In this document we explain how to implement silent single sign-on (SSO) to the Citrix Workspace app (CWA) using Azure Active Directory (AAD) as the identity provider, for domain-joined, hybrid-joined and Azure AD-joined endpoints/VMs.
With this configuration you can also use Windows Hello to SSO into Workspace from AAD-joined endpoints.
- You can now authenticate to the Citrix Workspace app using Windows Hello
- FIDO2-based authentication now works with the Citrix Workspace app (yes, YubiKey included!)
- Single sign-on to the Citrix Workspace app from Microsoft AAD-joined machines (AAD as IdP)
- Conditional Access with AAD
- Your Microapp experience just got enhanced with spell check and copy/paste functionality
- Better Files download experience with a download bar and security scans
In addition, because we configure AAD pass-through authentication, you do not need to deploy a Federated Authentication Service (FAS) server to get SSO into your Virtual Apps and Desktops sessions: the Workspace app passes the domain credential the user logged on with straight through to the VDA.
*Note -> When Windows Hello is used on its own there is no password to pass through. You still get SSO to the Workspace app, but you will be prompted for a username/password when launching published virtual apps and desktops. To solve this, deploy FAS; it issues a logon certificate for the user, so you get SSO to CVAD in every case.
Please see this video of the end user experience:
- Connect Azure Active Directory to Citrix Cloud
Step by step video:
- Enable Azure AD authentication for access to Workspace
Step by step video:
There are three parts to configure to achieve this result:
- The CWA client, installed with the includeSSO option and with the Group Policies that enable local user authentication and the trusted sites
- The prompt=login attribute disabled in Citrix Cloud (https://support.citrix.com/article/CTX253779)
- Azure Active Directory pass-through authentication, configured with Azure AD Connect
1 – CWA Client:
Installation of Citrix Workspace app (version 2107 onwards) + policies
Install the Workspace app from an administrative command line with the includeSSO option (this is what deploys the single sign-on component, ssonsvr.exe):
- Add the Citrix Workspace GPO templates
Change the Citrix Workspace GPO to enable “Local user name and password”:
Computer Configuration > Administrative Templates > Citrix Components > Citrix Workspace > User Authentication
Add the Workspace URL to Trusted sites in Internet Options; keep the list to the sites that actually need the SSO handoff:
This can also be set via GPO (Site to Zone Assignment List)
For CWA versions earlier than 2109, add the EdgeChromiumEnabled registry value and set it to True:
Registry value name: EdgeChromiumEnabled
Type: String Value (REG_SZ), data: True
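The client-side part of step 1 as one script, added here as an example; it is not from the original post and not a Citrix-supplied script. It installs the Workspace app with /includeSSO, adds the trusted sites, sets EdgeChromiumEnabled only on builds before 2109, and checks that the SSON process exists afterwards. The installer path, the host names, and the registry path used for EdgeChromiumEnabled (HKLM\SOFTWARE\WOW6432Node\Citrix\Dazzle) are assumptions, not values from the page; the “Local user name and password” setting stays in the Citrix Workspace GPO as described above.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original post, not Citrix's own script): applies the
  client-side part of step 1 on one Windows endpoint and checks the result.
  Assumed, not from the page: the installer path, the Workspace host names, and the
  registry path used for EdgeChromiumEnabled (HKLM\SOFTWARE\WOW6432Node\Citrix\Dazzle).
#>
param(
    [string]   $Installer    = 'C:\Install\CitrixWorkspaceApp.exe',                  # assumed path
    [string[]] $TrustedHosts = @('contoso.cloud.com', 'login.microsoftonline.com')     # assumed hosts
)

function Add-TrustedSite {
    # Puts one FQDN in the Trusted sites zone (zone 2) for https only, using the ZoneMap
    # registry layout Internet Options writes: Domains\<registrable domain>\<subdomain>.
    param([Parameter(Mandatory)][string] $Hostname)
    $labels = $Hostname.Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$Hostname'" }
    $domain    = $labels[-2..-1] -join '.'
    $subdomain = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' }
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
    if ($subdomain) { $key = Join-Path $key $subdomain }
    New-Item -Path $key -Force | Out-Null
    # Only the https scheme is trusted: the SSO handoff must never happen over plain http.
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value 2 -Force | Out-Null
    return $key
}

# 1. Install with the single sign-on component (/includeSSO). /silent suppresses the UI and
#    /noreboot lets the registry work below finish before the restart that SSON needs.
if (-not (Test-Path $Installer)) { throw "Installer not found: $Installer" }
$setup = Start-Process -FilePath $Installer -ArgumentList '/silent', '/includeSSO', '/noreboot' -Wait -PassThru
if ($setup.ExitCode -ne 0) { throw "Citrix Workspace app setup failed with exit code $($setup.ExitCode)" }

# 2. Trusted sites: only the Workspace store and the Azure AD sign-in host. A broad entry
#    such as a whole TLD would let any site in that zone receive the SSO handoff.
#    For a fleet, push the same entries with the "Site to Zone Assignment List" GPO instead.
foreach ($h in $TrustedHosts) { Add-TrustedSite -Hostname $h | Out-Null }

# 3. Builds before CWA 2109 (product version 21.9) need EdgeChromiumEnabled=True (REG_SZ).
$version = [version](Get-Item $Installer).VersionInfo.ProductVersion    # e.g. 21.7.0.x for CWA 2107
if ($version -lt [version]'21.9') {
    $dazzle = 'HKLM:\SOFTWARE\WOW6432Node\Citrix\Dazzle'                 # assumed key path
    New-Item -Path $dazzle -Force | Out-Null
    New-ItemProperty -Path $dazzle -Name 'EdgeChromiumEnabled' -PropertyType String -Value 'True' -Force | Out-Null
}

# 4. Check: ssonsvr.exe is the process that captures the logon credential for pass-through.
#    It starts at user logon, so after a fresh install it appears only after a reboot or re-logon.
$sson = Get-Process -Name 'ssonsvr' -ErrorAction SilentlyContinue
if ($sson) {
    Write-Output "SSON component running (PID $($sson.Id)); test a Workspace logon for a silent sign-in."
} else {
    Write-Warning 'ssonsvr.exe is not running. Confirm the includeSSO install and the User Authentication GPO, then reboot.'
}
```

Run it from an elevated PowerShell on a test endpoint, reboot, and log on with the AAD/domain account before opening Workspace. The trusted-sites list is deliberately narrow: the zone decides which sites the Workspace app will hand the cached logon credential to, so it should contain nothing beyond the store and the identity provider.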
2 – Disable prompt=login attribute in Citrix cloud (https://support.citrix.com/article/CTX253779)
To align with industry-standard security practices and ensure that a user is properly and securely authenticated when accessing Citrix Workspace, the Citrix engineering team added the “prompt=login” parameter to every authentication request sent to the IdP of record. That parameter forces the IdP to re-authenticate the user interactively, which is exactly what silent SSO cannot survive.
You need to contact Citrix technical support to have prompt=login disabled on your tenant for this configuration to work. Once it is disabled, Workspace accepts the Azure AD session the device already holds, so use AAD Conditional Access (device compliance, location, MFA) as the control that decides which devices may sign in silently.
3 – Configure Azure AD Connect:
In the Azure AD Connect wizard, change the user sign-in method to Pass-through authentication and install at least one additional authentication agent for redundancy. Pass-through authentication validates the user's on-premises AD password at sign-in; that is what lets the same credential later be passed through to the VDA without FAS, and it is why a Windows Hello-only logon (no password) still needs FAS, as noted above.