
PoC Guide: Configuring Google Cloud Identity and Microsoft Active Directory in Citrix DaaS

  • Contributed By: Arnaud Pain. Special Thanks To: Steve Beals.

Overview

Google Cloud Identity is an Identity as a Service (IDaaS) solution that centrally manages users and groups. Google Cloud Identity can be configured to federate identities between Google and other identity providers, such as Active Directory and Azure Active Directory. Using the Google Cloud Identity provider in Citrix DaaS requires planning the deployment to ensure success.

This PoC guide focuses on using Google Cloud Identity together with Microsoft Active Directory.

Microsoft Active Directory

Synchronization runs in one direction only, from Microsoft Active Directory to Google Cloud. There is no way to synchronize users from Google Cloud to Microsoft Active Directory.

Configure Citrix DaaS

In this first step, configure Citrix DaaS: create a resource location, deploy Citrix Cloud Connectors, and create a Machine Catalog and a Delivery Group. Finally, validate the deployment using LDAP authentication to confirm that everything works as expected before changing the identity provider.

  1. Deploy two new domain-joined Windows Server 2022 virtual machines.
  2. Configure the Resource Location in Citrix DaaS.
  3. Create an on-premises Resource Location.
  4. On the Windows Server 2022 virtual machines you created, download and install Citrix Cloud Connector.
  5. Configure the Hosting Connection.
  6. Create a Machine Catalog named "Windows 10 MCS Google IdP" with 2 VDAs.
  7. Create a Delivery Group named "Windows 10 MCS Google IdP".
  8. Publish the Desktop "Windows 10 MCS Google IdP".
  9. Change the Workspace URL.
  10. Validate access using LDAP.

Connect Google as an Identity provider to Citrix Cloud

It is assumed here that you already use Google Cloud IdP and have users created in Google Cloud.

Create a service account

To complete this task, you need a Google Cloud Platform developer account.

  1. Sign in to Google Cloud Console.
  2. From the Dashboard sidebar, select IAM & Admin and then choose Service Accounts.
  3. Select Create service account.
  4. Under Service account details, enter the service account name and service account ID.
  5. Select Done.

Create a service account key

  1. On the Service Accounts page, select the service account you created.
  2. Select the Keys tab, then select Add key > Create new key.
  3. Leave the default JSON key type option selected.
  4. Select Create. Save the key to a secure location that you can access later. You enter the private key in the Citrix Cloud console when you connect Google as an identity provider.

Configure domain-wide delegation

  1. Enable the Admin SDK API:
  2. Select APIs & Services > Enabled APIs & services from the Google Cloud Platform menu.
  3. Select Enable APIs and services near the top of the console. The API Library home page appears.
  4. Search for Admin SDK API and select it from the results list.
  5. Select Enable.
  6. Create an API client for the service account:
  7. Select IAM & Admin > Service Accounts from the Google Cloud Platform menu, and then select the service account you created earlier.
  8. From the service account's Details tab, expand Advanced settings.
  9. Under Domain-wide Delegation, copy the Client ID and select View Google Workspace Admin Console.
  10. If applicable, select the Google Workspace administrator account you want to use. The Google Admin console appears.
  11. From the Google Admin sidebar, select Security > Access and data control > API controls.
  12. Under Domain wide delegation, click Manage Domain Wide Delegation.
  13. Select Add new.
  14. In Client ID, paste the client ID for the service account that you copied in step 9.
  15. In OAuth scopes, enter the following scopes in a single comma-delimited line:

https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly

  16. Select Authorize.

Add a read-only API user account

In this task, create a Google Workspace user account with read-only API access for Citrix Cloud. This account is not used for any other purpose and has no other privileges.

  1. From the Google Admin menu, select Directory > Users.
  2. Select Add new user and enter the appropriate user information.
  3. Select Add new user to save the account information.
  4. Create a custom role for the read-only user account:
  5. From the Google Admin menu, select Account > Admin roles.
  6. Select Create new role.
  7. Enter a name for the new role. Example: API-ReadOnly
  8. Select Continue.
  9. Under Admin API privileges, select the following privileges:

    • Users > Read
    • Groups > Read
    • Domain Management

  10. Select Continue and then select Create role.
  11. Assign the custom role to the read-only user account that you created earlier:
  12. From the custom role details page, in the Admins pane, select Assign users.
  13. Start typing the name of the read-only user account and select it from the user list.
  14. Select Assign role.
  15. To verify the role assignment, return to the Users page (Directory > Users) and select the read-only user account.
  16. The custom role assignment is displayed under Admin roles and privileges.

Connect Google to Citrix Cloud

The next step is to configure Citrix DaaS to use Google Cloud as the identity provider. Start by connecting Google Cloud Identity globally in Citrix Cloud.

  1. Sign in to Citrix Cloud.
  2. From the Citrix Cloud menu, select Identity and Access Management.
  3. Locate Google and select Connect from the ellipsis menu.
  4. Select Import File and then select the JSON file you saved when you created the key for the service account. This action imports your private key and the email address for the Google Cloud service account that you created.
  5. In Impersonated User, enter the name of the read-only API user account.
  6. Select Next. Citrix Cloud verifies your Google account details and tests the connection.
  7. Review the associated domains that are listed. If they're correct, select Confirm to save your configuration.
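Before importing the key into Citrix Cloud, it is worth confirming offline that the downloaded JSON really is a service-account key, and that the impersonated read-only user plus the three read-only scopes from the domain-wide delegation step are exactly what the token request will carry. The Python below is an added example, not code from Citrix or Google: it validates a constructed sample key, builds the domain-wide delegation claim set that Google's token endpoint expects, and refuses any scope outside the read-only set. The sample key, the project name and the user api-readonly@example.com are placeholders; signing the assertion with the key's private_key (RS256) is left to a library such as google-auth.

```python
import base64
import json

ALLOWED_SCOPES = {  # the three read-only scopes the guide authorizes for the client ID
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
}
REQUIRED_KEY_FIELDS = ("type", "client_id", "client_email", "private_key", "token_uri")


def load_service_account_key(raw_json: str) -> dict:
    """Parse the downloaded JSON key and confirm it is a usable service-account key."""
    key = json.loads(raw_json)
    missing = [f for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"expected a service_account key, got {key['type']!r}")
    if "BEGIN PRIVATE KEY" not in key["private_key"]:
        raise ValueError("private_key is not a PEM-encoded private key")
    return key


def build_delegation_claims(key: dict, impersonated_user: str, scopes, now: int) -> dict:
    """Claim set of the JWT the service account signs to act as the read-only API user.
    Scopes outside the read-only set are refused so write access is never requested."""
    extra = sorted(set(scopes) - ALLOWED_SCOPES)
    if extra:
        raise ValueError(f"non-read-only scopes requested: {extra}")
    return {
        "iss": key["client_email"],         # the service account
        "sub": impersonated_user,           # the read-only API user it impersonates
        "scope": " ".join(sorted(scopes)),  # space-delimited inside the JWT
        "aud": key["token_uri"],
        "iat": now,                         # Unix time; Google allows at most a 1 h lifetime
        "exp": now + 3600,
    }


def unsigned_assertion(claims: dict) -> str:
    """base64url(header).base64url(claims); the RS256 signature over this string, made
    with key["private_key"], is appended to form the assertion posted to token_uri."""
    def b64url(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return b64url({"alg": "RS256", "typ": "JWT"}) + "." + b64url(claims)


# Constructed sample key; the private key is a placeholder, not real key material.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_id": "123456789012345678901",
    "client_email": "citrix-idp@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})
```

Run it against the real key file by replacing SAMPLE_KEY_JSON with the file's contents; a ValueError means the key or the scope list should be fixed before the Import File step.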

Enable Google for workspace authentication

Now that Google Cloud Identity is configured, switch the Workspace configuration to use it.

  1. From the Citrix Cloud menu, select Workspace Configuration > Authentication.
  2. Select Google. When prompted, select I understand the impact on the subscriber experience, then click Save.

Configure Google Cloud Directory Sync

Google Cloud Directory Sync (GCDS) must be configured to synchronize users from Microsoft Active Directory to Google Cloud.

  1. Download the tool from Google Cloud Directory Sync.
  2. Install the GCDS tool.
  3. Open the tool and configure it.
  4. In Google Domain Configuration, provide the Google domain name and click Authorize Now. A web page opens and asks you to authenticate with your admin account and accept the changes.
  5. In LDAP Configuration, select the connection type, provide the host name, define the port, and provide credentials. Click Test connection to validate.
  6. In General Settings, make sure User Accounts, Groups, and Custom Schemas are checked.
  7. In User Accounts, on the User Attributes tab, click Use defaults and select Don't suspend or delete Google domain users not found in LDAP.
  8. In User Accounts, on the Additional User Attributes tab, click Use defaults.
  9. In User Accounts, on the Search Rules tab, click Use defaults.
  10. In Groups, on the Search Rules tab, click Use defaults.
  11. In Custom Schemas, click Add Schema.
  12. Select Use rules defined in "User Accounts" and provide the schema name citrix-schema.
  13. Click Add Field and create the fields shown in the guide's screenshot.
  14. Click OK.
  15. Click Sync, then click Sync & apply changes.

Note:

Save your configuration by clicking File > Save as. This creates an XML file. When you close the GCDS tool, the configuration is not saved by default. On the next opening, select File > Open Recent > yourfile.xml to retrieve your saved configuration.

Configure Google Password Sync

Now configure Google Password Sync to synchronize passwords from Microsoft Active Directory to Google Cloud. This tool must be installed on all of your Microsoft Active Directory Domain Controllers.

  1. Download Google Password Sync.
  2. Install Google Password Sync.
  3. Open Google Password Sync.
  4. Click Next.
  5. Provide the admin email address and select Load Credentials. When prompted, select the JSON file. Click Next.
  6. Click Next.
  7. Click Finish.

Note:

After Password Sync is installed and configured, it sends the updated password to Google each time an Active Directory user changes their password in AD. To force synchronization of your Active Directory passwords to Google, restart the Password Sync service from the Services console.

A script can also be created to restart it with the following line: net stop "password Sync" && net start "password sync"

Sync users in Google

Now run Google Cloud Directory Sync to synchronize the users.

  1. Click Sync & apply changes.
  2. Click Continue.
  3. Click Close.

Change user setting

By default, a newly created Google account user must change the password at first login. If you do not change this setting, the AD and Google passwords will differ after the initial login. To avoid this, follow the steps below.

  1. In the admin console, select the created user.
  2. Ensure that citrix-schema is present and its fields are populated (this is required for access to published resources).
  3. Under Security, edit Require password change.
  4. Change it from ON to OFF and click Save.

Validation

  1. Connect to the Workspace URL. You are redirected to Google authentication. Provide your email address and click Next.
  2. Provide your password and click Next.
  3. Click I understand.
  4. The published resources appear. Click your desktop.
  5. The desktop launches with SSO.

Connect Google to Citrix Cloud

Now configure Citrix DaaS to use Google Cloud as the identity provider. Start by connecting Google Cloud Identity globally in Citrix Cloud.

  1. Sign in to Citrix Cloud.
  2. From the Citrix Cloud menu, select Identity and Access Management.
  3. Locate Google and select Connect from the ellipsis menu.
  4. Select Import File and then select the JSON file you saved when creating the service account key. This action imports your private key and the email address for the Google Cloud service account that you created.
  5. In Impersonated User, enter the name of the read-only API user account.
  6. Select Next. Citrix Cloud verifies your Google account details and tests the connection.
  7. Review the associated domains that are listed. If they're correct, select Confirm to save your configuration.

Enable Google for workspace authentication

Now that Google Cloud Identity is configured, we can switch the Workspace configuration to use it.

  1. From the Citrix Cloud menu, select Workspace Configuration > Authentication.
  2. Select Google. Select I understand the impact on the subscriber experience, then click Save.

Create a Machine Catalog

There is no Microsoft Active Directory in this use case, so the VDAs are non-domain joined. More details can be found here.

Validation

  1. Connect to the Workspace URL. You are redirected to Google authentication. Provide your email address and click Next.
  2. Provide your password and click Next.
  3. Click I understand.
  4. The published resources appear. Click Desktop.
  5. The desktop launches with SSO.
