Jump to content
Welcome to our new Citrix community!
  • 0

Citrix cloud SSO & Passthrough Authentication workspace and on prem Active Directory

Whit Freer


I'm looking for help figuring out how to get domain joined windows PCs with workspace installed with SSON and pass logon credentials from the PC through workspace through citrix cloud. 


We've have this perfectly working now with everything citrix on premise. That is user logs in to PC AD joined, workspace loads, workspace automatically logs in as the user and launches a full desktop VDI, without the user having to ever put credentials into workspace, ever.


I have workspace properly pointing to https://ourcustomdomain.cloud.com, but the username & password prompt appears in workspace. If the user type their current AD username & password into workspace is does authenticate with the right AD credentials. So, we have the AD / cloud configuration right, I just want to keep the same experience we have now where the user doesn't enter anything into workspace at all.

Link to comment

7 answers to this question

Recommended Posts

  • 0

Thanks for the quick reply and information. Looking at the table I'm not sure which method works best (I don't exactly see which one would apply in our case). Which IdP would work?


We have:

  • citrix cloud
  • citrix cloud connectors on prem
  • AD  on prem (not AAD/Azure)
  • users AD credentials do work in workspace & citrix cloud.com webpage (web interface to virtual apps/desktops)

Issues & what we don't have

  • don't have on prem citrix gateway or citrix netscaler - only cloud connectors
  • don't have azure AD
  • don't have storefront (not available on citrix cloud & we don't have on prem)

Thanks for any further insight.

Link to comment
  • 0
On 1/13/2023 at 3:03 PM, Carl Stalhood1709151912 said:

Can we accomplish SSON with workspace authentication set to  Azure AD using Netscaler onPrem? 
NetScaler onPrem will be used as SP and Azure AD as IDP?
NetScaler will be configured with nFactor Azure AD and LDAP to onPrem DC? 

Link to comment
  • 0
12 hours ago, Carl Stalhood1709151912 said:

SAML does not provide the user's password to Citrix. To SSON to VDA, you either need user's password or use certificates. FAS generates certificates instead of using the user's password since the user's password is not available.


Carl, SSON to VDA currently works with  our onPrem setup with Azure MFA  (NO FAS ), SF and NS are onPrem. 

First Factor is SAML auth and second factor is LDAP with no_authentication. 


We have also configured Name suffix routing in our multi forest setup.

onPrem NS Setup:

Citrix GW VS: xyz.com
Auth Profile: SAML_Azure_MFA
Auth VS: Azure_Auth_VS

Auth Policy: SAML_Azure_Auth_Pol    
Action: SAML_AuthServer
Next Factor: PreFillUserName

Policy Label: PreFillUserName
Policy Name: LDAP-SSON_POL

Authentication is disabled

Traffic Policy:
SSON to SF Server
SSON set to ON

 will this work with Citrix cloud if we configure storefront server / NS onPrem?  


I have also tried steps in this article to setup SSON to VDA but it did not work. 


Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...