Integrating Trusona and Citrix Workspace

This guide details the steps required to configure Trusona as a passwordless authentication solution for your Citrix Workspace instance.

1. Prerequisites

Before proceeding, ensure that you have completed the following:

  1. In your Active Directory lab environment, set up a Citrix Connector
  2. Have admin access to the Trusona Dashboard
  3. Have admin access to Citrix Cloud

Reference the Citrix product documentation as needed for the above steps.

2. Configuring SAML

2.1. Create the SAML integration

  1. Navigate to the Trusona Dashboard and log into your account.
  2. From your Trusona account dashboard, select ‘Generic SAML’ on the left-hand navigation.
  3. On the Generic SAML Integrations page, click on Create SAML integration.
  4. Enter the following information:
    • Name: Name of your integration
    • Assertion consumer service url: https://saml.cloud.com/saml/acs
    • Starting url: This is your Workspace URL that users log into. You can find this information in your Citrix Workspace Admin Console by going to Workspace Configuration > Access.
    • Logout URL: https://saml.cloud.com/saml/logout/callback
  5. Click ‘Save’. You will be redirected back to the Generic SAML Integrations page.
  6. Find your newly created SAML integration, click on the Actions button to the right, and select both Download Certificate and View metadata XML.
  7. In the Metadata XML file, find the following values:
    1. SSO URL: locate the SingleSignOnService line and make note of the URL.
    2. Single Logout URL: locate the SingleLogoutService line and make note of the URL.
Select Generic SAML
Find your Workspace URL
Newly created SAML integration
Finding the SAML Metadata XML file
Locating the Single Logout URL
Locating the SSO URL

2.2. Configure Citrix

Once you have created a SAML integration within the Trusona Dashboard, you can begin configuring Citrix.

  1. Log into a Citrix Workspace Admin Account.
  2. From the main dashboard page, click on the hamburger icon in the upper left-hand corner and select ‘Identity & Access Management’.
  3. On the Authentication Tab, locate the section labeled SAML 2.0 (Tech Preview), click on the 3-dot icon, and select connect. (You will be taken to a new Configuration page for SAML. We recommend leaving this tab open.)
  4. On the Configuration page for SAML, enter the following information:
    1. Entity ID: https://gateway.trusona.net/saml/metadata
    2. Sign Authentication Request: The Sign Authentication Request will depend on your company’s policies.
      1. Select Yes to allow Citrix Cloud to sign authentication requests, certifying they came from Citrix Cloud and not a malicious actor. If you select Yes, you will need to download the SAML metadata file from the SAML configurations page in Citrix, extract the certificate data, and save it as a .crt. Upload this cert to the SAML integration you created for Citrix, within the Trusona Dashboard.
      2. Select No if you prefer to add the Citrix ACS URL to an allow list that your SAML provider uses for posting SAML responses safely.
    3. SSO Service URL: This is the SingleSignOnService URL that was extracted earlier from the Trusona Metadata file.
    4. Binding Mechanism: HTTP-Redirect or HTTP-POST. We recommend using HTTP-POST, but both Citrix and Trusona support either one.
    5. SAML Response: Choose Must Sign Assertion.
    6. X.509 Certificate: Upload the certificate downloaded earlier from the Trusona Dashboard.
    7. Authentication Context: Choose ‘Unspecified’ and ‘Minimum’.
    8. Logout URL: This is the SingleLogoutService URL that was extracted earlier from the Trusona Metadata file.
    9. Attribute mapping: Ensure each attribute matches the values in the table in section 2.2.1.
  5. Select Test and Finish. You will receive a notification that SAML was enabled successfully.
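
The metadata lookups in step 7 of section 2.1 and the certificate extraction described under Sign Authentication Request can be scripted. The following is an added example, not Trusona or Citrix code: the sample metadata, its example.test URLs and its certificate bytes are constructed placeholders, and the function names are hypothetical. It reads any X509Certificate element, so it applies to the Citrix metadata file as well as the Trusona one.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: SAML 2.0 metadata layout with placeholder hostnames and
# placeholder certificate bytes (not real Trusona or Citrix values).
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-placeholder-der-bytes" * 4).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {SAMPLE_CERT_B64[:76]}
        {SAMPLE_CERT_B64[76:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def endpoints(root, tag):
    """Map binding short name (e.g. HTTP-POST) to Location for one service type."""
    return {e.get("Binding", "").rsplit(":", 1)[-1]: e.get("Location")
            for e in root.iterfind(f".//md:{tag}", NS)}


def cert_to_pem(b64_text):
    """Turn the body of an X509Certificate element into PEM text for a .crt file."""
    b64 = "".join(b64_text.split())
    base64.b64decode(b64, validate=True)  # raises if the text is not clean base64
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])


def read_metadata(xml_text):
    """Return the entity ID, endpoint URLs and PEM certificates from metadata XML."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not a SAML EntityDescriptor")
    return {"entity_id": root.get("entityID"),
            "sso": endpoints(root, "SingleSignOnService"),
            "slo": endpoints(root, "SingleLogoutService"),
            "certs": [cert_to_pem(c.text) for c in root.iterfind(".//ds:X509Certificate", NS)]}
```

Run it only on metadata downloaded from your own Trusona or Citrix admin console, and write the returned PEM text to a .crt file before uploading it.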

2.2.1. Attribute mapping

Attribute Name                    Value
--------------------------------  -----------
User Display Name (optional)      name
User Given Name (optional)        given_name
User Family Name (optional)       commonname
Security Identifier (SID)         cip_sid
User Principal Name (UPN)         cip_upn
Email                             cip_email
AD Object Identifier (OID)        cip_oid
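
When the test login fails, a quick structural check of the SAMLResponse form value (copied from the browser's network tools during the test) shows whether the assertion is signed and carries the mapped attributes. This is an added example, not Trusona or Citrix code; it assumes the values in the table appear as Attribute Name entries in the assertion, the sample response is constructed, and the function names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Non-optional values from the attribute mapping table above.
REQUIRED = ("cip_sid", "cip_upn", "cip_email", "cip_oid")


def check_response(saml_response_b64):
    """List structural problems in a base64 SAMLResponse (HTTP-POST binding).

    Presence checks only: this does not validate the XML signature.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return [f"expected exactly one Assertion, found {len(assertions)}"]
    assertion = assertions[0]
    problems = []
    # "Must Sign Assertion": look for a Signature that is a direct child of the
    # Assertion, not one that only covers the enclosing Response.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion carries no ds:Signature element")
    values = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        texts = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        values[attr.get("Name")] = [t for t in texts if t]
    for name in REQUIRED:
        if not values.get(name):
            problems.append(f"missing or empty attribute: {name}")
    return problems


def constructed_sample(attrs, signed=True):
    """Build a constructed (not captured) Response; the Signature is an empty stub."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    items = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        "</saml:Attribute>" for k, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           f"<saml:Assertion>{sig}<saml:AttributeStatement>{items}"
           "</saml:AttributeStatement></saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()
```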
Navigating to Identity and Access management
Identity and Access management
Entering SAML configuration details part 1
Entering SAML configuration details part 2
Test and finish
SAML was successfully enabled

2.3. Enable SAML for Workspace Authentication

  1. Click on the hamburger icon in the upper left-hand corner and select Workspace configuration.
  2. On the authentication tab, select ‘SAML (Tech Preview)’
Workspace configuration
Enabling SAML

3. Syncing users

Your Citrix users need to be imported into Trusona so that the integration can properly identify them during the authentication process. To do this, export your targeted users from Active Directory to a CSV file, then import that file into Trusona.

3.1. Exporting users from Active Directory

  1. Log onto your Active Directory Domain Controller
  2. Download the most recent version of the Trusona Citrix exporter
  3. Extract the zip file and run the CitrixExportAgent executable
  4. When prompted for the group, enter a group name to narrow the export or leave it blank to export your users located in ‘Domain Users’.
  5. A CSV file is created by the exporter and saved in the same directory.

3.1.1. Citrix Exporter notes

  • The name of the group should not include the full DN.
  • The Trusona Citrix Exporter queries Active Directory for the list of users, filters them by group membership (if specified), and creates a CSV with the resulting list of users.
  • If you have multiple domains, the exporter will only query the domain that the DC is joined to.
Running the Citrix Exporter Application
Querying Active Directory and generating a CSV
The generated CSV file

3.2. Importing users to Trusona

  1. Log into the Trusona Dashboard
  2. Select ‘Generic SAML’ on the left-hand navigation
  3. Locate the Citrix Integration you previously created and select the ‘Actions’ button
  4. From the dropdown menu, select ‘Import Accounts’
  5. Click on the Choose File option, and select the account CSV that was created by the exporter
  6. Click on Import Account CSV.
  7. You will now see a list of the users who were imported, along with a status of Added or Updated.
Navigating to the import accounts feature
Importing the CSV generated by the Citrix Exporter
Import results

3.3. Accessing Citrix Workspace with Trusona

Open a private or incognito browser window and navigate to your Citrix Workspace URL. You will be prompted to log in using Trusona.

