Connect Google Cloud Identity as an identity provider to Citrix Cloud
Citrix Cloud supports using Google Cloud Identity as an identity provider to authenticate subscribers signing in to their workspaces. By connecting your organization’s Google account to Citrix Cloud, you can provide a unified sign-in experience for accessing Citrix Workspace and Google resources.
Requirements for domain-joined and non-domain-joined configuration
You can configure Google Cloud Identity as an identity provider in Citrix Cloud using a machine that’s domain-joined or non-domain-joined.
- Domain-joined means machines are joined to a domain in your on-premises Active Directory (AD) and authentication uses the user profiles that are stored there.
- Non-domain-joined means machines aren’t joined to an AD domain and authentication uses the user profiles that are stored in your Google Workspace directory (also known as Google-native users).
The following table lists the requirements for each configuration type.
Requirement | Domain-joined | Non-domain-joined | More information |
---|---|---|---|
On-premises AD | Yes | No | See Prepare Active Directory and Citrix Cloud Connectors in this article. |
Citrix Cloud Connectors deployed in your resource location | Yes | No; Cloud Connectors aren’t needed to access non-domain-joined machines. | Prepare Active Directory and Citrix Cloud Connectors in this article. |
AD synchronization with Google Cloud | Optional only if using Gateway service and no other services. Otherwise, this task is required. | No | See Sync Active Directory with Google Cloud Identity in this article. |
Developer account with access to the Google Cloud Platform console. Used for creating a service account and key, and enabling the Admin SDK API. | Yes | Yes | See Create a service account, Create a service account key, and Configure domain-wide delegation in this article. |
An administrator account with access to the Google Workspace Admin console. Used for configuring domain-wide delegation and a read-only API user account. | Yes | Yes | See Configure domain-wide-delegation and Add a read-only API user account in this article. |
Authentication with multiple Citrix Cloud accounts
This article describes how to connect Google Cloud Identity as an identity provider to a single Citrix Cloud account. If you have multiple Citrix Cloud accounts, you can connect each one to the same Google Cloud account using the same service account and read-only API user account. Simply sign in to Citrix Cloud and select the appropriate customer ID from the customer picker.
Prepare Active Directory and Citrix Cloud Connectors
If you are using a domain-joined machine with Google Cloud Identity, use this section to prepare your on-premises AD. If you are using a non-domain-joined machine, skip this task and continue to Create a service account in this article.
You need at least two (2) servers in your Active Directory domain on which to install the Citrix Cloud Connector software. Cloud Connectors are required for enabling communication between Citrix Cloud and your resource location. At least two Cloud Connectors are required to ensure a highly available connection with Citrix Cloud. These servers must meet the following requirements:
- Meets the requirements described in Cloud Connector Technical Details.
- Does not have any other Citrix components installed, is not an Active Directory domain controller, and is not a machine critical to your resource location infrastructure.
- Joined to your Active Directory (AD) domain. If your workspace resources and users reside in multiple domains, you must install at least two Cloud Connectors in each domain. For more information, see Deployment scenarios for Cloud Connectors in Active Directory.
- Connected to a network that can contact the resources that users access through Citrix Workspace.
- Connected to the Internet. For more information, see System and Connectivity Requirements.
For more information about installing Cloud Connectors, see Cloud Connector Installation.
Sync Active Directory with Google Cloud Identity
If you are using a domain-joined machine with Google Cloud Identity, use this section to prepare your on-premises AD. If you are using a non-domain-joined machine, skip this task and continue to Create a service account in this article.
Synchronizing your AD with Google Cloud Identity is optional if you are using only Citrix Gateway service, with no other services enabled. For these services alone, you can use Google-native users without needing to synchronize with your AD.
If you are using other Citrix Cloud services, synchronizing your AD with Google Cloud Identity is required. Google Cloud must pass the following AD user attributes to Citrix Cloud:
- SecurityIDentifier (SID)
- objectGUID
- userPrincipalName (UPN)
To sync your AD with Google Cloud
- Download and install the Google Cloud Directory Sync utility from the Google web site. For more information about this utility, see the Google Cloud Directory Sync documentation on the Google web site.
- After installing the utility, launch the Configuration Manager (Start > Configuration Manager).
- Specify the Google domain settings, and LDAP settings as described in Set up your sync with Configuration Manager of the utility documentation.
- In General Settings, select Custom Schemas. Leave the default selections unchanged.
- Configure a custom schema to apply to all user accounts. Enter the required information using the exact casing and spelling specified in this section.
- Select the Custom Schemas tab and then select Add Schema.
- Select Use rules defined in “User Accounts”.
- In Schema Name, enter citrix-schema.
- Select Add Field and then enter the following information:
- Under Schema field template, in Schema Field, select userPrincipalName.
- Under Google field details, in Field Name, enter UPN.
- Repeat Step 4 to create the following fields:
- objectGUID: Under Schema field template, select objectGUID. Under Google field details, enter objectGUID.
- SID: Under Schema field template, select Custom. Under Google field details, enter SID.
- objectSID: Under Schema field template, select Custom. Under Google field details, enter objectSID.
- Select OK to save your entries.
- Finish configuring any remaining settings for your organization and verify synchronization settings as described in Set up your sync with Configuration Manager of the utility documentation.
- Select Sync & apply changes to synchronize your Active Directory with your Google account.
After the sync finishes, the User Information section in Google Cloud displays users’ Active Directory information.
Create a service account
To complete this task, you need a Google Cloud Platform developer account.
- Sign in to https://console.cloud.google.com.
- From the Dashboard sidebar, select IAM & Admin and then select Service Accounts.
- Select Create service account.
- Under Service account details, enter the service account name and service account ID.
- Select Done.
Create a service account key
- On the Service Accounts page, select the service account you just created.
- Select the Keys tab and then select Add key > Create new key.
- Leave the default JSON key type option selected.
- Select Create. Save the key to a secure location that you can access later. You enter the private key in the Citrix Cloud console when you connect Google Cloud Identity as an identity provider.
Configure domain-wide delegation
- Enable the Admin SDK API:
- From the Google Cloud Platform menu, select APIs & Services > Enabled APIs & services.
- Select Enable APIs and services near the top of the console. The API Library home page appears.
- Search for Admin SDK API and select it from the results list.
- Select Enable.
- Create an API client for the service account:
- From the Google Cloud Platform menu, select IAM & Admin > Service Accounts and then select the service account you created earlier.
- From the service account’s Details tab, expand Advanced settings.
- Under Domain-wide Delegation, copy the Client ID and then select View Google Workspace Admin Console.
- If applicable, select the Google Workspace administrator account you want to use. The Google Admin console appears.
- From the Google Admin sidebar, select Security > Access and data control > API controls.
- Under Domain wide delegation, click Manage Domain Wide Delegation.
- Select Add new.
- In Client ID paste the client ID for the service account that you copied in Step C.
-
In OAuth scopes, enter the following scopes in a single comma-delimited line:
https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly <!--NeedCopy-->
- Select Authorize.
Add a read-only API user account
In this task, you create a Google Workspace user account that has read-only API access for Citrix Cloud. This account is not used for any other purpose and has no other privileges.
- From the Google Admin menu, select Directory > Users.
- Select Add new user and enter the appropriate user information.
- Select Add new user to save the account information.
- Create a custom role for the read-only user account:
- From the Google Admin menu, select Account > Admin roles.
- Select Create new role.
- Enter a name for the new role. Example: API-ReadOnly
- Select Continue.
- Under Admin API privileges, select the following privileges:
- Users > Read
- Groups > Read
- Domain Management
- Select Continue and then select Create role.
- Assign the custom role to the read-only user account you created earlier:
- From the custom role details page, in the Admins pane, select Assign users.
- Start typing the name of the read-only user account and select it from the user list.
- Select Assign role.
- To verify the role assignment, return to the Users page (Directory > Users) and select the read-only user account. The custom role assignment is displayed under Admin roles and privileges.
Connect Google Cloud Identity to Citrix Cloud
- Sign in to Citrix Cloud at https://citrix.cloud.com.
- From the Citrix Cloud menu, select Identity and Access Management.
- Locate Google Cloud Identity and then select Connect from the ellipsis menu.
- When prompted, enter a short, URL-friendly identifier for your company and select Save and Continue. The identifier you choose must be globally unique within Citrix Cloud.
- Select Import File and then select the JSON file you saved when you created the key for the service account. This action imports your private key and the email address for the Google Cloud service account that you created.
- In Impersonated User, enter the name of the read-only API user account.
- Select Next. Citrix Cloud verifies your Google account details and tests the connection.
- Review the associated domains that are listed. If they’re correct, select Confirm to save your configuration.
Add administrators to Citrix Cloud
You can add individual Citrix Cloud administrators and administrator groups through Google Cloud. For more information, see the following articles:
- For individual administrators: Manage administrator access to Citrix Cloud
- For administrator groups: Manage administrator groups
After you add administrators to Citrix Cloud, they can sign in using one of the following methods:
- Navigate to the administrator sign-in URL that you configured when you initially configured Google Cloud as an identity provider. Example:
https://citrix.cloud.com/go/mycompany
- From the Citrix Cloud sign-in page, select Sign in with my company credentials, enter the unique identifier for your company (for example, “mycompany”), and click Continue.
Enable Google Cloud Identity for workspace authentication
- From the Citrix Cloud menu, select Workspace Configuration > Authentication.
- Select Google Cloud Identity. When prompted, select I understand the impact on the subscriber experience and then click Save.
In this article
- Requirements for domain-joined and non-domain-joined configuration
- Authentication with multiple Citrix Cloud accounts
- Prepare Active Directory and Citrix Cloud Connectors
- Sync Active Directory with Google Cloud Identity
- Create a service account
- Create a service account key
- Configure domain-wide delegation
- Add a read-only API user account
- Connect Google Cloud Identity to Citrix Cloud
- Add administrators to Citrix Cloud
- Enable Google Cloud Identity for workspace authentication