Identity and access management
Identity and Access Management defines the identity providers and accounts used for Citrix Cloud administrators and workspace subscribers.
Identity providers
Identity providers supported for Citrix Cloud can be used to authenticate Citrix Cloud administrators, workspace subscribers, or both.
Identity provider | Administrator Authentication | Subscriber Authentication |
---|---|---|
Citrix identity provider | Yes | No |
On-premises Active Directory | No | Yes |
Active Directory plus token | No | Yes |
Azure Active Directory | Yes | Yes |
Citrix Gateway | No | Yes |
Google Cloud Identity | Yes | Yes |
Okta | No | Yes |
SAML 2.0 | Yes (AD groups only) | Yes |
By default, Citrix Cloud uses the Citrix identity provider to manage your Citrix Cloud account. Citrix identity provider authenticates Citrix Cloud administrators only.
Citrix identity provider
Citrix Cloud includes the built-in Citrix identity provider to authenticate administrators when they sign in. In the Citrix Cloud console, the Citrix identity provider is labeled Citrix Identity. If you use a different identity provider for administrator authentication, Citrix recommends having at least one full access administrator under the Citrix identity provider. This condition ensures that:
- You won’t be locked out of your Citrix Cloud account if your primary identity provider becomes unavailable.
- You can access your Citrix Cloud account to perform certain operations that can’t be completed when signed in under another identity provider, such as Azure AD. For example, If Azure AD is your selected identity provider, and you need to reinitiate the connection between your Azure AD and Citrix Cloud, you can perform this task after signing in using the Citrix identity provider.
Remove the Citrix identity provider
The Citrix identity provider is connected by default for all new Citrix Cloud accounts. If you choose not to use the Citrix identity provider, you can remove the connection, if needed. For example, you might choose to remove this connection to conform with your organization’s policies for security and administrator management.
Removing this connection disables the Citrix identity provider so it can’t be used to authenticate Citrix Cloud administrators.
Before you can remove the Citrix identity provider connection, you must have another identity provider configured in Citrix Cloud. Citrix Cloud doesn’t allow you to remove this connection without the presence of another configured identity provider.
Important
If you lose access to your chosen identity provider, you must contact Citrix Support to recover your Citrix Cloud account. This process might require several days to complete.
To remove the Citrix identity provider connection:
- From the Citrix Cloud menu, select Identity and Access Management.
- On the Authentication tab, locate the Citrix identity provider.
-
Click the ellipsis menu and select Delete identity provider.
- When prompted to confirm the removal, select I understand that deleting this identity provider also deletes the configuration data for this identity provider in Citrix Cloud.
- Click Delete identity provider.
Citrix Federated Authentication Service
Citrix Cloud also supports using the Citrix Federated Authentication Service to provide single sign-on access for workspace subscribers. For more information, refer to the following articles:
- Connect FAS to Citrix Cloud: Enable single sign-on for workspaces with Citrix Federated Authentication Service
- Citrix Tech Zone:
Administrators
Administrators use their identity to access Citrix Cloud, perform management activities, and install the Citrix Cloud Connector.
A Citrix identity mechanism provides authentication for administrators using an email address and password. Administrators can also use their My Citrix credentials to sign in to Citrix Cloud.
Multifactor authentication
Citrix Cloud provides multifactor authentication methods for both administrators and workspace subscribers.
For administrators, multifactor authentication is required when signing in to Citrix Cloud. Administrators can enroll their device when they onboard their Citrix Cloud account or after accepting an invitation from another administrator. For more information, see the following articles:
For workspace subscribers, multifactor authentication is enabled when administrators configure the Active Directory plus token authentication method. Active Directory plus token is the default identity provider for Citrix Workspace. After configuration, subscribers enroll their device for multifactor authentication. For more information, see the following articles:
- Enable Active Directory plus token authentication
- Enroll a device for two-factor authentication
- Re-enroll a device
Alternatively, you can use Azure AD multifactor authentication for both Citrix Cloud administrators and workspace subscribers. For more information about deployment methods, see Microsoft Azure MFA deployment methods.
Add new administrators
During the account onboarding process, an initial administrator is created. As the initial administrator, you can add other administrators to your Citrix Cloud account. These new administrators can use their existing Citrix account credentials or set up a new account if needed. You can also fine-tune the access permissions of the administrators that you add. Setting these permissions allows you to align the level of access with the administrator’s role in your organization.
For more information about adding administrators and setting access permissions, see Manage administrator access.
Reset your password
If you forget or want to reset your password, click Forgot your username or password? on the Citrix Cloud sign in page. After you enter your email address or username to find your account, Citrix sends you an email with a link to reset your password.
Citrix requires you to reset your password under certain conditions to help you keep your account password safe and secure. For more information about these conditions, see Changing your password.
Note:
Add customerservice@citrix.com to your list of allowed email addresses to ensure that Citrix Cloud emails don’t land in your spam or trash folders.
Remove administrators
You can remove administrators from your Citrix Cloud account on the Administrators tab. When you remove an administrator, they can no longer sign-in to Citrix Cloud.
If an administrator is logged in when you remove the account, the administrator remains active for a maximum of one minute. Afterward, access to Citrix Cloud is denied.
Note:
- If there’s only one administrator in the account, you can’t remove that administrator. Citrix Cloud requires at least one administrator for each customer account.
- Citrix Cloud Connectors are not linked to administrator accounts. So, Cloud Connectors continue operating even if you remove the administrator who installed them.
Subscribers
A subscriber’s identity defines the services to which they have access in Citrix Cloud. This identity comes from Active Directory domain accounts provided from the domains within the resource location. Assigning a subscriber to a Library offering authorizes the subscriber to access that offering.
Administrators can control which domains are used to provide these identities on the Domains tab. If you plan to use domains from multiple forests, install at least two Citrix Cloud Connectors in each forest. Citrix recommends at least two Citrix Cloud Connectors to maintain a high availability environment. For more information about deploying Cloud Connectors in Active Directory, see Deployment scenarios for Cloud Connectors in Active Directory.
Note:
- Disabling domains prevents new identities only from being selected. It does not prevent subscribers from using identities that are already allocated.
- Each Citrix Cloud Connector can enumerate and use all the domains from the single forest in which it is installed.
Manage subscriber usage
You can add subscribers to offerings using individual accounts or Active Directory groups. Using Active Directory groups does not require management through Citrix Cloud after you assign the group to an offering.
When an administrator removes an individual subscriber or group of subscribers from an offering, those subscribers can no longer access the service. For more information about removing subscribers from specific services, refer to the service’s documentation on the Citrix Product Documentation website.
Primary resource locations
A primary resource location is a resource location that you designate as “most preferred” for communications between your domain and Citrix Cloud. For your primary resource locations, select the resource location that has Citrix Cloud Connectors that have the best performance and connectivity to your domain. Making this resource location your primary resource location enables your users to log on quickly to Citrix Cloud.
For more information, see Select a primary resource location.
More information
-
Learn more about supported identity providers with the Introduction to Citrix Identity and Authentication education course on the Citrix Training web site.
-
Citrix Tech Zone: