Single sign-on for Citrix Workspace app using Microsoft Azure as the IdP

You can configure Security Assertion Markup Language (SAML) single sign-on (SSO) for ChromeOS devices. Use Microsoft Entra ID (formerly known as Azure Active Directory) as a SAML IdP and Google Admin as the service provider (SP).

You can configure this feature for managed users only. We have added Citrix VMs to the local Active Directory (AD) that are created on Azure, as a use case. If you have on-premises AD-based VMs on Azure and Microsoft Entra ID users, follow this article.

Prerequisites

The following prerequisites require administrator privileges:

  • Active Directory (AD)

    Install and configure an Active Domain Controller in your setup. For more information, see Installing AD DS by using Server Manager. To install Active Directory Domain Services using Server Manager, follow the steps 1 through 19.

  • Certificate Authority (CA)

    Install CA. For more information, see Install the Certification Authority.

    A certificate authority can be installed and configured on any of the following machines:

    • a new dedicated machine
    • an existing CA machine
    • an installation of this certificate authority component on Citrix Cloud Connector
    • the Active Directory machine
  • Citrix Cloud and Citrix Cloud Connector

    If you’re new to Citrix Cloud, define a Resource Location, and have the connectors configured. It’s recommended you have at least two cloud connectors deployed in production environments. For information on how to install Citrix Cloud Connector, see Cloud Connector Installation.

  • Global administrator account on Azure portal

    You must be a global administrator in Microsoft Entra ID. This privilege helps you to configure Citrix Cloud to use the Entra ID as an IdP. For information on the permissions that Citrix Cloud requests when connecting and using Entra ID, see Azure Active Directory Permissions for Citrix Cloud.

  • Federated Authentication Service (optional).

    For more information, see Enable single sign-on for workspaces with Citrix Federated Authentication Service.

  • Global administrator account on Google admin console

  • Citrix Workspace app

Get started

To get started, do the following:

  • Join all the machines to the Domain before you configure the installed software or Roles on them.

  • Install the Citrix Cloud Connector software on the respective machine, but don’t configure anything yet.

  • Install the Citrix FAS on the respective machine, but don’t configure anything yet.

How to configure Citrix Cloud to use Azure AD as an IdP

Note:

Make sure you fulfill all the prerequisites.

  1. To connect Entra ID to Citrix Cloud, see Connect Azure Active Directory to Citrix Cloud.

  2. To add administrators to Citrix Cloud from Entra ID, see Add administrators to Citrix Cloud from Azure AD.

  3. To sign in to Citrix Cloud using Entra ID, see Sign-in to Citrix Cloud using Azure AD.

  4. To enable advanced Entra ID capabilities, see Enable advanced Azure AD capabilities.

  5. To reconnect to Entra ID for the updated app, see Reconnect to Azure AD for the updated app.

  6. To reconnect Entra ID, see Reconnect to Azure AD for the updated app.

  7. To sync accounts with Entra ID Connect, see Sync accounts.

    It’s recommended you sync your on-premises AD accounts with the Entra ID.

    Note:

    Disable the login prompt for Federated Identity Provider Sessions in the Citrix Workspace Configuration. Federated Identity Provider

Set up SSO and user provisioning between Microsoft Azure and ChromeOS on the Azure portal

After you set up the provisioning of SSO between a Microsoft Entra ID tenant and Google for ChromeOS, end users can sign in to an Azure authentication page instead of the Google sign-in screen on their ChromeOS devices.

For more information, see:

and

To set up SSO on the Azure portal:

  1. Create an enterprise application in the Microsoft Entra ID portal. For more information, see step 1 in the Google article Set-up SSO and user provisioning between Microsoft Azure and ChromeOS.

SSO Azure

  1. Assign a user or multiple users to the enterprise application that you created in step 1. For more information, see step 2 in the Google article Set-up SSO and user provisioning between Microsoft Azure and ChromeOS.

  2. Set up SSO with SAML. For more information, see step 3 in the Google article Set-up SSO and user provisioning between Microsoft Azure and ChromeOS.

    Note:

    It’s recommended you change the Basic SAML configuration after the creation of the SAML policy in the Google Admin policy.

    After you set up URLs on the Azure portal for SAML-based single sign-on, the application appears as follows.

    SSO Azure SAML

Validation Checkpoint

When you enter the store URL, the Azure IdP’s sign-in page must appear. If unsuccessful, revisit the Set-up SSO and user provisioning between Microsoft Azure and ChromeOS on the Azure Portal steps.

Configure SAML SSO profile with Google Admin Console

Validation Checkpoint

Using the Chromebook, you must be able to sign in to Citrix Workspace app using Azure credentials. When you enter the store URL in the browser, you must be able to sign in.

Configure SSO for Citrix Workspace app for ChromeOS using SAML SSO Chrome extension

To configure SSO using the SAML extension, do the following:

  1. Install and configure SAML SSO for the Chrome app extension on Chrome devices.

    To install the extension, click SAML SSO for Chrome Apps.

  2. The extension retrieves SAML cookies from the browser and provides them to the Citrix Workspace app for ChromeOS.

  3. Configure the extension with the following policy to allow Citrix Workspace app to get SAML cookies. The following is the JSON data:

    {
    "whitelist": {
        "Value": [
            {
                "appId": "haiffjcadagjlijoggckpgfnoeiflnem",
                "domain": "login.microsoftonline.com"
            }
        ]
    }
    }
    <!--NeedCopy-->
    

Validation Checkpoint

When you start Citrix Workspace app with Azure IdP store and SSO extension, your sign-in to the Citrix Workspace app must be successful.

Deploy FAS to achieve SSO to virtual apps and desktops

To achieve SSO for virtual apps and desktops, you can deploy a Federated Authentication Service (FAS).

Note:

Without FAS, you’re prompted for the Active Directory user name and password. For more information, see Enable single sign-on for workspaces with Citrix Federated Authentication Service.