On this document we are going to explain how to implement Citrix Workspace app silent Single Sign-on using Azure Active Directory as an identity provider with Domain joint, Hybrid and Azure AD enrolled endpoints/VMs.
With this configuration we can also use Windows Hello (Yes, FIDO2 based and Yubikey included!) to SSO to Workspace using AAD enrolled endpoints.
In addition, we show how to configure AAD passthrough you will not require to deploy a FAS server to provide SSO to Virtual Apps and Desktops.
*Note -> Only when using windows hello on its own, you can achieve SSO to CWA but you will be prompted for username/password when accessing your published virtual apps and desktops. To solve this you can deploy FAS and you will be able to SSO to CVAD in any case.
*** Update – July 2022 ***
I created a separate blog explaining how can we achieve SSO to VDAs without FAS: https://citrixie.wordpress.com/2022/07/04/citrix-workspace-azure-ad-sso-access-to-vda-desktops-and-apps-without-fas/
Please see this video of the end user experience:
- Connect Azure Active Directory to Citrix Cloud
Step by step video:
- Enable Azure AD authentication to access workspace
There are 3 steps that we need to configure to achieve this result:
- CWA Client with the appropriate configuration set (includeSSO)
- The correct Group policies to enable user authentication and trusted domains
- Disable prompt=login attribute in Citrix cloud (https://support.citrix.com/article/CTX253779)
- Azure Active directory passthrough configured with ADsync.
1 – CWA Client:
Installation of Citrix Workspace (version 2107 onwards) + Policies
Install Workspace App from administrative command line with option “includeSSO”:
- ADD WORKSPACE GPO
Change Citrix Workspace GPO to allow “local username and password”
Computer configuration>Administrative templates>Citrix Components>Citrix Workspace>User Authentication
Add trusted sites in Internet options:
You can also set via GPO’s
Previous to with CWA Version 2109 Add EdgeChromiumEnabled =True registry key
Registry key name: EdgeChromiumEnabled
Type: String Value
2 – Disable prompt=login attribute in Citrix cloud (https://support.citrix.com/article/CTX253779)
To align with Industry-standard security practices and ensure that a user is properly and securely authenticated when accessing Citrix Workspace, the Engineering team has added the “prompt=login” parameter to every authentication request to the IdP of record
You need to contact Citrix technical support to disable prompt=login attribute in your tenant to make this configuration work
3 – Configure Azure AD connect:
Activate Pass-through authentication