After VDA lost registration, it will do registration again immediately, User can try to launch session again after failure.

    • Solution: Maintain a single shared network connection for the Citrix VDA for macOS device.

  • If you install Citrix VDA for macOS via terminal (outside of a user session), you may be prompted to manually enter your password upon first login.

SSO Authentication