Salesforce SAML SSO deployment in Citrix cloud Step-by-Step guide

As Citrix admins, we always aim to provide the best end-user experience. Citrix Workspace integrates modern authentication protocols such as SAML to provide Single Sign-On (SSO) to SaaS and internal web apps, giving a seamless experience by removing the username and password prompt when any workspace app is opened.

The idea of this blog is that you can deploy, for free, a real SAML SSO SaaS app integration using a Salesforce developer account in less than 20 minutes. This will give you hands-on knowledge of SAML SP (service provider) integration in Citrix Cloud.

We have been using these deployments for our internal demos, and we are continuously working with customers to provide these capabilities. This Salesforce SAML implementation will build good foundational knowledge of app identity deployment in Citrix Cloud.

End User Experience: SSO to Salesforce

Requirements

  • Citrix Cloud account with Secure Private Access entitlements
  • Any identity provider (AD, AAD, Google, OKTA) configured in Citrix Cloud
  • A Salesforce developer account (info below)

Step by Step guide

The first part is creating a Salesforce Developer account. You will need to use a real email address (it does not have to be on a registered domain; a Gmail or Outlook address will also work) and verify the account before accessing the Salesforce portal: https://developer.salesforce.com/signup

Once you have access to your Salesforce account, look for your domain in the menu on the left. There you will find your Salesforce tenant URL; in my case it is

https://azjavilab-dev-ed.develop.my.salesforce.com

Now we go to the Citrix Cloud admin portal to configure our brand new Salesforce app in Secure Private Access.

We can use a template to configure Salesforce, but in my case, I am going to configure the app manually.

In the Single Sign-On configuration, we select SAML.

Sign Assertion, Assertion URL and Relay State URL all use the URL of our Salesforce tenant: https://azjavilab-dev-ed.develop.my.salesforce.com/

Name ID Format: Transient

Name ID: User Name

Now we move to the SAML metadata section. Here we can download an XML file with all our configuration, which we can later import into Salesforce. The XML file includes the signing certificate that Salesforce needs in order to validate the assertions.

This is the structure of the XML file.

We move back to Salesforce and look for the Single Sign-On Settings. We need to enable SAML and then import from the metadata file, using the XML file downloaded from Citrix Cloud.

Once imported, all the fields will be populated and you can save your configuration.

Make sure you activate HTTP POST as the binding.

You can also create a new configuration manually and copy the entity ID and application values into Salesforce.

Once our Salesforce application is saved, we go back to Citrix Cloud to finish configuring the app.

The next step is creating the access policy for the Salesforce app in Citrix Cloud and assigning it to the user.

Test user creation in Salesforce

Now we need to create a Salesforce user whose email address matches our identity provider user.

In my case, I have user1@azjavilab.com as an Azure Active Directory user, but it doesn't matter whether your user comes from on-prem AD, OKTA, AAD or Google. We are going to federate this SAML authentication based on the email address, so if the addresses match, SAML SSO will work.

Make sure the test user(s) are created in Salesforce, and verify that the user licence is correctly assigned (a Salesforce licence is required).

Once this step is finished we are ready for testing:

Troubleshooting tips

Inside Salesforce, under the Single Sign-On Settings, there is a SAML Assertion Validator that will help you verify your configuration.

Here are some tips:

  • Make sure the test user(s) exist in Salesforce, and check that the user licence is correctly assigned (a Salesforce licence is required).

The SAML decoder Chrome extension is always very helpful for troubleshooting SAML issues:

https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm
