
Citrix Workspace SAML integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

Citrix™ Workspace offers a complete and integrated digital workspace that’s streamlined for IT control and easily accessible for users. Arculix by SecureAuth, as a Citrix Ready Partner and SAML provider, improves the login experience for Horizon users with convenient MFA, and offers a simple way to add Multi-Factor Authentication (MFA) and single sign-on (SSO) to Citrix Workspace via SAML.


Prerequisites

  • Configured Arculix instance and user account with administrative privileges for Arculix.

  • Configured Arculix LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • Two Cloud Connectors deployed to a resource location and joined to your on-premises AD domain. The Cloud Connectors are used to ensure Citrix Cloud can communicate with your resource location.

  • User account with administrative privileges for Citrix Cloud Login.

Connect Cloud Connector to Citrix™ Cloud

The Citrix Cloud Connector is a Citrix component that serves as a channel for communication between Citrix Cloud and your resource locations, enabling cloud management without requiring any complex networking or infrastructure configuration. The Virtual Apps and Desktops service requires the Cloud Connector. Citrix recommends installing two Cloud Connectors for high availability.

  1. Sign in to Citrix Cloud at

  2. From the Citrix Cloud menu, select Identity and Access Management.

  3. From the Authentication tab, in Active Directory, click the ellipsis menu and select Connect.

  4. Click Install Connector to download the Cloud Connector software.

  5. Launch the Cloud Connector installer and follow the installation wizard.

  6. From the Connect to Active Directory page, click Detect. After verification, Citrix Cloud displays a message that your Active Directory is connected. You can then add your virtual apps and desktops resource to Citrix Cloud.

Citrix Workspace™ configuration

In this section, you'll configure Citrix Workspace as a service provider (SP).

  1. Download the SAML metadata and certificate for your organization from Arculix.

    Metadata download: <myorganization>/saml/download/metadata

    View metadata: <myorganization>/saml/metadata

    Certificate download: <myorganization>/saml/download/cert

  2. From the Citrix Cloud menu, select Identity and Access Management.

  3. From the Authentication tab, select the SAML button and then Connect.

  4. In the Configure SAML section, set the following:

    Entity ID

    Enter the Arculix SAML Entity ID from the Arculix metadata downloaded in Step 1.

    For example,

    SSO Provider

    Enter the URL provided by Arculix.

    Binding Mechanism

    Set to Http Redirect.

    SAML Response

    Set to Must Sign Response.

    X.509 Certificate

    Upload the certificate downloaded from Arculix in Step 1.

    Authentication Context

    Set to Unspecified and set Type to Minimum.

  5. Download the SAML Metadata for Arculix configuration.

  6. Click Test and Finish.

Arculix SAML configuration as an Identity Provider (IdP)

In this section, you'll add an application for Citrix Workspace and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

  3. In the New Application form, on the General tab, set the following configurations:


    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, Citrix Cloud.


    Set to SAML Service Provider.

    Out of Band Methods 

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests 

    Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

  4. Select the SAML Service Provider Configuration tab, and set the following configurations:

    Issuer or Entity ID 

    Enter the Issuer/EntityID of your Citrix Cloud instance provided in the Citrix metadata.

    Log in URL 

    Enter the URL used by users to log in to your Citrix Workspace.

    NameID Format 

    Set to Persistent.

    Name Identifier 

    Set to ObjectGUID.

    ACS URL 

    Enter the URL of the service provider where the identity provider will redirect to with its authentication response.

    Single Logout URL

    Enter the URL provided in the Citrix metadata.

  5. Save your changes.

  6. Download your SAML IdP X.509 certificate. Go to [organization identifier]/saml/download/cert to download the cert.pem file containing your certificate.

  7. Download your SAML metadata file. Go to [organization identifier]/saml/download/metadata to download your metadata file.
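
Both configuration forms above are filled in from values inside a metadata file: the Citrix Cloud form takes the Entity ID, the HTTP-Redirect sign-on URL, and the signing certificate from the Arculix metadata, and the Arculix form takes the Entity ID, ACS URL, and Single Logout URL from the Citrix metadata. The following Python sketch is an added example, not SecureAuth or Citrix code. It extracts those values and lets you confirm that the downloaded cert.pem matches the signing certificate published in the metadata. The host names and the certificate bytes are constructed placeholders.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def _endpoints(role, tag):
    """Binding URI -> Location for each <md:tag> endpoint of a role descriptor."""
    return {e.get("Binding"): e.get("Location") for e in role.findall(f"md:{tag}", NS)}

def _sha256_b64(b64_text):
    """SHA-256 of the DER bytes behind (possibly line-wrapped) base64 text."""
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()

def pem_fingerprint(pem_text):
    """Fingerprint of cert.pem, for comparison with the certificate in the metadata."""
    return _sha256_b64("".join(l for l in pem_text.splitlines() if "-----" not in l))

def summarize_metadata(xml_text):
    """Extract the values the two configuration forms ask for."""
    if "<!DOCTYPE" in xml_text:  # SAML metadata never needs a DTD; refuse entity tricks
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected one md:EntityDescriptor")
    out = {"entity_id": root.get("entityID")}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is not None:  # IdP metadata: values for the Citrix Cloud SAML form
        out["sso_redirect_url"] = _endpoints(idp, "SingleSignOnService").get(REDIRECT)
        out["signing_sha256"] = [_sha256_b64(c.text)
            for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")
            for c in kd.findall(".//ds:X509Certificate", NS)]
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is not None:  # SP metadata: values for the Arculix application form
        out["acs_urls"] = _endpoints(sp, "AssertionConsumerService")
        out["slo_urls"] = _endpoints(sp, "SingleLogoutService")
    return out

# Constructed sample: placeholder bytes stand in for a certificate; hosts are example values.
FAKE_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_IDP = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml"><md:IDPSSODescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing">
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </md:KeyDescriptor><md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/saml/sso"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""
if __name__ == "__main__":
    print(summarize_metadata(SAMPLE_IDP))
```

If `pem_fingerprint` of the downloaded certificate is not in `signing_sha256`, the certificate being uploaded is not the one the IdP metadata advertises for signing, and signed responses will fail validation.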

Configure Workspace Authentication Method

  1. From the Citrix Cloud menu, select Workspace Configuration.

  2. From the Citrix Cloud menu, select SAML 2.0.


Test your application integration

  1. Go to your Citrix Workspace URL.

  2. You will be redirected to the Arculix SSO page.

  3. After successful authentication, select your preferred MFA method to approve access to the Citrix Workspace application.

  4. Pass the verification stage on your Arculix Mobile app. You can also scan a QR code with the Arculix Mobile application.

  5. Finally, you will be redirected to the Citrix Workspace portal page via an easy and passwordless authentication method.


If you have questions or need assistance, contact SecureAuth Support.




All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the SecureAuth Corporation.

Citrix, Citrix Cloud, and Citrix Workspace are either registered trademarks or trademarks of Citrix and/or one or more of its subsidiaries in the United States and/or other countries.

Azure, Microsoft and 'Active Directory' are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.