Enable Federated Authentication Service for a tenant customer
This article describes the steps to enable Federated Authentication Service (FAS) in multitenant Managed Service Provider (MSP) environments. For more information, see Reference Architecture: Citrix Service Provider DaaS.
Prerequisites
- You have administrator access to Domains and Resource Location on Citrix Cloud. For more information, see Modify administrator permissions.
- You have set up a tenant-MSP relationship. For more information, see Citrix DaaS for Citrix Service Providers.
Configure the MSP customer
- Use a Cloud Connector to make Active Directory domains available to Citrix Cloud.
  Connect the on-prem infrastructure to Citrix Cloud by installing Cloud Connectors.
  Verify that the domains associated with the on-prem domain controller are listed under Identity and Access Management > Domains.
- Federate the domain to the tenant.
  Select the domain, click the drop-down menu (…), and click Manage Federated Domains.
  Find the tenant, click +, and then click Apply.
- Verify that the federated domains are present in the tenant.
  This step is optional. Sign in to the console for the tenant customer and verify that the domains are listed under Identity and Access Management > Domains.
  Return to the MSP customer.
- Install and register a FAS server with Citrix Cloud.
  Install FAS in the Active Directory (AD) forest where the tenant’s Citrix Virtual Apps and Desktops resources are located. Connect FAS to the cloud resource location associated with that AD forest. To install a FAS server, see Install and configure.
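Before installing the FAS server, it is worth confirming on the candidate host that it really sits in the tenant's AD forest and can reach a domain controller for the federated domain, since FAS issues certificates on behalf of users in that forest. The following PowerShell check is an added example and is not part of the Citrix article or the FAS product; it uses only the Windows ActiveDirectory and NetTCPIP modules (assumed installed via RSAT), and the tenant domain name is a constructed placeholder that you replace with the domain you federated in the previous step.

```powershell
# Added example (not from the Citrix article): pre-installation sanity check
# for a candidate FAS host. Assumptions: the ActiveDirectory module (RSAT) is
# present, and $TenantDomain is the AD domain you federated to the tenant.
param(
    # Constructed placeholder; replace with the federated tenant domain.
    [string]$TenantDomain = "tenant.example.com"
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. The host must be domain-joined: FAS must live inside the tenant's AD forest.
$computer = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $computer.PartOfDomain) {
    throw "This host is not domain-joined; FAS must be installed in the tenant's AD forest."
}

# 2. The host's forest must be the same forest that holds the tenant domain.
$localForest  = (Get-ADForest).Name
$tenantDomain = Get-ADDomain -Identity $TenantDomain -ErrorAction Stop
if ($tenantDomain.Forest -ne $localForest) {
    throw "Host forest '$localForest' differs from tenant domain forest '$($tenantDomain.Forest)'."
}

# 3. A domain controller for the tenant domain must be reachable over LDAP,
#    because FAS looks up users and the enterprise CA through AD.
$dc = Get-ADDomainController -DomainName $TenantDomain -Discover -ErrorAction Stop
$dcHost = [string]$dc.HostName[0]
if (-not (Test-NetConnection -ComputerName $dcHost -Port 389 -InformationLevel Quiet)) {
    throw "LDAP (TCP 389) on $dcHost is not reachable from this host."
}

# 4. The host's own secure channel to its domain must be healthy, or the FAS
#    service will not be able to authenticate to AD after installation.
if (-not (Test-ComputerSecureChannel)) {
    throw "Secure channel to the domain is broken; run Test-ComputerSecureChannel -Repair."
}

# Summary of what was verified.
[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    Forest           = $localForest
    TenantDomain     = $TenantDomain
    DomainController = $dcHost
    ReadyForFas      = $true
}
```

Run it as a domain user on the server you intend to install FAS on. Any failed check throws with the reason, so it can be dropped into a build script that should stop before the FAS installer runs.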
Configure the tenant customer
Enable FAS for the tenant customer
- Configure your Identity Provider (IdP).
  Switch to the tenant customer. Go to Identity and Access Management > Authentication. Connect to your IdP and ensure that AD is synchronized with the IdP.
- Enable FAS for the tenant.
  Go to Workspace Configuration > Authentication. Select the authentication method that you set up and enable FAS.
Known issue
There is a known problem when an MSP domain is deleted before its federated domains are removed from the tenants. You can still enable FAS for the tenants, but FAS fails because the domain no longer exists for the MSP.