How do I use federated user credentials with the Workspace Experience Site Aggregation feature

Article ID: CTX236929

Description

When using a federated logon provider such as Azure AD or AD FS, the user's credentials are not available to the Citrix components; only a user identity token is. This has two impacts:

  1. Application enumeration and launch commands sent from Workspace Experience to the on-premises delivery controller cannot be authenticated.
  2. When the user launches applications or desktops from Workspace Experience, the user is prompted for local AD credentials.

Instructions

Enabling enumeration and launch via Workspace Experience

Before proceeding, carefully note the security implications of the following change. It turns off authentication of enumeration and launch requests sent to the XenApp and XenDesktop delivery controllers, so any host that can reach the XML service port will be able to enumerate and launch resources on behalf of any user.

Before making this change, ensure that only trusted components can communicate with the XML service over your private internal network. Failure to follow these instructions can expose your system to attack.

Use a firewall, VLAN, an IPsec tunnel, a cloud security group, or another network isolation construct to ensure that only Citrix Cloud Connectors and trusted on-premises StoreFront servers can communicate with your on-premises XenApp and XenDesktop delivery controllers over the XML service port. By default this is port 80. See https://support.citrix.com/article/CTX127945 for details about how to change the XML service port if necessary.

Once you are certain that the XML service port is secured, enable the TrustRequestsSentToTheXmlPort setting on your site:

  1. Open a PowerShell session on any Delivery Controller.

  2. Enter Add-PSSnapIn Citrix* to load the Citrix cmdlets.

  3. Enter Get-BrokerSite and check the TrustRequestsSentToTheXmlPort setting. If it is already True, no further action is required.

  4. Enter Set-BrokerSite -TrustRequestsSentToTheXmlPort $true

  5. Enter Get-BrokerSite again to verify that the TrustRequestsSentToTheXmlPort setting is now True.
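The steps above, together with the network isolation requirement from the start of this section, as one idempotent PowerShell script that is safe to re-run. This is an added example, not code from the Citrix article; the addresses in $TrustedHosts, the firewall rule name, and the use of Windows Firewall (the NetSecurity cmdlets) as the isolation mechanism are assumptions. Substitute your own firewall, VLAN or cloud security-group controls where those are what actually isolates the XML port. Run it in an elevated PowerShell session on a Delivery Controller.

```powershell
# Added example (not from the Citrix article): restrict the XML service port
# to trusted hosts first, then enable TrustRequestsSentToTheXmlPort.
# Order matters: the trust flag must never be enabled on an unisolated port.

# Assumptions / placeholders - adjust for your environment.
$XmlPort      = 80                                   # default XML service port (see CTX127945 to change it)
$TrustedHosts = @('10.0.0.10', '10.0.0.11')          # placeholder: your Cloud Connectors and StoreFront servers
$RuleName     = 'Citrix XML Service - trusted sources only'  # hypothetical rule name

# --- Step 0: make sure only trusted hosts can reach the XML port ----------------
# A scoped allow rule only isolates the port if the profile's default inbound
# action is Block; warn if any profile would let unmatched inbound traffic through.
foreach ($fwProfile in Get-NetFirewallProfile) {
    if ($fwProfile.DefaultInboundAction -eq 'Allow') {
        Write-Warning ("Firewall profile '{0}' allows inbound traffic by default; " +
                       "the XML port is NOT isolated by this rule alone.") -f $fwProfile.Name
    }
}

if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
                        -Direction Inbound -Protocol TCP -LocalPort $XmlPort `
                        -RemoteAddress $TrustedHosts -Action Allow -Profile Any | Out-Null
    Write-Host "Created inbound allow rule for TCP/$XmlPort scoped to: $($TrustedHosts -join ', ')"
} else {
    Write-Host "Firewall rule '$RuleName' already exists; leaving it unchanged."
}

# --- Steps 1-2: load the Citrix cmdlets (ignore the error if already loaded) ----
Add-PSSnapin Citrix* -ErrorAction SilentlyContinue
if (-not (Get-Command Get-BrokerSite -ErrorAction SilentlyContinue)) {
    throw 'Citrix Broker cmdlets are not available; run this on a Delivery Controller.'
}

# --- Steps 3-5: check, set if needed, and verify the site setting ---------------
$site = Get-BrokerSite
if ($site.TrustRequestsSentToTheXmlPort) {
    Write-Host 'TrustRequestsSentToTheXmlPort is already True; no further action required.'
} else {
    Set-BrokerSite -TrustRequestsSentToTheXmlPort $true
    $site = Get-BrokerSite                       # re-read rather than trusting the call succeeded
    if (-not $site.TrustRequestsSentToTheXmlPort) {
        throw 'TrustRequestsSentToTheXmlPort is still False after Set-BrokerSite; investigate before continuing.'
    }
    Write-Host 'TrustRequestsSentToTheXmlPort is now True.'
}
```

The script deliberately fails closed: it refuses to report success unless Get-BrokerSite confirms the new value, and it warns rather than silently proceeding when a firewall profile's default inbound action would undermine the scoped allow rule.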

Once this change is complete, Workspace Experience users will be able to enumerate and launch applications and desktops using federated authentication in combination with the Site Aggregation feature.


Single sign-on from Workspace Experience to desktops and applications

When using federated authentication with Workspace Experience, users will need to type their username and password in order to launch sessions. To ensure that these are the same username and password the federated identity system accepts for Workspace Experience itself, make sure they are synchronized between your identity provider and your Active Directory domain.

For Azure AD, this entails setting up Azure AD Connect to synchronize accounts. Enable the password hash synchronization and password writeback features for the best end-user experience. More information on Azure AD Connect can be found here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect