Last year I published a post explaining how to configure Citrix Workspace Single Sign-on using AAD as an Identity Provider for Workspace: LINK.
I have received a lot of questions about how we can achieve SSO to the VDAs without deploying FAS, so I have created the post below to clarify.
The essential requirement is that the end-user device is AD domain joined – if you try to access from a non-domain-joined device you will be prompted for username and password. However, this solution is suitable for the majority of the use cases we encounter.
There are 4 requirements that we need to configure to achieve this result:
- Azure Active Directory configured with Citrix cloud and enabled as IdP for Workspace: LINK.
- Citrix Workspace app (CWA) 2112 or newer installed with the appropriate option set (includeSSO)
- The correct Group policies to enable user authentication and trusted domains
- Disable prompt=login attribute in Citrix cloud (https://support.citrix.com/article/CTX253779)
- Azure Active Directory pass-through authentication configured in Azure AD Connect (AD sync).
1 – Connect Azure Active Directory to Citrix Cloud:
1.1 Enable Azure AD authentication to access Workspace: https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/connect-azure-ad.html#enable-azure-ad-authentication-for-workspaces
2 – CWA client on a domain-joined endpoint:
Installation of Citrix Workspace app (version 2107 onwards) plus the policies below.
Install Workspace app from an administrative command line with the “includeSSO” option:
- Add the Workspace GPO
Change the Citrix Workspace GPO to allow “local username and password”:
Computer Configuration > Administrative Templates > Citrix Components > Citrix Workspace > User Authentication
Add the trusted sites in Internet Options:
You can also set these via GPO.
3 – Disable prompt=login attribute in Citrix cloud (https://support.citrix.com/article/CTX253779)
To align with industry-standard security practices and ensure that a user is properly and securely authenticated when accessing Citrix Workspace, the Citrix engineering team has added the “prompt=login” parameter to every authentication request sent to the IdP of record. This parameter tells the IdP to re-prompt for credentials even when the user already has a session, which is exactly what defeats silent SSO from a domain-joined device, so it must be disabled for this scenario.
The setting is under Workspace Configuration \ Customize \ Preferences \ Federated Identity Provider Sessions.
4 – Configure Azure AD Connect:
Activate pass-through authentication.
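The steps above are mostly console and GPO work, so here is an added endpoint-side readiness check that is not part of the original post or of any Citrix tooling. It verifies the domain-join prerequisite, the minimum Workspace app version, that the single sign-on component installed by includeSSO (ssonsvr.exe) is running, that the trusted-site zone mapping is in place, and, for step 3, that an authorization request captured from the browser no longer carries prompt=login. It assumes Windows 10/11 with an elevated PowerShell session; the host names in $TrustedSiteHosts and the sample authorization URL are placeholders I constructed, since the post does not name the sites.

```powershell
# Added example, not from the original post: endpoint readiness check for the
# domain-joined Workspace SSO chain. Assumes Windows 10/11, elevated PowerShell,
# and Citrix Workspace app installed with /includeSSO. Host names and the sample
# authorization URL below are placeholders, not values from the post.

$MinimumWorkspaceVersion = [version]'21.12.0.0'       # CWA 2112, as the post requires
$TrustedSiteHosts        = @('workspace.example.com')  # placeholder host name(s)
# Constructed sample of an IdP authorization request with prompt=login still present.
$SampleAuthRequest = 'https://idp.example.com/authorize?client_id=PLACEHOLDER&response_type=code&prompt=login'

function Test-DomainJoined {
    # The post's essential requirement: the device must be AD domain joined,
    # otherwise the user is prompted for username and password.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{ Check = 'DomainJoined'; Pass = [bool]$cs.PartOfDomain; Detail = $cs.Domain }
}

function Test-WorkspaceAppVersion {
    # Read the installed Citrix Workspace app entry from the Uninstall keys (64- and 32-bit views).
    # Assumes DisplayVersion follows Citrix's yy.mm.x.x scheme (e.g. 21.12.0.x for CWA 2112).
    $paths = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    $app = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'Citrix Workspace*' } |
           Select-Object -First 1
    $installed = $null
    if ($app -and $app.DisplayVersion) { $installed = [version]$app.DisplayVersion }
    $detail = if ($app) { "$($app.DisplayName) $($app.DisplayVersion)" } else { 'not installed' }
    [pscustomobject]@{
        Check  = 'WorkspaceAppVersion'
        Pass   = ($null -ne $installed -and $installed -ge $MinimumWorkspaceVersion)
        Detail = $detail
    }
}

function Test-SsonRunning {
    # /includeSSO installs the single sign-on component; ssonsvr.exe must be running
    # in the user's session for the domain logon credentials to be passed through.
    $p = Get-Process -Name 'ssonsvr' -ErrorAction SilentlyContinue
    $detail = if ($p) { "pid $($p.Id)" } else { 'ssonsvr.exe not running' }
    [pscustomobject]@{ Check = 'SsonProcess'; Pass = [bool]$p; Detail = $detail }
}

function Add-TrustedSite {
    # Per-user equivalent of adding a site to the Trusted sites zone in Internet Options.
    # Zone 2 = Trusted sites; the value name is the URL scheme the mapping applies to.
    param([Parameter(Mandatory)][string]$HostName)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$HostName"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null
}

function Test-TrustedSite {
    param([Parameter(Mandatory)][string]$HostName)
    $key  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$HostName"
    $zone = (Get-ItemProperty -Path $key -Name 'https' -ErrorAction SilentlyContinue).https
    [pscustomobject]@{ Check = "TrustedSite:$HostName"; Pass = ($zone -eq 2); Detail = "https zone = $zone" }
}

function Test-AuthRequestHasNoPromptLogin {
    # Step 3 check: pass the IdP authorization request URL captured from the browser's
    # network trace after Workspace redirects to the IdP. With prompt=login still present
    # the IdP re-prompts for credentials even when a session exists, so silent SSO fails.
    param([Parameter(Mandatory)][string]$AuthRequestUrl)
    $query  = ([uri]$AuthRequestUrl).Query.TrimStart('?')
    $params = @{}
    foreach ($pair in ($query -split '&')) {
        $k, $v = $pair -split '=', 2
        $params[[uri]::UnescapeDataString($k)] = [uri]::UnescapeDataString("$v")
    }
    [pscustomobject]@{ Check = 'NoPromptLogin'; Pass = ($params['prompt'] -ne 'login'); Detail = "prompt=$($params['prompt'])" }
}

# Apply the trusted-site mapping for each placeholder host, then run and report every check.
foreach ($h in $TrustedSiteHosts) { Add-TrustedSite -HostName $h }

$results = @()
$results += Test-DomainJoined
$results += Test-WorkspaceAppVersion
$results += Test-SsonRunning
foreach ($h in $TrustedSiteHosts) { $results += Test-TrustedSite -HostName $h }
$results += Test-AuthRequestHasNoPromptLogin -AuthRequestUrl $SampleAuthRequest   # fails on the sample by design

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'One or more SSO prerequisites are not met.' }
```

Two caveats on using this outside a lab: where the Site to Zone Assignment List GPO manages the Internet Explorer zones (the GPO route the post mentions), the per-user ZoneMap write in Add-TrustedSite is overridden by policy and the GPO is the right place to make the change; and the Workspace app “local username and password” setting is deliberately not scripted here, because the post configures it through the ADMX template and the script only reports on the pieces it can observe.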