Before proceeding, you should make sure that you have the following steps completed:
- In your Active Directory lab environment, set up a Citrix Connector
- Set up the Identity and Access Management for SAML 2.0 (Tech Preview) in Citrix Workspace
- Set the Workspace Configuration to use SAML 2.0 (Tech Preview) in the Citrix Workspace
- Create and configure a Generic SAML integration in the Trusona Dashboard to work with Citrix Workspace
2. Configuring SAML
2.1. Create the SAML integration
- Navigate over to the Trusona Dashboard and log into your account
- From your Trusona account dashboard, click on the Generic SAML tab from the navigation menu on the left side of the page
- On the Generic SAML Integrations page, click on Create SAML integration
- Enter all the information requested and upload the required certificate. Once finished, click on Save
- You will be redirected back to the Generic SAML Integrations page and should now be able to see your newly created integration.
- Click on the Actions button to the right, and select Download Certificate and View metadata XML to obtain the information needed.
2.2. Configure Citrix
Once you have created a SAML integration using Trusona, and obtained the Certificate and XML metadata you can begin configuring Citrix.
- Log into a Citrix Workspace Admin Account
- From the main dashboard page, click on the hamburger icon in the upper left-hand corner and select the Identity & Access Management option
- At the bottom of the new page, locate the section labeled SAML 2.0, click on the 3 dot icon and select Connect
- You will be taken to a new SAML configuration page; leave this tab open
- Fill out all of the required fields for the SAML Configuration Page and upload all required documents
The SAML metadata file you downloaded from the Trusona Dashboard will have all the information you need to complete the configuration in Citrix.
- The IdP metadata has an entityID attribute with a value assigned to it. This is the Entity ID field value for the SAML Configuration Page
The Sign Authentication Request setting will depend on your company's policies. Signing is recommended if your company does not restrict requests by whitelisting, because it lets the IdP reject authentication requests that did not originate from your Citrix Workspace.
The SSO Service URL comes from the IdP metadata: it is the Location of the SingleSignOnService entry.
Binding Mechanism supports either Post or Redirect; choose the one that matches the SingleSignOnService entry you took the URL from.
The SAML Response value MUST MATCH the configuration value for your IdP. Failure to do so will cause Citrix Workspace to reject any responses. Generally speaking, it is more secure to sign the entire response instead of the assertion alone.
- Select the SSO tab from the navigation bar on the left
- Set the SAML Signature Algorithm to SHA-256
- Under x509 certificate, click on View Details
- Click on the Download button to obtain your X.509 cert PEM
- Now upload the X.509 PEM file to Citrix Workspace
- Select the Authentication Context and the level of specificity you want to enforce
- Enter the Logout URL. Match this value with your IdP Metadata. Please note that Citrix Workspace only supports logout Redirect
- Enter the names of the SAML attributes that carry the user's SID, UPN, Email, and OID. These must match the attribute names the Trusona integration sends, or the user cannot be matched to the imported account
- Select Test and Finish, and you should receive a notification that SAML was enabled successfully
- From the sidebar navigation menu, click on Workspace configuration, then select the Authentication tab
- Select SAML (Tech Preview)
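The Citrix fields above (Entity ID, SSO Service URL, Binding, Logout URL, signing certificate) are all read from the IdP metadata XML, and the SAML Response setting and attribute names have to agree with what the IdP actually sends. The script below is an added example, not code from Trusona or Citrix: it pulls those values out of IdP metadata, wraps the certificate as the PEM file Citrix expects, keeps only a Redirect logout endpoint (the only logout binding Citrix Workspace supports), and inspects a SAML Response to see whether the Response, the Assertion, or both are signed and with which algorithm. The metadata, the response, the entityID, the URLs, the certificate body and the attribute names `sid`, `upn`, `email`, `oid` are all constructed placeholders; substitute the metadata you downloaded from the Trusona Dashboard and the attribute names your integration is configured with.

```python
"""Added example: derive Citrix Workspace SAML settings from IdP metadata and
sanity-check a SAML Response. Signature *presence* is reported, not verified;
cryptographic verification is the service provider's (Citrix's) job."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Assumed attribute names; use the names your Trusona integration sends.
REQUIRED_ATTRS = ("sid", "upn", "email", "oid")

# Constructed sample IdP metadata (not real Trusona output): entityID, URLs
# and the certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBxzCCAXCgAwIBAgIUPLACEHOLDERCERTIFICATEBODY</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/logout-post"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML Response: the Response is signed with RSA-SHA256, the
# Assertion with the weaker RSA-SHA1. Signature values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
      Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod
        Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="sid"><saml:AttributeValue>S-1-5-21-1-2-3-1001</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="upn"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="oid"><saml:AttributeValue>0f1e2d3c-0000-4000-8000-000000000001</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def to_pem(b64_body):
    """Wrap the bare base64 from <ds:X509Certificate> as a PEM file Citrix can upload."""
    body = "".join(b64_body.split())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def citrix_settings(metadata_xml, binding=POST):
    """Return the values the Citrix SAML configuration page asks for."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if binding not in sso:
        raise ValueError(f"IdP does not offer single sign-on over {binding}")
    # Citrix Workspace only supports Redirect for logout, so other bindings are ignored.
    logout = [s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)
              if s.get("Binding") == REDIRECT]
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no "use" means signing and encryption
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                certs.append(to_pem(cert.text))
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso[binding],
            "binding": "Post" if binding == POST else "Redirect",
            "logout_url": logout[0] if logout else None, "signing_cert_pem": certs[0]}


def response_signing(response_xml):
    """Signature algorithm on the Response and on the Assertion (None = unsigned)."""
    root = ET.fromstring(response_xml)

    def algorithm(element):
        if element is None:
            return None
        method = element.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        return method.get("Algorithm") if method is not None else None

    return {"response": algorithm(root), "assertion": algorithm(root.find("saml:Assertion", NS))}


def attributes(response_xml):
    """Attribute name -> first value, to compare against the names entered in Citrix."""
    root = ET.fromstring(response_xml)
    out = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        out[attr.get("Name")] = value.text if value is not None else None
    return out


def missing_attributes(response_xml, required=REQUIRED_ATTRS):
    return [name for name in required if name not in attributes(response_xml)]


if __name__ == "__main__":
    for key, value in citrix_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value.strip() if isinstance(value, str) else value}")
    print("signatures:", response_signing(SAMPLE_RESPONSE))
    print("missing attributes:", missing_attributes(SAMPLE_RESPONSE))
```

If `response_signing` reports `None` for the Response but an algorithm for the Assertion, the IdP signs the assertion only, and the SAML Response setting in Citrix has to say so or every login will be rejected; an algorithm ending in `rsa-sha1` means the IdP side was not set to SHA-256 as the steps above require. A response that has been base64-decoded from an `HTTP-POST` form field can be passed straight to these functions.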
3. Syncing users
User details need to be exported from Active Directory and imported to Trusona in order for the integration to properly identify users during the authentication process.
3.1. Exporting users from Active Directory
- Access your Active Directory instance
- Download the most recent version of the Trusona Citrix exporter
- Extract the zip file and run the
- When prompted for the group, choose a group to narrow the export or leave it blank to export all users
A CSV file is created by the exporter and saved in the same directory.
3.2. Importing users to Trusona
- Navigate to the Trusona Dashboard and log in
- Click Generic SAML Integrations in the side bar
- Locate the Citrix Integration you created and click on the Actions button
- From the dropdown menu, click on Import Accounts
- Click on the Choose File option, and select the account CSV that was created by the exporter
- Click on Import Account CSV.
You will now see the accounts imported with a status of Added or Updated.
3.3. Accessing Citrix Workspace with Trusona
Open a new private browsing session and navigate to your Citrix Workspace URL. You will be prompted to log into the account using the Trusona App.