Configuring single sign-on to Citrix Workspace app

Single sign-on using Azure Active Directory

This section explains how to implement single sign-on (SSO) using Azure Active Directory (AAD) as an identity provider with domain joined workloads in hybrid or AAD enrolled endpoints. With this configuration, you can authenticate to Workspace using Windows Hello or FIDO2 on endpoints that are enrolled to AAD.

Note:

If you use Windows Hello, as a standalone authentication, you can achieve single sign-on to Citrix Workspace app. However, you are prompted for your user name and password while accessing published virtual apps or desktops. As a workaround, consider implementing Federated Authentication Service (FAS).

Prerequisites

Configuration

Do the following steps to configure SSO on your device:

  1. Install the Citrix Workspace app using the Windows command line with the includeSSON option:

CitrixWorkspaceApp.exe /includeSSON

  1. Reboot your device.

  2. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.

  3. Go to Administrative Templates > Citrix Components > Citrix Workspace > User Authentication > Local user name and password.

  4. Select Enable pass-through authentication. Depending on the configuration and security settings, select the Allow pass-through authentication for all ICA option for pass-through authentication to work.

  5. Modify the User Authentication settings in Internet Explorer. To modify the settings:

    • Open Internet Properties from the Control panel.
    • Navigate to General Properties > Local Intranet and click Sites.

    • In the Local Intanet window, click Advanced, add trusted sites, add the following trusted sites, and click Close:

      • https://aadg.windows.net.nsatc.net
      • https://autologon.microsoftazuread-sso.com
      • The name of your tenant, for example: https://xxxtenantxxx.cloud.com
  6. Disable extra authentication prompts by disabling the prompt=login attribute in your tenant. For more information, see User Prompted for Additional Credentials on Workspace URLs When Using Federated Authentication Providers. You can contact Citrix technical support to disable the prompt=login attribute in your tenant to successfully configure single sign-on.

  7. Enable domain pass-through authentication on the Citrix Workspace app client. For more information, see Domain pass-through authentication.

  8. Restart the Citrix Workspace app for the changes to take effect.

Single sign-on using Okta and Federated Authentication Service

This section explains how you can implement single sign-on (SSO) using Okta as an identity provider with domain joined device and Federated Authentication Service (FAS). With this configuration, you can authenticate to Workspace using Okta to enable single sign-on and prevent a second logon prompt. For this authentication mechanism to work, you need to use the Citrix Federated Authentication Service with Citrix Cloud. For more information, see Connect Citrix Federated Authentication Service to Citrix Cloud.

Prerequisites

Configuration

Do the following steps to configure SSO on your device:

Connect Citrix Cloud to your Okta organization:

  1. Download and install the Okta Active Directory agent. For more information, see Install the Okta Active Directory agent.

  2. Sign in to Citrix Cloud at https://citrix.cloud.com.

  3. From the Citrix Cloud menu, select Identity and Access Management.

  4. Locate Okta and select Connect from the ellipsis menu.

  5. In Okta URL, enter your Okta domain.

  6. In Okta API Token, enter the API token for your Okta organization.

  7. In Client ID and Client Secret, enter the client ID and secret from the OIDC web app integration you created earlier. To copy these values from the Okta console, select Applications and locate your Okta application. Under Client Credentials, use the Copy to Clipboard button for each value.

  8. Click Test and Finish. Citrix Cloud verifies your Okta details and tests the connection.

Enable Okta authentication for workspaces:

  1. From the Citrix Cloud menu, select Workspace Configuration > Authentication.

  2. Select Okta. When prompted, select I understand the impact on the subscriber experience.

  3. Click Accept to accept the permissions request.

Enable Federated Authentication Service:

  1. From the Citrix Cloud menu, select Workspace Configuration and then select Authentication.

  2. Click Enable FAS. This change might take up to five minutes to be applied to subscriber sessions.

Workspace Configuration page with Enable FAS button highlighted

Afterward, the Federated Authentication Service is active for all virtual app and desktop launches from Citrix Workspace.

Workspace Configuration page with FAS enabled

When subscribers sign in to their workspace and launch a virtual app or desktop in the same resource location as the FAS server, the app or desktop starts without prompting for credentials.

Note:

If all FAS servers in a resource location are down or in maintenance mode, application launches succeed, but single sign-on isn’t active. Subscribers are prompted for their AD credentials to access each application or desktop.

Configuring single sign-on to Citrix Workspace app