
PoC Guide: Configuring Non-Domain Joined Desktops in Citrix DaaS with Google IdP

  • Contributed By: Steve Beals. Special Thanks To: Arnaud Pain.

Overview

Google Cloud Identity is an Identity as a Service (IDaaS) solution that centrally manages users and groups. Google Cloud Identity can be configured to federate identities between Google and other identity providers, such as Active Directory and Azure Active Directory. However, many organizations need to support non-domain joined solutions (not managed through Active Directory), and with Citrix DaaS support for Google Cloud Identity authentication, this is achievable.

The following guide provides the requirements and step-by-step instructions to create and configure Windows and Linux non-domain joined virtual machines, machine catalogs, and delivery groups using Citrix DaaS.

Requirements and Prerequisites

  • A current Citrix DaaS subscription.
  • Single session Windows 10/11 and supported Linux virtual machines.
  • Citrix VDA 2203 or later.
  • Rendezvous v2 must be enabled.
  • Cloud Connectors: Only required if you plan to provision machines on on-premises hypervisors.
  • Google Cloud Platform developer account.

Note

Service continuity is not supported for non-domain joined VDAs.

Connect Google as an Identity provider to Citrix Cloud

It is assumed that you already use Google Cloud and have users created in it.

Create a service account

To complete this task, you need a Google Cloud Platform developer account.

  1. Sign in to Google Cloud Console.
  2. From the Dashboard sidebar, select IAM & Admin and then choose Service Accounts.

    poc-guides_citrix-daas-google-chrome-identity_service1.png

    poc-guides_citrix-daas-google-chrome-identity_service2.png

    poc-guides_citrix-daas-google-chrome-identity_service3.png

  3. Select Create service account.

    poc-guides_citrix-daas-google-chrome-identity_service4.png

  4. Under Service account details, enter the service account name and service account ID.

    poc-guides_citrix-daas-google-chrome-identity_service5.png

  5. Select Done.

Create a service account key

  1. On the Service Accounts page, select the service account you created.
  2. Select the Keys tab, then select Add key > Create new key.

    poc-guides_citrix-daas-google-chrome-identity_key1.png

  3. Leave the default JSON key type option selected.
  4. Select Create. Save the key to a secure location that you can access later. You enter the private key in the Citrix Cloud console when you connect Google as an identity provider.

    poc-guides_citrix-daas-google-chrome-identity_key2.png

Configure domain-wide delegation

  1. Enable the Admin SDK API:

    a. Select APIs & Services > Enabled APIs & services from the Google Cloud Platform menu.

    poc-guides_citrix-daas-google-chrome-identity_delegation1.png

    b. Select Enable APIs and services near the top of the console. The API Library home page appears.

    poc-guides_citrix-daas-google-chrome-identity_delegation2.png

    c. Search for Admin SDK API and select it from the results list.

    poc-guides_citrix-daas-google-chrome-identity_delegation3.png

    d. Select Enable.

    poc-guides_citrix-daas-google-chrome-identity_delegation4.png

  2. Create an API client for the service account:

    a. Select IAM & Admin > Service Accounts from the Google Cloud Platform menu, and then select the service account you created earlier.

    poc-guides_citrix-daas-google-chrome-identity_delegation5.png

    b. From the service account's Details tab, expand Advanced settings.

    poc-guides_citrix-daas-google-chrome-identity_delegation6.png

    c. Under Domain-wide Delegation, copy the Client ID and select View Google Workspace Admin Console.

    poc-guides_citrix-daas-google-chrome-identity_delegation7.png

    d. If applicable, select the Google Workspace administrator account you want to use. The Google Admin console appears.

    e. Select Security > Access and data control > API controls from the Google Admin sidebar.

    poc-guides_citrix-daas-google-chrome-identity_delegation8.png

    f. Under Domain wide delegation, click Manage Domain Wide Delegation.

    poc-guides_citrix-daas-google-chrome-identity_delegation9.png

    g. Select Add new.

    poc-guides_citrix-daas-google-chrome-identity_delegation10.png

    h. In Client ID, paste the client ID for the service account you copied in step c.

    poc-guides_citrix-daas-google-chrome-identity_delegation11.png

    i. In OAuth scopes, enter the following scopes in a single comma-delimited line: https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly

    j. Select Authorize.
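Before importing the key into Citrix Cloud, it is worth checking the key file, the Client ID you pasted, and the scope line offline. The following Python script is an added example (not Citrix or Google code): it validates the service-account JSON layout, confirms the scope line is exactly the three read-only scopes above and flags anything broader, checks that the pasted Client ID is the one in the key file, and builds the unsigned JWT claim set that Google's domain-wide delegation flow signs with the private key, which shows how the service account, the impersonated read-only API user and the scopes fit together. The sample key, the project name and the user address are constructed placeholders.

```python
"""Preflight check for the Google service-account key and the domain-wide
delegation scopes used to connect Google Cloud Identity to Citrix Cloud.

Added example, not Citrix or Google code. Assumes the standard Google
service-account JSON key layout and the three read-only Admin SDK scopes
the guide authorizes. SAMPLE_KEY_DICT is constructed placeholder data.
"""
import json
import time
from typing import Dict, Iterable, List, Optional

# The exact scope set the guide enters under Domain-wide Delegation.
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
}
# The scope line as the guide says to paste it (single comma-delimited line).
SCOPE_LINE = ",".join(sorted(REQUIRED_SCOPES))

# Fields present in every Google service-account key file; Citrix Cloud reads
# private_key and client_email from it when the file is imported.
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email",
                       "client_id", "token_uri")

# Constructed sample key (placeholder values, not a real key).
SAMPLE_KEY_DICT = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "citrix-idp@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}
SAMPLE_KEY = json.dumps(SAMPLE_KEY_DICT)


def check_key_file(raw_json: str) -> List[str]:
    """Return the problems found in a key file; an empty list means it looks usable."""
    try:
        key = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return ["not a JSON object"]
    problems = [f"missing field: {f}" for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    if not str(key.get("client_email", "")).endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    return problems


def check_scopes(scope_line: str) -> List[str]:
    """Validate the comma-delimited OAuth scope line pasted into the Admin console."""
    scopes = {s.strip() for s in scope_line.split(",") if s.strip()}
    problems = [f"missing required scope: {s}" for s in sorted(REQUIRED_SCOPES - scopes)]
    # Anything beyond the three read-only scopes widens what the impersonated
    # user could reach through this client; flag it rather than accept it.
    problems += [f"extra scope not needed by Citrix Cloud: {s}"
                 for s in sorted(scopes - REQUIRED_SCOPES)]
    return problems


def client_id_matches(raw_json: str, pasted_client_id: str) -> bool:
    """True if the Client ID pasted under Domain-wide Delegation is the key's client_id."""
    return json.loads(raw_json).get("client_id") == pasted_client_id.strip()


def delegation_claims(key: Dict[str, str], impersonated_user: str,
                      scopes: Iterable[str], now: Optional[int] = None) -> Dict[str, object]:
    """Build the JWT claim set a client signs with the key's private key to obtain
    a delegated access token: the service account (iss) acts as the read-only
    API user (sub) for exactly these scopes. Signing is left out here; it needs
    the private key and an RS256 signer."""
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],
        "sub": impersonated_user,
        "scope": " ".join(sorted(scopes)),
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,  # Google accepts at most one hour
    }


if __name__ == "__main__":
    for p in check_key_file(SAMPLE_KEY) + check_scopes(SCOPE_LINE):
        print("problem:", p)
    print("client id matches:", client_id_matches(SAMPLE_KEY, "123456789012345678901"))
    # Placeholder address for the read-only API user created later in the guide.
    print(json.dumps(delegation_claims(SAMPLE_KEY_DICT, "citrix-api-ro@example.com",
                                       REQUIRED_SCOPES), indent=2))
```

Run it against the real key file (read the file contents into `check_key_file`) and the scope line you pasted; an empty problem list for both, plus a matching Client ID, is what you want before moving on to the Citrix Cloud connection step.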

Add a read-only API user account

You create a Google Workspace user account with read-only API access for Citrix Cloud in this task. This account is not used for any other purpose and has no other privileges.

  1. From the Google Admin menu, select Directory > Users.

    poc-guides_citrix-daas-google-chrome-identity_gapi1.png

  2. Select Add new user and enter the appropriate user information.

    poc-guides_citrix-daas-google-chrome-identity_gapi2.png

  3. Select Add new user to save the account information.

    poc-guides_citrix-daas-google-chrome-identity_gapi3.png

  4. Create a custom role for the read-only user account:

    a. From the Google Admin menu, select Account > Admin roles.

    poc-guides_citrix-daas-google-chrome-identity_gapi4.png

    b. Select Create new role.

    poc-guides_citrix-daas-google-chrome-identity_gapi5.png

    c. Enter a name for the new role. Example: API-ReadOnly

    poc-guides_citrix-daas-google-chrome-identity_gapi6.png

    d. Select Continue.

    e. Under Admin API privileges, select the following privileges:

      • Users > Read
      • Groups > Read
      • Domain Management

    poc-guides_citrix-daas-google-chrome-identity_gapi7.png

    f. Select Continue and then select Create role.

    poc-guides_citrix-daas-google-chrome-identity_gapi8.png

  5. Assign the custom role to the read-only user account that you created earlier:

    a. From the custom role details page, in the Admins pane, select Assign users.

    poc-guides_citrix-daas-google-chrome-identity_gapi9.png

    b. Start typing the name of the read-only user account and select it from the user list.

    poc-guides_citrix-daas-google-chrome-identity_gapi10.png

    c. Select Assign role.

    poc-guides_citrix-daas-google-chrome-identity_gapi11.png

    d. Return to the Users page (Directory > Users) to verify the role assignment and select the read-only user account. The custom role assignment is displayed under Admin roles and privileges.

Connect Google to Citrix Cloud

The next task is to configure Citrix DaaS to use Google Cloud Identity as its identity provider. Start by connecting Google Cloud Identity at the Citrix Cloud level.

  1. Sign in to Citrix Cloud.
  2. From the Citrix Cloud menu, select Identity and Access Management.

    poc-guides_citrix-daas-google-chrome-identity_gconnect1.png

  3. Locate Google and select Connect from the ellipsis menu.

    poc-guides_citrix-daas-google-chrome-identity_gconnect2.png

  4. Select Import File and then select the JSON file you saved when you created the key for the service account. This action imports your private key and the email address for the Google Cloud service account that you created.

    poc-guides_citrix-daas-google-chrome-identity_gconnect3.png

  5. In Impersonated User, enter the name of the read-only API user account.
  6. Select Next. Citrix Cloud verifies your Google account details and tests the connection.

    poc-guides_citrix-daas-google-chrome-identity_gconnect4.png

  7. Review the associated domains that are listed. If they're correct, select Confirm to save your configuration.

Enable Google for workspace authentication

Now that Google Cloud Identity is configured, switch the Workspace authentication configuration to use it.

  1. From the Citrix Cloud menu, select Workspace Configuration > Authentication.

    poc-guides_citrix-daas-google-chrome-identity_gworkspace1.png

  2. Select Google. When prompted, select I understand the impact on the subscriber experience, then click Save.

    poc-guides_citrix-daas-google-chrome-identity_gworkspace2.png

Create Windows Virtual Machine

Create the Windows virtual machine on any hypervisor or hyperscaler supported by Citrix DaaS. In this case, Google Cloud is being used. Once your virtual machine is created, follow these steps:

  1. RDP into your virtual machine.

  2. Download the latest Citrix Virtual Delivery Agent release for the correct OS type.

  3. Run the VDA setup.

    poc-guides_citrix-daas-ndj-gcp_vda2.png

  4. Select Create a master MCS image, then click Next.

    poc-guides_citrix-daas-ndj-gcp_vda3.png

  5. Click Next.

    poc-guides_citrix-daas-ndj-gcp_vda4.png

  6. Select any Additional Components your deployment requires, click Next.

    poc-guides_citrix-daas-ndj-gcp_vda5.png

  7. Select Let Machine Creation Services do it automatically, then Click Next.

    poc-guides_citrix-daas-ndj-gcp_vda6.png

  8. Click Next.

    poc-guides_citrix-daas-ndj-gcp_vda7.png

  9. Select Automatically, then click Next.

    poc-guides_citrix-daas-ndj-gcp_vda8.png

  10. Review the summary page, then click Install.

    poc-guides_citrix-daas-ndj-gcp_vda9.png

  11. When the installation is complete, click Finish and let the machine restart.

    poc-guides_citrix-daas-ndj-gcp_vda10.png

  12. Once the machine restarts, edit the registry value shown below under the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent

    poc-guides_citrix-daas-ndj-gcp_vda11.png

Create Linux Virtual Machine

In this step, the Linux virtual machine is created and the Linux VDA is installed on it. The virtual machine can be created on any hypervisor or hyperscaler supported by Citrix DaaS. In this case, Google Cloud is being used. Refer to the following Citrix blog post for assistance during this process.

Prerequisites

  • A supported Linux desktop installed.
  • Microsoft .NET Runtime 6.0 installed.
  • Supported Linux VDA available to be installed.

  1. Install the Linux VDA via SSH.

    poc-guides_citrix-daas-ndj-gcp_linux1.png

    poc-guides_citrix-daas-ndj-gcp_linux2.png

  2. Installation errors are expected. When the install completes, run the following command: sudo apt --fix-broken install

  3. Create the MCS base image with the following command: sudo /opt/Citrix/VDA/sbin/deploymcs.sh

  4. Shut down the virtual machine and create a snapshot. Use the snapshot when you create the Linux Machine Catalog.

Create Machine Catalogs

  1. Click Machine Catalogs, then click Create Machine Catalog.

    poc-guides_citrix-daas-ndj-gcp_mc1.png

  2. Select Machine Type, click Next.

    poc-guides_citrix-daas-ndj-gcp_mc2.png

  3. Select the Machine Management options, and click Next.

    poc-guides_citrix-daas-ndj-gcp_mc3.png

  4. Select the Desktop Experience type and whether the desktop is dedicated, then click Next.

    poc-guides_citrix-daas-ndj-gcp_mc4.png

  5. Select the Master Image, VDA functional level, then click Next.

    poc-guides_citrix-daas-ndj-gcp_mc5.png

  6. Select storage type, then click Next.

    poc-guides_citrix-daas-ndj-gcp_mc6.png

  7. Choose the number of virtual machines to create, select zones, then click Next.

    poc-guides_citrix-daas-ndj-gcp_mc7.png

  8. Choose non-domain-joined for the Identity type, provide a name for desktops, then click Next.

    poc-guides_citrix-daas-ndj-gcp_mc8.png

  9. On the summary page, provide a name for the Machine Catalog, then click Finish.

    poc-guides_citrix-daas-ndj-gcp_mc9.png

  10. The Machine Catalog is now being created. Once complete, move on to creating the Delivery Group.

    poc-guides_citrix-daas-ndj-gcp_mc10.png

  11. Repeat the steps to create the Linux Machine Catalog.

Create Delivery Groups

  1. Select Delivery Groups, then click Create Delivery Group.

    poc-guides_citrix-daas-ndj-gcp_dg1.png

  2. Select the desktops and number of machines to add, then click Next.

    poc-guides_citrix-daas-ndj-gcp_dg2.png

  3. Choose your user assignment type, then click Next.

    poc-guides_citrix-daas-ndj-gcp_dg3.png

  4. Select your license type, then click Next.

    poc-guides_citrix-daas-ndj-gcp_dg4.png

  5. Review the summary, give the Delivery Group a name and a display name, then click Finish.

    poc-guides_citrix-daas-ndj-gcp_dg5.png

  6. Repeat the steps to create the Linux Delivery Group.

Create Rendezvous Citrix Policy

  1. Click Manage to open Citrix DaaS web studio.

    poc-guides_citrix-daas-ndj-gcp_rendezvous1.png

  2. Click Policies.

    poc-guides_citrix-daas-ndj-gcp_rendezvous2.png

  3. Click Create Policy.

    poc-guides_citrix-daas-ndj-gcp_rendezvous3.png

  4. Find the Rendezvous Protocol settings and click Select.

    poc-guides_citrix-daas-ndj-gcp_rendezvous4.png

  5. Select Allowed, then click Save.

    poc-guides_citrix-daas-ndj-gcp_rendezvous5.png

  6. Click Next.

    poc-guides_citrix-daas-ndj-gcp_rendezvous6.png

  7. Choose the policy assignment method by Delivery Group.

    poc-guides_citrix-daas-ndj-gcp_rendezvous7.png

  8. Select the delivery group in the drop-down, ensure Enable is selected, then click Save.

    poc-guides_citrix-daas-ndj-gcp_rendezvous8.png

  9. Click Next.

    poc-guides_citrix-daas-ndj-gcp_rendezvous9.png

  10. Select Enable policy, name the policy, and then click Finish.

    poc-guides_citrix-daas-ndj-gcp_rendezvous10.png

  11. The rendezvous protocol policy is now enabled.

    poc-guides_citrix-daas-ndj-gcp_rendezvous11.png

Assign Desktops

  1. On the Citrix Cloud home page, click View Library.

    poc-guides_citrix-daas-ndj-gcp_library1.png

  2. Click the ellipsis for the Non-domain Joined GCP desktop and select Manage Subscribers.

    poc-guides_citrix-daas-ndj-gcp_library2.png

  3. Begin to type the name of the user, then select the user.

    poc-guides_citrix-daas-ndj-gcp_library3.png

  4. Once the user has been Subscribed, close the screen.

    poc-guides_citrix-daas-ndj-gcp_library4.png

  5. Repeat the process for the Non-domain Joined Linux desktop.

    poc-guides_citrix-daas-ndj-gcp_library5.png

Launch Desktops

  1. Connect to your Workspace URL, where you will be directed to Google Authentication. Provide your email address and password, then click Next.

    poc-guides_citrix-daas-ndj-gcp_launch1.png

  2. Select the desktop to launch.

    poc-guides_citrix-daas-ndj-gcp_launch2.png

