SSO with AAD joined device, and AAD enabled Workspace

In this article, I'd like to discuss a specific detail I've learned about Citrix Cloud and Azure AD. Since nobody could answer my original question, I had to open a support case.

Question

First, in Citrix Cloud under Workspace Configuration, I set the authentication method to Azure Active Directory.

If I now have an AAD joined device, log in to that device with an AAD user and open the workspace URL, should the user be able to log in without authenticating again (SSO)?

Test procedure

1: Log in with an AAD account on an AAD joined device, open a browser in incognito mode, open myapps.microsoft.com -> login prompt from AAD, then open another AAD-enabled SaaS service -> SSO

2: Log in with an AAD account on an AAD joined device, open a browser, open myapps.microsoft.com -> SSO, then open xyz.cloud.com -> login prompt from AAD

3: Log in with an AAD account on an AAD joined device, open a browser in incognito mode, open myapps.microsoft.com -> login prompt from AAD, then open xyz.cloud.com -> login prompt from AAD

4: Log in with an AAD account on an AAD joined device, open a browser in incognito mode, open xyz.cloud.com -> login prompt from AAD, then open myapps.microsoft.com -> SSO

The first test confirms that SSO works in general between AAD and another AAD-enabled SaaS service. But in every other test involving Citrix Cloud, I had to log in at the workspace login prompt.

Support Case

In the end, Citrix Support told me that SSO is possible. The credential prompt is simply forced by default.

“When we browse to the Citrix URL, in its web form, prompt=login is set. This means the user will be forced to enter credentials even if they have a valid token issued by AD.”

“We can change this behavior by removing this specific parameter from the web form. For this we need to make a change at the backend for the respective customer. So the customer would need to raise a request with us and then the change will be made.”
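The support answer above comes down to one OpenID Connect parameter. To make that concrete, here is an added example (my own, not Citrix's or Microsoft's code) that takes the authorization request a browser sends to the Azure AD `authorize` endpoint and reports whether it will break SSO. The two sample URLs are constructed: the tenant name, client ID and redirect URI are placeholders, and only the presence or absence of `prompt=login` matters. The `prompt` semantics are those defined in OpenID Connect Core 1.0, section 3.1.2.1.

```python
from urllib.parse import urlparse, parse_qs

# Semantics of the OpenID Connect "prompt" request parameter (OIDC Core 1.0, 3.1.2.1).
# The value is a space-separated list; "login" is the one that defeats SSO.
PROMPT_BEHAVIOUR = {
    "none": "no UI allowed; fails with an error unless the user already has a session",
    "login": "identity provider must re-authenticate the user even with a valid session",
    "consent": "identity provider must ask for consent before returning to the client",
    "select_account": "identity provider must let the user pick an account",
}


def analyze_authorize_request(url: str) -> dict:
    """Inspect an OIDC/OAuth2 authorization request and say whether silent SSO is possible.

    Returns a dict with the relevant request fields and a verdict. A request that
    carries prompt=login can never complete silently, no matter how fresh the
    user's Azure AD session is; that is exactly the behaviour seen in tests 2 to 4.
    """
    parsed = urlparse(url)
    params = parse_qs(parsed.query)

    # Azure AD v2 endpoints look like /{tenant}/oauth2/v2.0/authorize; the first
    # path segment is the tenant (GUID, domain, "common", or "organizations").
    path_parts = [p for p in parsed.path.split("/") if p]
    tenant = path_parts[0] if path_parts else ""

    # parse_qs returns lists; prompt may hold several space-separated values.
    prompt_raw = params.get("prompt", [""])[0]
    prompt_values = prompt_raw.split()
    forces_reauth = "login" in prompt_values

    return {
        "issuer_host": parsed.netloc,
        "tenant": tenant,
        "client_id": params.get("client_id", [""])[0],
        "redirect_uri": params.get("redirect_uri", [""])[0],
        "prompt": prompt_values,
        "prompt_meaning": [PROMPT_BEHAVIOUR.get(v, "unknown value") for v in prompt_values],
        "forces_reauth": forces_reauth,
        "sso_possible": not forces_reauth,
        "explanation": (
            "prompt=login is set: the user is always asked for credentials"
            if forces_reauth
            else "no prompt=login: an existing Azure AD session can be reused (SSO)"
        ),
    }


# Constructed sample requests (placeholder tenant, client ID and redirect URI).
AUTHORIZE_BASE = "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize"
COMMON_PARAMS = (
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fxyz.cloud.com%2Fauth%2Fcallback"
    "&scope=openid%20profile"
    "&state=constructed-state"
)
# What the tests in this article observed: the default web form adds prompt=login.
DEFAULT_REQUEST = AUTHORIZE_BASE + COMMON_PARAMS + "&prompt=login"
# What support can change it to: the same request without the prompt parameter.
ADJUSTED_REQUEST = AUTHORIZE_BASE + COMMON_PARAMS


if __name__ == "__main__":
    for label, req in (("default", DEFAULT_REQUEST), ("adjusted", ADJUSTED_REQUEST)):
        verdict = analyze_authorize_request(req)
        print(f"{label:>8}: prompt={verdict['prompt']} -> {verdict['explanation']}")
```

To apply this to a real tenant, capture the redirect from the workspace URL to `login.microsoftonline.com` in the browser's network tools and pass that URL to `analyze_authorize_request`; if `prompt=login` shows up, the login prompt is expected behaviour and not a problem with the device join or the AAD session.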

Conclusion

By default, SSO does not work with Azure AD, but this can be changed via a support case. Unfortunately, I could not test the change myself, because the customer decided on a different solution, but I'd welcome feedback from anyone who has tested it.