Jump to content
Welcome to our new Citrix community!

How can I select the account used for Receiver Native SAML logon?

Recommended Posts


  • I have configured Gateway + AAA + SAML so that I can authenticate with native Workspace App using SAML credentials. IDP is Azure AD.
  • I am logged on to Windows 10 client machine as User A which is connected to Azure AD.
  • I want to authenticate to the target gateway as User B, which is in a different Azure AD tenant.


However as soon as I try to connect to add the store it automatically attempts to sign me in as User A, screenshot below. I am unsure why this is.

Any ideas as to how I can prevent it from guessing which identity to use for the SAML sign-in?





Link to comment
Share on other sites

So, I believe this occurs because the client workstation is Azure AD joined, which causes Windows to attempt SSO using the primary refresh token (PRT). A fiddler trace shows that the following header is included along with the initial SAML request (this header contains the PRT):

URL    : https://login.microsoftonline.com/<tenant>/saml2
Header : x-ms-RefreshTokenCredential

Which has highlighted two issues:

  1. We do not always want to use the user credentials that are bound to Windows to connect to a SAML store
  2. If the workstation is not Azure AD joined then full credentials are required each time Receiver / Workspace App is loaded -- there is no SSO and the username is also not retained

Has anyone come across this and worked around it?

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...