Citrix Workspace Azure AD SSO access to VDA (Desktops and Apps) without FAS

Last year I published a post explaining how to configure Citrix Workspace Single Sign-on using AAD as an Identity Provider for Workspace: LINK.

I have received a lot of questions about how to achieve SSO to VDAs without deploying FAS, so I have created the post below to clarify:

The essential requirement is that the end-user device is AD Domain joined – if you try to access from a non-domain joined device you will be prompted for username and password. However, this solution is suitable for the majority of use cases we encounter.

There are 4 requirements that we need to configure to achieve this result:

  • Azure Active Directory configured with Citrix cloud and enabled as IdP for Workspace: LINK.
  • CWA 2112 (or newer version) Client with the appropriate configuration set (includeSSO)
    • The correct Group policies to enable user authentication and trusted domains
  • Disable prompt=login attribute in Citrix cloud (
  • Azure Active directory passthrough configured with ADsync.

1 – Connect Azure Active Directory to Citrix Cloud:

1.1 Enable Azure AD authentication to access workspace

2 – CWA Client Domain Joined endpoint:

Installation of Citrix Workspace (version 2107 onwards) + Policies

Install Workspace App from administrative command line with option “includeSSO”:

CitrixWorkspaceApp.exe /includeSSO



Change Citrix Workspace GPO to allow “local username and password”

Computer configuration>Administrative templates>Citrix Components>Citrix Workspace>User Authentication

Add trusted sites in Internet options: <- the name of your tenant

You can also set this via GPO.

3 – Disable prompt=login attribute in Citrix cloud (

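To align with industry-standard security practices and ensure that a user is properly and securely authenticated when accessing Citrix Workspace, the Engineering team has added the “prompt=login” parameter to every authentication request to the IdP of record. That parameter makes the IdP ask for credentials even when the user already has a valid session, so it has to be turned off for SSO, at the cost of that forced re-authentication.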

Workspace Configuration\Customize\Preferences-Federated Identity Provider Sessions

4 – Configure Azure AD connect:

Activate Pass-through authentication
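To confirm the endpoint side of steps 2 and 3 before testing a launch, a read-only check like the one below can help. It is an added example, not part of the original post or any Citrix tooling: the function name Test-WorkspaceSsoPrereqs is hypothetical, the Workspace URL must be supplied by you, and the check for a process named ssonsvr is an assumption about how the /includeSSO component shows up in the user session.

```powershell
# Added example: read-only check of the endpoint-side prerequisites.
# Run in Windows PowerShell 5.1 in the user's own session.
function Test-WorkspaceSsoPrereqs {
    param(
        # Your Workspace URL; no default, because the page does not state one.
        [Parameter(Mandatory)][uri]$WorkspaceUrl
    )

    # The endpoint must be AD domain joined.
    $domainJoined = [bool](Get-CimInstance Win32_ComputerSystem).PartOfDomain

    # Assumption: the component installed by /includeSSO runs as ssonsvr.exe
    # in the user session.
    $ssoRunning = [bool](Get-Process -Name ssonsvr -ErrorAction SilentlyContinue)

    # Installed Workspace app version, read from the standard uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $cwa = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Citrix Workspace*' } |
        Select-Object -First 1
    $cwaVersion = if ($cwa) { $cwa.DisplayVersion } else { 'not installed' }

    # Zone Windows assigns to the URL (manual setting and GPO both count).
    $zone = [System.Security.Policy.Zone]::CreateFromUrl($WorkspaceUrl.AbsoluteUri).SecurityZone

    [pscustomobject]@{
        DomainJoined     = $domainJoined
        SsoProcessFound  = $ssoRunning
        CwaVersion       = $cwaVersion
        UrlZone          = "$zone"
        UrlInTrustedZone = ($zone -eq [System.Security.SecurityZone]::Trusted)
    }
}

# Usage: Test-WorkspaceSsoPrereqs -WorkspaceUrl '<your Workspace URL>'
```

A false DomainJoined or UrlInTrustedZone points to the credential prompt described at the top of the post; the Citrix Cloud and Azure AD Connect settings in steps 1, 3 and 4 are not visible from the endpoint and still need checking in their consoles.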
