Citrix Workspace Azure AD SSO access to VDA (Desktops and Apps) without FAS

Last year I published a post explaining how to configure Citrix Workspace Single Sign-on using AAD as an Identity Provider for Workspace: LINK.

I have received a lot of questions on how we can achieve SSO to VDAs without deploying FAS, so I have created the post below to clarify:

The essential requirement is that the end-user device is AD domain joined. If you try to access from a non-domain-joined device you will be prompted for username and password. Even with that constraint, this solution is suitable for the majority of use cases we encounter.

There are 4 requirements that we need to configure to achieve this result:

  • Azure Active Directory connected to Citrix Cloud and enabled as IdP for Workspace: LINK.
  • CWA 2112 (or newer version) client installed with the appropriate configuration set (includeSSO)
    • The correct Group Policies to enable user authentication and trusted domains
  • Disable the prompt=login attribute in Citrix Cloud (https://support.citrix.com/article/CTX253779)
  • Azure AD pass-through authentication configured in Azure AD Connect.

1 – Connect Azure Active Directory to Citrix Cloud:

https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/connect-azure-ad.html

1.1 Enable Azure AD authentication to access Workspace:

https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/connect-azure-ad.html#enable-azure-ad-authentication-for-workspaces

2 – CWA Client Domain Joined endpoint:

Installation of Citrix Workspace (version 2107 onwards) + Policies

Install the Workspace app from an administrative command prompt with the “includeSSO” option:

CitrixWorkspaceApp.exe /includeSSO

Reboot

  • Add the Citrix Workspace GPO settings

Change the Citrix Workspace GPO to allow “local username and password”:

Computer configuration>Administrative templates>Citrix Components>Citrix Workspace>User Authentication

Add the following as trusted sites in Internet Options:

https://aadg.windows.net.nsatc.net
https://autologon.microsoftazuread-sso.com
https://xxxtenantxxx.cloud.com (replace xxxtenantxxx with the name of your tenant)

You can also set these via GPO.

3 – Disable prompt=login attribute in Citrix cloud (https://support.citrix.com/article/CTX253779)

To align with industry-standard security practices and ensure that a user is properly and securely authenticated when accessing Citrix Workspace, the Citrix Engineering team has added the “prompt=login” parameter to every authentication request to the IdP of record. Because prompt=login forces Azure AD to re-authenticate the user on every request, it has to be disabled here, otherwise the existing Azure AD session is never reused and the user is prompted again:

Workspace Configuration>Customize>Preferences>Federated Identity Provider Sessions

4 – Configure Azure AD Connect:

Enable pass-through authentication.
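A pre-flight check for the endpoint-side requirements above (domain join, CWA installed with SSON, trusted sites), as an added PowerShell example that is not from the original post. It assumes the default CWA install path, ssonsvr.exe as the SSON service binary and a YY.MM file version on wfica32.exe (2112 = 21.12); the tenant host is a placeholder to replace.

```powershell
# Added pre-flight check for the endpoint requirements above; not from the original post.
# Assumptions: CWA installs under "C:\Program Files (x86)\Citrix\ICA Client", its SSON
# service binary is ssonsvr.exe, and wfica32.exe carries a YY.MM file version (2112 = 21.12).
param(
    [string]$TenantHost = 'xxxtenantxxx.cloud.com',   # placeholder: replace with your tenant
    [version]$MinCwaVersion = '21.12'
)

$icaClient = 'C:\Program Files (x86)\Citrix\ICA Client'
$results = [ordered]@{}

# 1. The endpoint must be AD domain joined, otherwise the user is prompted for credentials.
$results['Domain joined'] = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

# 2. CWA installed with SSON (/includeSSO) and the single sign-on service running.
$wfica = Join-Path $icaClient 'wfica32.exe'
$cwaOk = $false
if (Test-Path $wfica) {
    $fi = (Get-Item $wfica).VersionInfo
    $cwaOk = [version]::new($fi.FileMajorPart, $fi.FileMinorPart) -ge $MinCwaVersion
}
$results["CWA >= $MinCwaVersion"] = $cwaOk
$results['SSON installed']  = Test-Path (Join-Path $icaClient 'ssonsvr.exe')
$results['ssonsvr running'] = [bool](Get-Process -Name ssonsvr -ErrorAction SilentlyContinue)

# 3. The Azure AD seamless SSO hosts and the Workspace URL must be zone-mapped for https.
# IE stores host.example.com as ...\ZoneMap\Domains\example.com\host; the manually set
# (Internet Settings) and GPO-delivered (Policies) locations are both checked.
function Test-ZoneMapped([string]$HostName) {
    $labels = $HostName.Split('.')
    $domain = $labels[-2..-1] -join '.'
    $sub    = $labels[0..($labels.Length - 3)] -join '.'
    $roots  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
              'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
              'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    foreach ($root in $roots) {
        $key  = "$root\ZoneMap\Domains\$domain\$sub"
        $zone = (Get-ItemProperty -Path $key -Name https -ErrorAction SilentlyContinue).https
        if ($zone -in 1, 2) { return $true }   # 1 = Local intranet, 2 = Trusted sites
    }
    return $false
}
foreach ($h in 'aadg.windows.net.nsatc.net', 'autologon.microsoftazuread-sso.com', $TenantHost) {
    $results["Zone mapped: $h"] = Test-ZoneMapped $h
}

# Print one PASS/FAIL line per requirement.
$results.GetEnumerator() | ForEach-Object {
    '{0,-50} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

Run it in the user's own session on the domain-joined endpoint; each FAIL line points back at the step above that still needs attention.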
