Google identity provider (SAML integration) for Citrix Cloud Step by Step guide

Following the announcement of general availability of SAML 2.0 (Security Assertion Markup Language) for Citrix Workspace, we can now officially integrate Google as a primary identity provider for Citrix Workspace.

With this integration you can provide all the benefits of Citrix Secure Workspace Access, including SSO, to any:

  • SaaS
  • VPNLess access to Internal Web Apps
  • Citrix Files
  • Virtual apps and Desktops

along with all the security AI built into Google when your users authenticate with any 2-Step Verification method, such as Google Authenticator, text message or phone call, or passwordless access with a YubiKey.

Video of the end user experience:

For an optimal end-user experience, I would recommend deploying a Citrix Federated Authentication Service (FAS) server connected to Citrix Cloud to provide single sign-on and prevent a second logon prompt when opening an app or desktop from the Citrix Virtual Apps and Desktops service. For more information, see Connect Citrix Federated Authentication Service to Citrix Cloud.

Prerequisites/Requirements

  • SAML IdP for Citrix Workspace requires an Active Directory integration with both Citrix Cloud and Google Workspace (G Suite account)
    • User assignment to resources is done by picking users out of an Active Directory

  • For this integration to work, Google must pass Citrix Cloud certain Active Directory attributes of the user in the SAML assertion. Specifically:
    • security identifier (SID, the objectSid attribute)
    • objectGUID (OID)
    • userPrincipalName (UPN)
    • mail (email)
  • To sync these attributes between Active Directory and Google we have two options:
    1. Use Google Cloud Directory Sync to read Active Directory and sync users and groups
      • We will need to create a custom schema to sync the required attributes
    2. Manually create the four required attributes in the Google Admin Console and copy the attribute values extracted from AD

Configuration:

The configuration can be completed following these steps:

  1. In Identity and Access Management, connect your on-premises AD to Citrix Cloud as described in Connect Active Directory to Citrix Cloud.
  2. Integrate Google with your on-premises AD as described in section 2 (Sync Active Directory to Google Cloud) of this article:
    a) Using Google Cloud Directory Sync (GCDS)
    b) Manual sync via the Google Admin Console
  3. In Identity and Access Management, configure SAML authentication in Citrix Cloud. This task involves configuring a SAML application in the Google Admin Console with the SAML metadata from Citrix Cloud, and then configuring Citrix Cloud with the metadata from your Google SAML application to create the SAML connection.
  4. In Workspace Configuration, select the SAML authentication method.
  5. Test the end-user experience.

1 – Connect Active Directory to Citrix Cloud

2 – Sync Active Directory to Google Cloud:

2a) To sync Active Directory to Google Cloud, use the Google Cloud Directory Sync tool.

Configure the Sync tool using the standard setup.

The extra item that needs to be added is a custom schema, named “citrix-schema” (recommended).

Ensure you add the fields with exact casing as noted in the image on the top right.

  • UPN -> userPrincipalName
  • SID -> objectSid
  • objectGUID -> objectGUID

Once the sync is complete, the User Information section in Google Cloud will contain the user’s Active Directory information.

2b) Sync Active Directory to Google Cloud without Google Cloud Directory Sync

We will need to create a custom schema with the UPN, objectGUID and SID fields.

Extract the UPN, objectGUID and SID values from AD (in PowerShell, using Get-ADUser <user>) and manually copy them into the user's attributes in the Google Admin Console.
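As an added example (not part of the original post), the PowerShell below pulls the four attributes for one account and, optionally, for every enabled user in an OU, so the values can be pasted or bulk-loaded into the Google custom schema fields. The account name jdoe, the OU path and the dashed GUID string format are assumptions; use whichever GUID format your GCDS mapping produces.

```powershell
# Added example: export the AD attributes Google must carry in the SAML assertion.
# Requires the ActiveDirectory module (RSAT). Names below are placeholders.
Import-Module ActiveDirectory

function Get-CitrixSamlAttributes {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName, mail, objectSid, objectGUID

    [pscustomobject]@{
        userPrincipalName = $u.UserPrincipalName
        mail              = $u.mail
        # objectSid is a SecurityIdentifier object; .Value gives the 'S-1-5-21-...' string
        objectSid         = $u.objectSid.Value
        # objectGUID is a System.Guid; ToString() gives the dashed form (assumption: match the
        # format your GCDS custom-schema mapping writes, since Citrix Cloud compares the string)
        objectGUID        = $u.objectGUID.ToString()
    }
}

# One user, for manual entry into the Google Admin Console
Get-CitrixSamlAttributes -SamAccountName 'jdoe' | Format-List

# Every enabled user in an OU (placeholder path), as a CSV for bulk loading
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Users,DC=example,DC=com' |
    ForEach-Object { Get-CitrixSamlAttributes -SamAccountName $_.SamAccountName } |
    Export-Csv -Path .\citrix-saml-attributes.csv -NoTypeInformation
```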

3 – Add SAML application in Google Admin Console

After generating the SAML application in the Google Admin Console, we need to enable SAML in Workspace configuration and copy the SSO URL and the Entity ID:

We also need to complete the service provider settings using the SAML metadata and certificate from Citrix Workspace, copying them into the Google service provider details:

We also need to configure the attributes and activate the application for all users:

4 – Enable SAML in the Workspace configuration.

5 – End User Experience

TROUBLESHOOTING

We need to verify that the attributes are correctly imported from AD into Google and included in the SAML response. The SAML Message Decoder extension for Chrome shows the decoded assertion:

https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm

In the SAML response, verify that we are passing the correct attributes from AD (SID, objectGUID, UPN and mail).
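As an added example (not part of the original post), the script below performs the same check as the decoder extension from the command line: it decodes a base64 SAMLResponse and reports which of the required attributes are present in the assertion. The attribute names default to Citrix Cloud's SAML attribute names (an assumption; set them to whatever names you configured in the Google SAML app), and the sample response is constructed here with the SID mapping deliberately missing.

```powershell
# Added example: check a SAMLResponse for the AD attributes Citrix Cloud needs.
function Test-CitrixSamlAttributes {
    param(
        [Parameter(Mandatory)][string]$SamlResponseBase64,
        # Assumed defaults; must match the attribute names configured in the Google SAML app
        [string[]]$RequiredAttributes = @('cip_sid', 'cip_oid', 'cip_upn', 'cip_email')
    )
    $xml = [xml][System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64))
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')

    # Collect every Attribute in the assertion's AttributeStatement, joining multi-valued ones
    $found = @{}
    foreach ($attr in $xml.SelectNodes('//saml:Assertion/saml:AttributeStatement/saml:Attribute', $ns)) {
        $values = $attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText }
        $found[$attr.GetAttribute('Name')] = ($values -join ';')
    }

    # Report OK only when the attribute exists and carries a non-empty value
    foreach ($name in $RequiredAttributes) {
        if ($found.ContainsKey($name) -and $found[$name].Trim()) {
            [pscustomobject]@{ Attribute = $name; Status = 'OK';      Value = $found[$name] }
        } else {
            [pscustomobject]@{ Attribute = $name; Status = 'MISSING'; Value = $null }
        }
    }
}

# Constructed sample response: Google mapped UPN, mail and objectGUID but not the SID
$sample = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="cip_upn"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="cip_email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="cip_oid"><saml:AttributeValue>6f9619ff-8b86-d011-b42d-00c04fc964ff</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@
$b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sample))

# Expect three OK rows and cip_sid reported as MISSING
Test-CitrixSamlAttributes -SamlResponseBase64 $b64 | Format-Table -AutoSize
```

For a real capture, paste the SAMLResponse form value from the browser developer tools or the decoder extension in place of $b64.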
