Citrix Workspace App Azure Active Directory Seamless Single Sign-on with Domain/Hybrid/AAD joined clients

In this document we explain how to implement silent single sign-on to Citrix Workspace app using Azure Active Directory as the identity provider, with domain-joined, hybrid-joined and Azure AD-joined endpoints/VMs.

With this configuration we can also use Windows Hello to SSO to Workspace on Azure AD-joined endpoints.

  • You can now authenticate to Citrix Workspace app using Windows Hello
  • FIDO2-based authentication now works with the Citrix Workspace app (yes, YubiKey included!)
  • Single sign-on to Citrix Workspace app from Microsoft Azure AD-joined machines (AAD as IdP)
  • Conditional Access with AAD
  • Your Microapp experience just got enhanced with spell check and copy/paste functionality
  • Better Files download experience with a download bar and security scans

In addition, because we show how to configure Azure AD pass-through authentication, you do not need to deploy a FAS (Federated Authentication Service) server to provide SSO to Virtual Apps and Desktops.

*Note -> When using Windows Hello on its own you achieve SSO to CWA, but you will still be prompted for a username/password when launching your published virtual apps and desktops, because no domain password is available to pass through to the VDA. To solve this you can deploy FAS, which gives you SSO to CVAD in every case.

Please see this video of the end user experience:

Prerequisites:

  1. Connect Azure Active Directory to Citrix Cloud
    1. https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/connect-azure-ad.html

Step by step video:

There are 3 steps that we need to configure to achieve this result:

  • CWA client installed with the single sign-on component (includeSSO) and the appropriate configuration
    • The correct Group Policies to enable pass-through user authentication and the trusted sites
  • Disable the prompt=login attribute in Citrix Cloud (https://support.citrix.com/article/CTX253779)
  • Azure Active Directory pass-through authentication (with Seamless SSO) configured with Azure AD Connect

1 – CWA Client:

Installation of Citrix Workspace (version 2107 onwards) + Policies

Install Workspace app from an administrative command line with the “includeSSO” option:

CitrixWorkspaceApp.exe /includeSSO

Reboot

  • ADD WORKSPACE GPO

Import the Citrix Workspace ADMX templates (receiver.admx/receiver.adml from the Workspace app installation folder, Citrix\ICA Client\Configuration) and change the Citrix Workspace GPO to allow “Local user name and password” (enable pass-through authentication):

Computer configuration>Administrative templates>Citrix Components>Citrix Workspace>User Authentication

Add the following trusted sites in Internet options (the first two are the Azure AD Seamless SSO endpoints; the embedded browser must be allowed to send integrated Windows authentication to them automatically):

https://aadg.windows.net.nsatc.net
https://autologon.microsoftazuread-sso.com
https://xxxtenantxxx.cloud.com <- the name of your tenant

You can also set these via GPO: Computer Configuration>Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Security Page>Site to Zone Assignment List (zone value 2 = Trusted sites). Note that Microsoft's own Seamless SSO guidance places https://autologon.microsoftazuread-sso.com in the Local intranet zone (value 1); whichever zone you choose, its user-authentication setting must allow automatic logon with the current user name and password, otherwise the SSO is no longer silent.

On CWA versions earlier than 2109, also add the EdgeChromiumEnabled registry key so that Workspace app uses the Edge Chromium-based embedded browser:

Registry value name: EdgeChromiumEnabled
Type: String Value (REG_SZ)
Value: True
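The client-side steps above (install with the SSON component, trusted sites, the pre-2109 registry value) and a pre-flight check of the result, as an added PowerShell example that is not code from the original post or from Citrix. It assumes the Workspace URL host you pass as -Tenant, the installer path, and the registry path used for EdgeChromiumEnabled (the post gives the value but not its key); the “Local user name and password” policy is deliberately left to the Citrix ADMX template via GPO rather than being written to the registry here.

```powershell
<#
  Added example, not code from the original post or from Citrix. Applies and checks the
  client-side steps of this guide on a Windows endpoint. Run from an elevated prompt.
  The "Local user name and password" policy is NOT set here: apply it with the Citrix
  ADMX template through GPO. Assumptions (not given on the page): the Workspace URL host
  passed as -Tenant, the installer path, and the registry path for EdgeChromiumEnabled.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$Tenant,                        # e.g. contoso.cloud.com (assumption)
    [string]$Installer = "$PSScriptRoot\CitrixWorkspaceApp.exe"   # assumption
)
$ErrorActionPreference = 'Stop'

# 1. Install with the single sign-on component and enable it (documented installer switches).
if (Test-Path $Installer) {
    $proc = Start-Process -FilePath $Installer -Wait -PassThru `
        -ArgumentList '/silent', '/includeSSO', 'ENABLE_SSON=Yes'
    if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)" }
}

# 2. Trusted sites (zone 2), written to the policy key that the
#    "Site to Zone Assignment List" GPO uses, so the mapping is machine-wide and locked.
$ZonePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$Sites = @('https://aadg.windows.net.nsatc.net',
           'https://autologon.microsoftazuread-sso.com',
           "https://$Tenant")
New-Item -Path "$ZonePolicy\ZoneMapKey" -Force | Out-Null
Set-ItemProperty -Path $ZonePolicy -Name 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1
foreach ($site in $Sites) {
    Set-ItemProperty -Path "$ZonePolicy\ZoneMapKey" -Name $site -Type String -Value '2'
}

# 3. EdgeChromiumEnabled=True (REG_SZ) is only needed on Workspace app versions before 2109.
function Get-WorkspaceAppVersion {
    $hives = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $app = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'Citrix Workspace*' } | Select-Object -First 1
    if ($app) { [version]$app.DisplayVersion } else { $null }
}
$cwa = Get-WorkspaceAppVersion
if ($cwa -and $cwa -lt [version]'21.9') {     # 2109 reports as 21.9.x.x
    # Assumption: the post does not state the key path; confirm it against the Citrix docs.
    $EdgeKey = 'HKLM:\SOFTWARE\WOW6432Node\Citrix\Dazzle'
    New-Item -Path $EdgeKey -Force | Out-Null
    Set-ItemProperty -Path $EdgeKey -Name 'EdgeChromiumEnabled' -Type String -Value 'True'
}

# 4. Pre-flight check, meant to be run after the reboot and an interactive logon:
#    SSON process present, device join state, and the Azure AD SSO endpoint trusted.
function Test-WorkspaceSsoPrereqs {
    $ds    = dsregcmd /status
    $zones = Get-ItemProperty -Path "$ZonePolicy\ZoneMapKey" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WorkspaceAppVersion = $cwa
        SsonRunning         = [bool](Get-Process -Name ssonsvr -ErrorAction SilentlyContinue)
        AzureAdJoined       = [bool]($ds -match '^\s*AzureAdJoined\s*:\s*YES')
        DomainJoined        = [bool]($ds -match '^\s*DomainJoined\s*:\s*YES')
        AutologonTrusted    = ($zones.'https://autologon.microsoftazuread-sso.com' -eq '2')
    }
}
Test-WorkspaceSsoPrereqs | Format-List
```

Run it once to configure and reboot; run it again after logging on and expect SsonRunning to be True (ssonsvr.exe is started at logon and captures the credentials that are passed through to the VDA). For a pure Azure AD-joined device DomainJoined will be NO, which is fine for SSO to Workspace, but remember from the note above that you then need FAS for SSO into the virtual apps and desktops.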

2 – Disable prompt=login attribute in Citrix cloud (https://support.citrix.com/article/CTX253779)

To align with industry-standard security practices and ensure that a user is properly and securely authenticated when accessing Citrix Workspace, the Engineering team has added the “prompt=login” parameter to every authentication request to the IdP of record.

In OpenID Connect, prompt=login tells the identity provider to re-authenticate the user even when a valid session already exists, so while it is present Azure AD always shows the sign-in page and the silent Seamless SSO never happens. You need to contact Citrix technical support to have the prompt=login attribute disabled for your tenant to make this configuration work. Since Workspace then relies on the existing Azure AD session, use Conditional Access (device compliance, sign-in frequency) to keep control of when users must re-authenticate.

3 – Configure Azure AD Connect:

In the Azure AD Connect wizard (Change user sign-in), select Pass-through authentication as the sign-on method and tick “Enable single sign-on” so that Seamless SSO is activated for the forest; the wizard then creates the AZUREADSSOACC computer account in Active Directory, whose Kerberos key Azure AD uses to validate the tickets your joined clients present to the autologon endpoint.
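A server-side check of this step, as an added PowerShell example that is not from the original post or from Microsoft: it confirms the pass-through authentication agent is running, reads the Seamless SSO status with the AzureADSSO module that ships with Azure AD Connect, and flags when the AZUREADSSOACC Kerberos decryption key is overdue for the rollover Microsoft recommends. It assumes the default Azure AD Connect install path and the RSAT ActiveDirectory module on the machine where it runs.

```powershell
<#
  Added example, not from the original post or from Microsoft. Run on the Azure AD
  Connect server (with the RSAT ActiveDirectory module) to verify the server side of
  this guide: the pass-through authentication agent, Seamless SSO, and the age of the
  AZUREADSSOACC Kerberos decryption key. Assumption: default Azure AD Connect install path.
#>
$ErrorActionPreference = 'Stop'

function Test-PtaAgent {
    # Pass-through authentication validates passwords on-prem through this agent
    # service; if it is stopped, Workspace logons fail even with SSO configured.
    $svc = Get-Service -Name 'AzureADConnectAuthenticationAgent' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Installed = [bool]$svc
        Running   = ($null -ne $svc -and $svc.Status -eq 'Running')
    }
}

function Get-SeamlessSsoState {
    param(
        # Assumption: default Azure AD Connect install folder.
        [string]$ModulePath = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
    )
    Import-Module $ModulePath
    New-AzureADSSOAuthenticationContext      # prompts for a Global Administrator account
    Get-AzureADSSOStatus | ConvertFrom-Json  # lists the forests/domains with Seamless SSO enabled
}

function Test-SeamlessSsoKeyAge {
    param([int]$MaxDays = 30)
    # Seamless SSO clients obtain a Kerberos ticket for the AZUREADSSOACC computer account
    # and Azure AD decrypts it with that account's key. Whoever holds the key can mint
    # tickets for any synced user, so Microsoft recommends rolling it at least every
    # 30 days (Update-AzureADSSOForest from the same module); this flags an overdue key.
    $acct    = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet
    $ageDays = ((Get-Date) - $acct.PasswordLastSet).TotalDays
    [pscustomobject]@{
        PasswordLastSet = $acct.PasswordLastSet
        AgeDays         = [int]$ageDays
        NeedsRollover   = ($ageDays -gt $MaxDays)
    }
}

Test-PtaAgent
Test-SeamlessSsoKeyAge
Get-SeamlessSsoState
```

If Test-PtaAgent reports the service missing on the Azure AD Connect server, pass-through authentication was not selected as the sign-in method; if Get-SeamlessSsoState lists no domain, the “Enable single sign-on” option was skipped and the autologon endpoint will simply fall back to an interactive prompt.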
