Single sign-in with Azure Active Directory

XenMobile Service supports single sign-in with Azure Active Directory credentials for the following scenarios:

  • User enrollment through Citrix Secure Hub (Android or iOS)
  • For the RBAC User role, authentication to the XenMobile Self Help Portal
  • Administrator authentication to the XenMobile console
  • For XenMobile Service, administrator authentication to the XenMobile Public API for REST Services by using a token retrieved through the Citrix Cloud API.

For more information, see section 3.3.2, Login (Cloud Credentials), in the XenMobile Public API for REST Services PDF.

XenMobile Service uses the Citrix Cloud service, Citrix Identity Platform, to federate with Azure Active Directory. Citrix Identity Platform is an identity provider (IDP) service.

To set up this service, you configure Citrix Cloud to use Azure Active Directory as your Identity Provider. Then, configure Citrix Identity Platform as the IDP type for XenMobile Server. Users can then log on to Secure Hub with their Azure Active Directory credentials. Secure Hub uses client certificate authentication for MAM devices.

Citrix recommends that you use Citrix Identity Platform instead of a direct connection to Azure Active Directory.

Prerequisites for single sign-in with Azure Active Directory

  • XenMobile Server, configured in MDM, MAM-only, or Enterprise mode
  • NetScaler Gateway, configured for certificate-based authentication
  • Secure Hub 10.7.20 (minimum version)
  • Azure Active Directory user credentials

Configure Citrix Cloud to use Azure Active Directory as your Identity Provider

To configure Azure Active Directory in Citrix Cloud:

  1. Go to https://citrix.cloud.com and sign in to your Citrix Cloud account.

  2. From the Citrix Cloud menu, go to the Identity and Access Management page and connect to Azure Active Directory.

    Image of Citrix Cloud screen

  3. Type your administrator sign-in URL and then click Connect.

    Image of Citrix Cloud screen

  4. After you sign in, your Azure Active Directory account connects to Citrix Cloud. The Identity and Access Management > Authentication page shows which accounts to use to sign in to your Citrix Cloud and Azure AD accounts.

    Image of Citrix Cloud screen

Configure Citrix Identity Platform as the IDP type for XenMobile Server

After you configure Azure Active Directory in Citrix Cloud, configure XenMobile Server as follows.

  1. In the XenMobile console, go to Settings > Identity Provider (IDP) and then click Add.

  2. In the Identity Provider (IDP) page, configure the following:

    Image of IDP configuration screen

    • IDP Name: Type a unique name to identify the IDP connection that you are creating.
    • IDP Type: Choose Citrix Identity Platform.
    • Auth Domain: Choose the Citrix Cloud domain. If you aren’t sure which one to choose, your domain appears on the Citrix Cloud Identity and Access Management > Authentication page.

  3. Click Next. In the IDP Claims Usage page, configure the following:

    Image of IDP configuration screen

    • User Identifier type: This field is set to userPrincipalName.
    • User Identifier string: This field is automatically filled.

  4. Click Next, review the Summary page, and then click Save.

    Secure Hub users, XenMobile console, and Self Help Portal users can now sign in with their Azure Active Directory credentials.

XenMobile administrator and user authentication flow

The sign-in screen for the XenMobile console and the XenMobile Self Help Portal includes the link Sign in with my company credentials.

Image of XenMobile sign in

Click that link to enter your Azure Active Directory credentials. After you authenticate successfully, XenMobile doesn’t prompt you to sign in again for future access.

If you sign in to the XenMobile console or Self Help Portal from a domain-joined device and click the Sign in with my company credentials link, XenMobile provides a single sign-on experience and no authentication prompt appears.

Secure Hub authentication flow

With XenMobile configured to use Citrix Identity Platform as its IDP, the Secure Hub authentication flow is as follows for a device enrolled through Secure Hub:

  1. A user starts Secure Hub.
  2. Secure Hub passes the authentication request to Citrix Identity Platform, which passes the request to Azure Active Directory.
  3. The user types their user name and password.
  4. Azure Active Directory validates the user and sends a code to Citrix Identity Platform.
  5. Citrix Identity Platform sends the code to Secure Hub, which sends the code to XenMobile Server.
  6. XenMobile obtains an ID token by using the code and secret, and then validates the user information that’s in the ID token. XenMobile returns a session ID.

Users of domain-joined devices can use their Azure Active Directory credentials for a single sign-on experience. For XenMobile local accounts, single sign-on isn’t available.