Integrating Trusona and Citrix Workspace

This guide details the steps required to configure Trusona as a passwordless authentication solution for your Citrix Workspace instance.

1. Prerequisites

Before proceeding, make sure you have completed the following steps:

  1. In your Active Directory lab environment, set up a Citrix Connector
  2. Set up the Identity and Access Management for SAML 2.0 (Tech Preview) in Citrix Workspace
  3. Set the Workspace Configuration to use SAML 2.0 (Tech Preview) in the Citrix Workspace
  4. Create and configure a Generic SAML integration in the Trusona Dashboard to work with Citrix Workspace

2. Configuring SAML

2.1. Create the SAML integration

  1. Navigate over to the Trusona Dashboard and log into your account
  2. From your Trusona account dashboard, click on the Generic SAML tab from the navigation menu on the left side of the page
  3. On the Generic SAML Integrations page, click on Create SAML integration
  4. Enter all the information requested and upload the required certificate. Once finished, click on Save
  5. You will be redirected back to the Generic SAML Integrations page and should now be able to see your newly created integration.
  6. Click on the Actions button to the right, and select Download Certificate and View metadata XML to obtain the information needed.

2.2. Configure Citrix

Once you have created a SAML integration using Trusona and obtained the Certificate and XML metadata, you can begin configuring Citrix.

  1. Log into a Citrix Workspace Admin Account
  2. From the main dashboard page, click on the hamburger icon in the upper left-hand corner and select the Identity & Access Management option
  3. At the bottom of the new page, locate the section labeled SAML 2.0, click on the three-dot icon, and select Connect
  4. You will be taken to a new Configuration page for SAML. Leave this tab open
  5. Fill out all of the required fields for the SAML Configuration Page and upload all required documents

The SAML metadata file you downloaded from the Trusona Dashboard will have all the information you need to complete the configuration in Citrix.

  • The IDP metadata will have an entityID with a value assigned to it. This is the Entity ID field value for the SAML Configuration Page
  • The Sign Authentication Request will depend on your company's policies. It is recommended that you use signing if your company does not use whitelisting
  • The SSO Service URL will come from the IDP metadata.
  • Binding Mechanism supports either Post or Redirect
  • The SAML Response value MUST MATCH the configuration value for your IDP. Failure to do so will cause Citrix Workspace to reject any responses. Generally speaking, it is more secure to sign the entire response, instead of the assertion alone.
  • Select the SSO tab from the navigation bar on the left
  • Set the SAML Signature Algorithm to SHA-256
  • Under x509 certificate, click on View Details
  • Click on the Download button to obtain your X.509 cert PEM
  • Now upload the X.509 PEM file to Citrix Workspace
  • Select the Authentication Context and the level of specificity you want to enforce
  • Enter the Logout URL. Match this value with your IdP Metadata. Please note that Citrix Workspace only supports the Redirect binding for logout
  • Enter the value of the attributes that will provide the SID, UPN, Email, and OID of the user
  • Select Test and Finish, and you should receive a notification that SAML was enabled successfully
  • From the sidebar navigation menu, click on Workspace configuration, then select the Authentication tab
  • Select SAML (Tech Preview)
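
Added example (not Trusona or Citrix code): reading the Entity ID, SSO Service URL, Redirect logout URL and signing certificate out of the IdP metadata, and checking that the PEM you upload to Citrix is the same certificate the metadata advertises. The metadata, the idp.example.com URLs and the certificate bytes are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: placeholder bytes stand in for the DER certificate and
# idp.example.com stands in for the values in your real Trusona metadata.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_B64[:20]}
        {SAMPLE_B64[20:]}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"

def fingerprint(b64_text):
    """SHA-256 of the decoded certificate; whitespace and PEM armor are ignored."""
    body = "".join(l.strip() for l in b64_text.splitlines() if "-----" not in l)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def citrix_fields(metadata_xml):
    """Return the values the Citrix SAML configuration page asks for."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    # Citrix Workspace only supports logout via Redirect, so skip other bindings.
    slo = [e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)
           if e.get("Binding") == REDIRECT]
    certs = [fingerprint(c.text) for c in idp.findall(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "sso_urls": sso,
            "logout_url": slo[0] if slo else None, "cert_sha256": certs}

if __name__ == "__main__":
    fields = citrix_fields(SAMPLE_METADATA)
    print(fields)
    print("PEM matches metadata:", fingerprint(SAMPLE_PEM) in fields["cert_sha256"])
```

If the PEM fingerprint is not among the metadata fingerprints, Citrix Workspace would be validating signatures against a different certificate than the one the IdP signs with.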

3. Syncing users

User details need to be exported from Active Directory and imported to Trusona in order for the integration to properly identify users during the authentication process.

3.1. Exporting users from Active Directory

  1. Access your Active Directory instance
  2. Download the most recent version of the Trusona Citrix exporter
  3. Extract the zip file and run the CitrixExportAgent executable
  4. When prompted for the group, choose a group to narrow the export or leave it blank to export all users

A CSV file is created by the exporter and saved in the same directory.

3.2. Importing users to Trusona

  1. Navigate to the Trusona Dashboard and log in
  2. Click Generic SAML Integrations in the side bar
  3. Locate the Citrix Integration you created and click on the Actions button
  4. From the dropdown menu, click on Import Accounts
  5. Click on the Choose File option, and select the account CSV that was created by the exporter
  6. Click on Import Account CSV.

You will now see the accounts imported with a status of Added or Updated.

3.3. Accessing Citrix Workspace with Trusona

Create a new private session and navigate to your Citrix Workspace. You will be prompted to log into the account using the Trusona App.

