Users Prompted for Credentials on Workspace URLs When Using Federated Authentication Providers

Users Prompted for Credentials on Workspace URLs When Using Federated Authentication Providers

book

Article ID: CTX253779

calendar_today

Updated On:

Description

Overview:
Users may be prompted for additional authentication when navigating to Citrix Workspace URLS if Workspace is configured to use a federated identity provider.

Example:
Users may be prompted for Azure AD credentials when Using AAD for Authentication to Citrix Workspace, even if the user has a valid Microsoft authentication token.

Scenario

  • Authenticate to an existing O365 or Azure AD provisioned resource
  • Browser retains the Microsoft authentication token for the session
  • Navigate to Citrix Workspace URL  (configured to use AAD as the Workspace IdP)
  • Previous authentication token is NOT accepted by Workspace
  • User is prompted again prompted to provide Azure AD credentials to login to Workspace 

 

Resolution

IMPORTANT: 
Customers should consult their internal security teams before requesting an exception to determine which settings are best for their environment and security posture.

This behavior can now be modified directly by the following Cloud setting:

  • Always prompt end users for their credentials:
    • "Workspace Configuration\Customize\Preferences\Workspace sessions"




Note: This feature alone does not allow Single Sign-On into a Desktop VDA or Published Application session, and Citrix Federated Authentication Service (FAS) will be required to be in place for Single Sign-On to occur. Learn more here.

Problem Cause

  • Citrix recently made a change with within the Azure AD Workspace integration to resolve a security concern.
  • To ensure that a user is properly and securely authenticated when accessing Citrix Workspace, the Engineering team has added the “prompt=login” parameter to every authentication request to the IdP of record.
  • This parameter forces the user to be prompted for authentication whenever there is not a valid Citrix Workspace session.
  • This was done to align with Industry-standard security practices.


 

Issue/Introduction

Users may be prompted for additional authentication when navigating to Citrix Workspace URLS if Workspace is configured to use a federated identity provider.

Additional Information

Customize security and privacy policies:

https://docs.citrix.com/en-us/citrix-workspace/experience/policies#workspace-session

 

Microsoft has documented how Azure AD should be configured for applications that use “prompt=login”:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-prompt-login

Citrix CTP Contributions:

https://jkindon.com/2019/09/20/azure-ad-and-citrix-workspace-sso/

Powered by Wolken Software