Citrix Workspace SAML integration

Multi-factor authentication (MFA) is an extra layer of security for logging in to websites or apps: users are authenticated through more than one security and validation step, each based on something only they know or have access to. Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

Citrix™ Workspace offers a complete and integrated digital workspace that’s streamlined for IT control and easily accessible for users. Acceptto™, as a Citrix Ready Partner and SAML provider, improves the login experience for Horizon users with convenient MFA and offers a simple way to add multi-factor authentication (MFA) and single sign-on (SSO) to Citrix Workspace via SAML.

Prerequisites

  • An Acceptto account with a configured Identity Provider and LDAP Agent.

    For more information, see the LDAP Agent deployment guide.

  • An organization identifier provided by Acceptto (organization slug).

  • Two Cloud Connectors deployed to a resource location and joined to your on-premises AD domain. The Cloud Connectors are used to ensure Citrix Cloud can communicate with your resource location.

  • A user with administrative privileges for Citrix Cloud Login.

Connect Cloud Connector to Citrix™ Cloud

The Citrix Cloud Connector is a Citrix component that serves as a channel for communication between Citrix Cloud and your resource locations, enabling cloud management without requiring any complex networking or infrastructure configuration. The Virtual Apps and Desktops service requires the Cloud Connector. Citrix recommends installing two Cloud Connectors for high availability.

  1. Sign in to Citrix Cloud at https://citrix.cloud.com.

  2. From the Citrix Cloud menu, select Identity and Access Management.

  3. From the Authentication tab, in Active Directory, click the ellipsis menu and select Connect.

  4. Click Install Connector to download the Cloud Connector software.

  5. Launch the Cloud Connector installer and follow the installation wizard.

  6. From the Connect to Active Directory page, click Detect. After verification, Citrix Cloud displays a message that your Active Directory is connected. You can then add your virtual apps and desktops resource to Citrix Cloud.

Configure Citrix Workspace™ as a SAML Service Provider

  1. Download the SAML metadata and certificate for your organization from Acceptto.

    Download the metadata at https://sso.acceptto.com/<myorganization>/saml/download/metadata or view it at https://sso.acceptto.com/<myorganization>/saml/metadata

    Download the certificate at https://sso.acceptto.com/<myorganization>/saml/download/cert

  2. From the Citrix Cloud menu, select Identity and Access Management.

  3. From the Authentication tab, select the SAML button and then Connect.

  4. In the SAML Configuration form, enter the following Acceptto IdP values.

    • Entity ID - Copy and paste the Acceptto SAML Entity ID from the Acceptto metadata (e.g. https://sso.acceptto.com/)

    • SSO Service Provider - Copy and paste the sign-in URL from Acceptto.

    • Binding Mechanism - Set Binding Mechanism to HTTP Redirect.

    • SAML Response - Set SAML Response to Must Sign Response.

    • X.509 Certificate - Upload the Acceptto X.509 certificate.

    • Authentication Context - Set Authentication Context to Unspecified and set the type to Minimum.

  5. Download the SAML metadata and use it for the Acceptto IdP configuration.

  6. Click Test and Finish.

Acceptto SAML Configuration as Identity Provider

  1. Log in to the Acceptto Dashboard with an administrative account and go to Applications.

  2. Create a new application by selecting Create New Application.

  3. In the New Application form, enter the following values under the General tab.

    • Name - The application name displayed in the admin panel and application portal and used for push notifications and audit logs (e.g. Citrix Cloud)

    • Type - Select "SAML Service Provider" from the options

    • Out of Band Methods - Select the allowed methods for approving MFA requests

    • Message for MFA Requests - Enter the user-facing message for Push, SMS, and email MFA requests (optional)

  4. Under the SAML Service Provider Configuration tab, enter the following values:

    • Issuer or Entity ID – Enter the Issuer/EntityID of your Citrix Cloud instance. This value is available in the metadata downloaded from the Citrix Cloud SAML configuration. (e.g.

    • Sign in URL - The URL used to log in to your Citrix Workspace.

    • NameID Format - Select "Persistent" from the dropdown menu.

    • Name Identifier - Select "ObjectGUID" from the dropdown menu.

    • Assertion Consumer Service (ACS) URL - Enter the URL on the service provider where the identity provider will redirect to with its authentication response.

    • Single Logout URL - Enter the URL which is given in the Citrix Cloud metadata.

  5. Click Save to create the application.

  6. Download your SAML IdP X509 certificate. Go to https://sso.acceptto.com/[organization identifier]/saml/download/cert to download the cert.pem file containing your certificate.

  7. Download your SAML metadata file. Go to https://sso.acceptto.com/[organization identifier]/saml/download/metadata to download your metadata file.
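
The values copied between the two consoles in the sections above all come from SAML metadata, so they can be cross-checked before the forms are saved. The following is an added example, not Acceptto or Citrix code: it reads a metadata file, pulls out the Entity ID, HTTP-Redirect sign-in URL, ACS and Single Logout URLs, and confirms that the downloaded cert.pem is a certificate listed in the IdP metadata. The sample metadata, the idp.example.test URLs, the certificate bytes and all function names are constructed for illustration, and a single EntityDescriptor root is assumed.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def der_fingerprint(b64_text):
    """SHA-256 over the decoded certificate bytes; accepts PEM or bare base64."""
    body = re.sub(r"-----[A-Z ]+-----|\s+", "", b64_text)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def read_metadata(xml_text):
    """Return the fields the two configuration forms ask for (IdP or SP metadata)."""
    root = ET.fromstring(xml_text)  # assumes the root element is one EntityDescriptor
    def locs(tag):
        return {e.get("Binding"): e.get("Location") for e in root.iterfind(f".//md:{tag}", NS)}
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect_url": locs("SingleSignOnService").get(REDIRECT),
        "acs_urls": sorted(locs("AssertionConsumerService").values()),
        "slo_urls": sorted(locs("SingleLogoutService").values()),
        "cert_sha256": sorted({der_fingerprint(c.text) for c in root.iterfind(".//ds:X509Certificate", NS)}),
    }

def check_idp(xml_text, cert_pem):
    """List mismatches between the IdP metadata and what goes into the Citrix form."""
    md, problems = read_metadata(xml_text), []
    if not md["sso_redirect_url"]:
        problems.append("no HTTP-Redirect SingleSignOnService in metadata")
    elif not md["sso_redirect_url"].startswith("https://"):
        problems.append("sign-in URL is not HTTPS")
    if der_fingerprint(cert_pem) not in md["cert_sha256"]:
        problems.append("cert.pem is not a certificate listed in the metadata")
    return problems

# Constructed sample input: placeholder bytes stand in for a real DER certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-placeholder-der-bytes").decode()
SAMPLE_IDP = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/saml/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_CERT_B64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(read_metadata(SAMPLE_IDP), check_idp(SAMPLE_IDP, SAMPLE_PEM))
```

Run against the real files, read_metadata on the Citrix Cloud metadata gives the Entity ID, ACS URL and Single Logout URL for the Acceptto form, and check_idp should return an empty list for the Acceptto metadata and cert.pem.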

Configure Workspace Authentication Method

  1. From the Citrix Cloud menu, select Workspace Configuration.

  2. From the Citrix Cloud menu, select SAML 2.0.


Test your application integration

  1. Go to your Workspace URL. You will be redirected to the Acceptto SSO page.

  2. After successful authentication, you’ll see the Acceptto MFA options. Select your desired method, then pass the verification stage in your It’sMe mobile app. You can also scan a QR code with the Acceptto It’sMe application.

  3. Finally, you will be redirected to the Citrix Workspace portal page via an easy and passwordless authentication method.

Support

If you have questions or need assistance, contact SecureAuth Support.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the SecureAuth Corporation.

Citrix, Citrix Cloud, and Citrix Workspace are either registered trademarks or trademarks of Citrix and/or one or more of its subsidiaries in the United States and/or other countries.

Microsoft and Active Directory are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.