Citrix Workspace SAML integration
Multi-Factor Authentication (MFA) is an extra layer of security used when logging in to websites or apps. Users are authenticated through more than one security and validation step, each based on something only they know or have access to.
Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.
Citrix™ Workspace offers a complete and integrated digital workspace that’s streamlined for IT control and easily accessible for users. Arculix by SecureAuth, as a Citrix Ready Partner and SAML provider, improves the user login experience for Horizon users with convenient MFA, and offers a simple way to add Multi-Factor Authentication (MFA) and single sign-on (SSO) to Citrix Workspace via SAML.
Prerequisites
Configured Arculix instance and user account with administrative privileges for Arculix.
Configured Arculix LDAP Agent.
For more information, see the Arculix LDAP Agent deployment guide.
Two Cloud Connectors deployed to a resource location and joined to your on-premises AD domain. The Cloud Connectors are used to ensure Citrix Cloud can communicate with your resource location.
User account with administrative privileges for Citrix Cloud Login.
Connect Cloud Connector to Citrix™ Cloud
The Citrix Cloud Connector is a Citrix component that serves as a channel for communication between Citrix Cloud and your resource locations, enabling cloud management without requiring any complex networking or infrastructure configuration. The Virtual Apps and Desktops service requires the Cloud Connector. Citrix recommends installing two Cloud Connectors for high availability.
Sign in to Citrix Cloud at https://citrix.cloud.com.
From the Citrix Cloud menu, select Identity and Access Management.
From the Authentication tab, in Active Directory, click the ellipsis menu and select Connect.
Click Install Connector to download the Cloud Connector software.
Launch the Cloud Connector installer and follow the installation wizard.
From the Connect to Active Directory page, click Detect. After verification, Citrix Cloud displays a message that your Active Directory is connected. You can then add your virtual apps and desktops resource to Citrix Cloud.
Citrix Workspace™ configuration
In this section, you'll configure Citrix Workspace as a service provider (SP).
Download the SAML metadata and certificate for your organization from Arculix.
Metadata download:
https://sso.acceptto.com/<myorganization>/saml/download/metadata
View metadata:
https://sso.acceptto.com/<myorganization>/saml/metadata
Certificate download:
https://sso.acceptto.com/<myorganization>/saml/download/cert
From the Citrix Cloud menu, select Identity and Access Management.
From the Authentication tab, select the SAML button and then Connect.
In the Configure SAML section, set the following:
Entity ID
Enter the Arculix SAML Entity ID from the Arculix metadata downloaded in Step 1.
For example, https://sso.acceptto.com/.
SSO Provider
Enter the URL provided by Arculix.
Binding Mechanism
Set to Http Redirect.
SAML Response
Set to Must Sign Response.
X.509 Certificate
Upload the certificate downloaded from Arculix in Step 1.
Authentication Context
Set to Unspecified and set Type to Minimum.
Download the SAML Metadata for Arculix configuration.
Click Test and Finish.
Arculix SAML configuration as an Identity Provider (IdP)
In this section, you'll add an application for Citrix Workspace and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.
Log in to Arculix with an administrative account and go to Applications.
Click Create New Application.
In the New Application form, on the General tab, set the following configurations:
Name
Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.
For example, Citrix Cloud.
Type
Set to SAML Service Provider.
Out of Band Methods
Select the allowed methods end users can choose to approve MFA requests.
For example, Arculix Mobile app (push notifications), SMS, or Security Key.
Message for MFA Requests
Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.
Select the SAML Service Provider Configuration tab, and set the following configurations:
Issuer or Entity ID
Enter the Issuer/EntityID of your Citrix Cloud instance provided in the Citrix metadata.
Log in URL
Enter the URL used by users to log in to your Citrix Workspace.
NameID Format
Set to Persistent.
Name Identifier
Set to ObjectGUID.
ACS URL
Enter the URL of the service provider where the identity provider will redirect to with its authentication response.
Single Logout URL
Enter the URL provided in the Citrix metadata.
Save your changes.
Download your SAML IdP X509 certificate. Go to
https://sso.acceptto.com/[organization identifier]/saml/download/cert
to download the cert.pem file containing your certificate.
Download your SAML metadata file. Go to
https://sso.acceptto.com/[organization identifier]/saml/download/metadata
to download your metadata file.
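The values entered in the Citrix Cloud and Arculix forms above come from the two metadata files, so they can be read out and cross-checked instead of copied by hand. The following Python sketch is an added example, not SecureAuth or Citrix code: it returns the Entity ID, the Http Redirect SSO URL (from IdP metadata) or the ACS and Single Logout URLs (from SP metadata), and checks that the downloaded cert.pem is a signing certificate listed in the metadata. The function names, the example.test URLs and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def cert_sha256(pem_or_b64):
    """SHA-256 of the DER bytes in a PEM file or a bare base64 metadata value."""
    b64 = "".join(l.strip() for l in pem_or_b64.splitlines() if "-----" not in l)
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()

def form_values(metadata_xml):
    """Values the SAML forms ask for, read from IdP or SP metadata."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("SAML metadata needs no DTD; refusing to parse one")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    role = idp if idp is not None else sp
    if role is None:
        raise ValueError("no IdP or SP role descriptor found")
    out = {"entity_id": root.get("entityID")}
    if idp is not None:  # Citrix Cloud form: SSO URL for the Http Redirect binding
        out["sso_url"] = next((e.get("Location") for e in idp.findall(
            "md:SingleSignOnService", NS) if e.get("Binding") == REDIRECT), None)
    else:                # Arculix form: ACS URL and Single Logout URL
        for key, tag in (("acs_url", "AssertionConsumerService"), ("slo_url", "SingleLogoutService")):
            el = sp.find("md:" + tag, NS)
            out[key] = el.get("Location") if el is not None else None
    # A KeyDescriptor with no "use" attribute is valid for signing as well.
    out["signing_certs"] = [cert_sha256(c.text or "")
        for kd in role.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")
        for c in kd.iterfind(".//ds:X509Certificate", NS)]
    return out

def cert_matches_metadata(cert_pem, metadata_xml):
    """True when the downloaded cert.pem is a signing certificate in the metadata."""
    return cert_sha256(cert_pem) in form_values(metadata_xml)["signing_certs"]

# Constructed sample: placeholder bytes stand in for a DER certificate.
FAKE_DER_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_IDP = f"""<EntityDescriptor xmlns="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/saml">
 <IDPSSODescriptor><KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_DER_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
 <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/saml/post"/>
 <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/saml/redirect"/></IDPSSODescriptor></EntityDescriptor>"""

if __name__ == "__main__":
    print(form_values(SAMPLE_IDP), cert_matches_metadata(SAMPLE_PEM, SAMPLE_IDP))
```

A False result from cert_matches_metadata means the certificate about to be uploaded is not the one the metadata advertises for signing, which would make signed responses fail validation.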
Configure Workspace Authentication Method
From the Citrix Cloud menu, select Workspace Configuration.
From the Citrix Cloud menu, select SAML 2.0.
Test your application integration
Go to your Citrix Workspace URL.
You will be redirected to the Arculix SSO page.
After successful authentication, select your preferred MFA method to approve access to the Citrix Workspace application.
Pass the verification stage on your Arculix Mobile app. You can also scan a QR code with the Arculix Mobile application.
Finally, you will be redirected to the Citrix Workspace portal page via an easy and passwordless authentication method.
Support
If you have questions or need assistance, contact SecureAuth Support.
Disclaimer
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the SecureAuth Corporation.
Citrix, Citrix Cloud, and Citrix Workspace are either registered trademarks or trademarks of Citrix and/or one or more of its subsidiaries in the United States and/or other countries.
Azure, Microsoft and 'Active Directory' are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.