Citrix Workspace App Azure Active Directory Seamless Single Sign-on with Domain/Hybrid/AAD joined clients

In this document we explain how to implement silent single sign-on for Citrix Workspace app using Azure Active Directory as the identity provider, with domain-joined, hybrid-joined and Azure AD joined endpoints/VMs.

With this configuration you can also use Windows Hello (yes, FIDO2-based authenticators, YubiKey included!) to SSO into Workspace from Azure AD joined endpoints.

In addition, we show how to configure Azure AD pass-through authentication, so that you do not need to deploy a FAS (Federated Authentication Service) server to provide SSO to Virtual Apps and Desktops.

*Note -> When Windows Hello is used on its own you get SSO to Citrix Workspace app, but you are still prompted for username/password when launching your published virtual apps and desktops, because the VDA logon still needs a password (or a FAS-issued certificate) and a Windows Hello/FIDO2 sign-in does not hand one over. To solve this you can deploy FAS, and you will get SSO to CVAD in every case.

*** Update – July 2022 ***

I created a separate blog post explaining how we can achieve SSO to VDAs without FAS: https://citrixie.wordpress.com/2022/07/04/citrix-workspace-azure-ad-sso-access-to-vda-desktops-and-apps-without-fas/

******

Please see this video of the end-user experience:

Prerequisites:

  1. Connect Azure Active Directory to Citrix Cloud: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/connect-azure-ad.html

Step-by-step video:

There are 3 things we need to configure to achieve this result:

  • The CWA client installed with the SSO component (includeSSO), together with the Group Policies that enable local user authentication and the trusted sites
  • The prompt=login attribute disabled for your Citrix Cloud tenant (https://support.citrix.com/article/CTX253779)
  • Azure AD pass-through authentication configured in Azure AD Connect (AD Sync)

1 – CWA Client:

Installation of Citrix Workspace app (version 2107 onwards) + policies

Install Workspace app from an administrative command prompt with the “includeSSO” option:

CitrixWorkspaceApp.exe /includeSSO

Reboot

  • Add the Citrix Workspace GPO

Change the Citrix Workspace GPO to allow “local username and password”:

Computer configuration>Administrative templates>Citrix Components>Citrix Workspace>User Authentication

Add the following trusted sites in Internet Options (you can also push them with a GPO):

https://aadg.windows.net.nsatc.net
https://autologon.microsoftazuread-sso.com
https://xxxtenantxxx.cloud.com <- your Citrix Cloud Workspace URL (replace with the name of your tenant)

Prior to CWA version 2109, also add the EdgeChromiumEnabled registry key so that Workspace app uses the Microsoft Edge WebView2 control for the authentication window:

Registry key name: EdgeChromiumEnabled

Type: String Value

Value: True
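The whole of step 1 can be scripted, which is handy when you roll it out to a pool of VMs. The following PowerShell is an added example and not code from the original post or from Citrix: the installer path, the tenant URL and the registry location for EdgeChromiumEnabled are placeholders (assumptions) that you must check against the Citrix documentation for your build, and the “local username and password” setting is still expected to come from the Citrix GPO described above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): scripted version of step 1, the CWA client.
param(
    # Assumption: where you downloaded CitrixWorkspaceApp.exe.
    [string]$Installer  = 'C:\Temp\CitrixWorkspaceApp.exe',
    # Assumption: replace with the Workspace URL of your Citrix Cloud tenant.
    [string]$TenantUrl  = 'https://xxxtenantxxx.cloud.com',
    # Assumption: registry location of the EdgeChromiumEnabled value; verify for your CWA build.
    [string]$CwaRegPath = 'HKLM:\SOFTWARE\WOW6432Node\Citrix\Dazzle',
    # Set this only on builds older than CWA 2109, as described in the post.
    [switch]$PreCwa2109
)

# 1. Install Workspace app with the SSO component, silently, and fail loudly if the installer does.
$proc = Start-Process -FilePath $Installer -ArgumentList '/includeSSO', '/silent' -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Citrix Workspace app installer returned exit code $($proc.ExitCode)"
}

# 2. Trusted sites. These are the same registry locations the “Site to Zone Assignment List”
#    GPO writes, applied machine-wide so the embedded browser picks them up. Zone 2 = Trusted sites.
#    Caveat: once this policy is in effect, users can no longer edit the zone lists themselves.
$zoneMap    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$zoneMapKey = Join-Path $zoneMap 'ZoneMapKey'
New-Item -Path $zoneMapKey -Force | Out-Null
Set-ItemProperty -Path $zoneMap -Name 'ListBox_Support_ZoneMapKey' -Value 1 -Type DWord

$trustedSites = @(
    'https://aadg.windows.net.nsatc.net',
    'https://autologon.microsoftazuread-sso.com',
    $TenantUrl
)
foreach ($site in $trustedSites) {
    Set-ItemProperty -Path $zoneMapKey -Name $site -Value '2' -Type String
}

# 3. Only for builds before CWA 2109: make the authentication window use Edge WebView2.
if ($PreCwa2109) {
    if (-not (Test-Path $CwaRegPath)) { New-Item -Path $CwaRegPath -Force | Out-Null }
    Set-ItemProperty -Path $CwaRegPath -Name 'EdgeChromiumEnabled' -Value 'True' -Type String
}

# 4. Show what was written so you can eyeball it before the reboot the post asks for.
Get-ItemProperty -Path $zoneMapKey | Select-Object -Property * -ExcludeProperty PS*
if ($PreCwa2109) { Get-ItemProperty -Path $CwaRegPath -Name 'EdgeChromiumEnabled' }
# Restart-Computer -Force   # uncomment once you are happy with the output above
```

Run it once per endpoint (or wrap it in your deployment tool), then reboot as the post says. If you already manage the trusted sites with the Site to Zone Assignment List GPO, leave section 2 out, otherwise the policy-driven list will simply overwrite what the script wrote at the next policy refresh.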

2 – Disable the prompt=login attribute in Citrix Cloud (https://support.citrix.com/article/CTX253779)

To align with industry-standard security practices and ensure that a user is properly and securely authenticated when accessing Citrix Workspace, the Citrix engineering team added the “prompt=login” parameter to every authentication request sent to the IdP of record. In OpenID Connect, prompt=login tells the identity provider to force an interactive logon even if the user already has a valid session, which is exactly what a silent SSO cannot survive: Azure AD will not reuse the Kerberos- or device-based session and the user gets a credential prompt.

You need to contact Citrix technical support to have prompt=login disabled for your tenant to make this configuration work. Be aware of the trade-off: without prompt=login, an existing Azure AD session is reused silently, so you should rely on Conditional Access and device compliance, rather than on re-prompting, to decide who gets into Workspace.

3 – Configure Azure AD Connect:

In Azure AD Connect, set the user sign-in method to Pass-through authentication and enable the Single sign-on option (Azure AD Seamless SSO); the autologon.microsoftazuread-sso.com trusted site added in step 1 exists for this. Seamless SSO creates the AZUREADSSOACC computer account in your on-premises AD, whose Kerberos decryption key should be rolled over regularly (Microsoft recommends at least every 30 days), so treat that account as a tier-0 asset.

2 thoughts on “Citrix Workspace App Azure Active Directory Seamless Single Sign-on with Domain/Hybrid/AAD joined clients”

  1. Hi
    In AD Connect wouldn’t it also work with Password Hash Synchronization and not only Pass-through synchronization?
