  • Azure Entra ID Single Sign-On for the Citrix Workspace App on macOS


    In this guide, we'll walk you through the steps to configure Entra ID SSO for the Citrix Workspace app on macOS, enabling streamlined access to Citrix-hosted resources.

    Prerequisites

    1. Citrix Workspace app (CWA) for macOS, version 2402 or above
    2. Azure Entra ID (formerly Azure AD) authentication for your Citrix Workspace - https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/connect-azure-ad.html
    3. Microsoft Enterprise SSO plug-in for Apple devices (published via Intune) - https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin
    4. Disable Federated Identity Provider Sessions on Citrix cloud - https://support.citrix.com/article/CTX253779/user-prompted-for-credentials-on-workspace-urls-when-using-federated-authentication-providers

    Configuration

    Configuring single sign-on (SSO) for Citrix Workspace App on macOS involves several steps. Let’s walk through the process:

    1. CWA must be version 2402 or above so that the web browser used for authentication can be set to the system browser with private sessions. This can be done with a terminal command or through the Global App Config Service.
    • Terminal command line:

    defaults write com.citrix.receiver.nomas WebBrowserForAuthentication SystemWithPrivateSession

    • Global App config Service: Web Browser for Authentication
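
    An added example (not from the original article or from Citrix): a shell function that applies the terminal command above only when the preference is missing or different, then re-reads it to confirm the change. The function names are hypothetical; the domain, key and value are the ones shown above.

```shell
#!/bin/sh
# Added example: idempotently set and verify the CWA authentication-browser
# preference from step 1. Domain, key and value are the ones on this page;
# function names are hypothetical.
DOMAIN="com.citrix.receiver.nomas"
KEY="WebBrowserForAuthentication"
WANT="SystemWithPrivateSession"

# Print the current value, or nothing if the key is absent
# (`defaults read` exits non-zero when the key or domain does not exist).
current_auth_browser() {
    defaults read "$DOMAIN" "$KEY" 2>/dev/null || true
}

# Return 0 when the preference already has the wanted value, 1 otherwise.
auth_browser_compliant() {
    [ "$(current_auth_browser)" = "$WANT" ]
}

# Write the value only when needed, then re-read it to confirm.
# Returns 0 on success, 2 if the write failed, 3 if the re-read disagrees.
ensure_auth_browser() {
    # `defaults` acts on the invoking user's preferences, so a run as root
    # does not change the signed-in user's setting.
    [ "$(id -u)" -ne 0 ] || echo "warning: running as root, not the signed-in user" >&2
    if auth_browser_compliant; then
        echo "ok: $KEY already $WANT"
        return 0
    fi
    echo "fixing: $KEY was '$(current_auth_browser)'"
    defaults write "$DOMAIN" "$KEY" "$WANT" || return 2
    auth_browser_compliant || return 3
    echo "ok: $KEY set to $WANT"
}

# Apply only when asked, so the file can also be sourced for the check alone.
if [ "${1:-}" = "--apply" ]; then
    ensure_auth_browser
fi
```

    When this is pushed as a management script rather than typed in Terminal, it has to run in the signed-in user's context for the preference to reach the CWA session.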

    2. Azure Entra ID (formerly Azure AD) must be the identity provider configured for your Citrix Cloud deployment - https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/connect-azure-ad.html

     

     

    3. Entra ID SSO for macOS requires the Mac to be MDM-managed by Intune, with the SSO app extension for Entra ID deployed via a configuration profile.

    Manage macOS devices in Microsoft Intune - Deployment guide https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-platform-macos

     

    3.1 CWA will use the Entra ID SSO plug-in deployed through Intune to achieve SSO when opening the app.

    Microsoft Enterprise SSO plug-in for Apple devices (published via Intune) official documentation https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin



     


     

    3.2 These are the summarized steps and the official Microsoft documentation links I used to configure this integration:

    1. Prerequisites:

    • Ensure Intune manages your macOS devices.


     

    • Verify that the devices support the Microsoft Enterprise SSO plug-in (macOS 10.15 and newer).
    • Install and configure the Microsoft Company Portal app on the devices.
    2. Create a Configuration Profile:
    • In Intune, go to Devices > macOS > Configuration profiles.
    • Create a new configuration profile with the following settings:
      • Profile type: Templates > Device features.
      • Expand the Single sign-on app extension pane.
      • Select Microsoft Entra ID from the SSO app extension type dropdown menu.


    3. Configure the SSO App Extension:
    • Specify any additional settings required for your environment. For this POC, we selected Entra ID.
    • Be cautious when allowing apps, as they’ll bypass interactive sign-in prompts for the signed-in user.
    4. Assign the Configuration Profile:
    • Assign the configuration profile to the relevant user or device groups in Intune.
    5. Test SSO:
    • Verify that users can log in to Office 365 apps and websites using Entra ID without repeated authentication prompts.

     

    4. Another requirement is to disable Federated Identity Provider Sessions - https://support.citrix.com/article/CTX253779/user-prompted-for-credentials-on-workspace-urls-when-using-federated-authentication-providers

    Workspace Configuration > Customize > Preferences - Federated Identity Provider Sessions


    IMPORTANT: 
    Customers should consult their internal security teams before requesting an exception to determine which settings are best for their environment and security posture.

     

    Once all the Microsoft configurations are valid and you can experience SSO to any Entra ID application like Outlook or Teams, the Citrix Workspace app should achieve seamless Single Sign On.

    Troubleshoot: If any issues arise during testing, refer to Entra ID's documentation or contact the Microsoft support team at https://support.microsoft.com/en-gb for assistance.

     

    Conclusion

    By configuring Entra ID Single Sign-On for the Citrix Workspace app on macOS, organizations can enhance security and user experience while simplifying access to critical resources. With streamlined authentication processes and centralized access management, Entra ID SSO empowers users to navigate their digital workspace efficiently and securely.

