This article is intended for Citrix administrators and technical teams only. Non-admin users must contact their company’s Help Desk/IT support team and can refer to CTX297149 for more information.



Citrix Receiver for Chrome now supports single sign-on (SSON) on Chromebook devices and Citrix Virtual Apps and Desktops backend. With this functionality, users do not have to retype their passwords within a Citrix environment. SSON configuration includes setting up SAML SSO on Chrome devices and Receiver for Chrome sessions using SAML cookies.

Main components involved in this are:

• Virtual Desktops with FAS enabled

• Google Admin console

• Active Directory Federation Services (AD FS) and

• Citrix NetScaler Gateway

---

Instructions

Installing Virtual Desktops

Install Virual Desktop and configure Federated Authentication Service. Refer Citrix Documentation - Federated Authentication Service for more details.

Configuring Active Directory Federation Services (AD FS) and Google Admin Console

1. Install and configure Active Directory Federation Service (AD FS) from server manager roles on any Windows 2K8 R2 or Windows 2K12 R2 server. Ensure that, AD FS and AD are not on the same machine.

2. Configure AD FS URL in Google Admin console for Single Sign-on as follows:

   • Enable Single Sign-on in Google Apps. Log in to your administration console at
     http://www.google.com/a/your-domain/. Click Security->Set up Single Sign-on (SSO)

   • This will take you through to a configuration screen. Select Enable Single Sign-on,
     and enter the following values:
     Sign-in page URL: https://adfs.yourdomain.com/adfs/ls/
     Sign-out page URL: https://adfs.yourdomain.com/adfs/ls/
     Change password URL: https://sts.yourdomain.com/startersts/users/password.aspx

   • Verification certificate: Upload the AD FS Token Signing cert (.cer file) which can be obtained from the AD FS 2.0 Management Console (under Service > Certificates). Click Upload.

   • Select “Use a domain specific issuer”.

   • Enter network addresses in the Network masks textbox.
     

   • Single sign-on is configured and enabled. Note that the settings take effect immediately. However, it does not affect your login to the Admin Console – that is always accessed by manual login, so that you can get and disable Single Sign-on again.

3. Configure SAML Single Sign-on policies on Google Admin Console, refer https://support.google.com/chrome/a/answer/6060880 for more details.

4. Configuring AD FS
   ​• Open the AD FS 2.0 Management Console and navigate to Relying Parties section.

   1. Click Add Relying Party Trust

   2. Choose Enter data about the relying party manually
      

   3. Provide a name for the trust (so that you can easily identify it)
      

   4. Select AD FS 2.0 profile
      

   5. Select Enable support for the SAML 2.0 WebSSO protocol and enter /acs">https://www.google.com/a//acs in the Relying party SAML 2.0 SSO service URL textbox.
      

   6.  Enter google.com/a/<your-domains the Relying party identifier
      

   7. Complete the wizard steps

   8. Click on the newly added item and select Properties. Click on the Signature tab and Click Add:
      

   9. Add the Token Signing Certificate – it must the AD FS Token Signing Certificate you uploaded to the Google Admin Console AD FS.

   10. Click OK.

   11. Click Edit Claim Rules and click Add Rule:
       

   12. From the Claim rule drop-down, select Transform an Incoming Claim.
       

   13. Provide a Name to the rule, select E-Mail Address as the Incoming Claim Type, set the Outgoing claim type to Name ID and the Outgoing name ID format to Email:
       

   14. Complete the Wizard steps.

   • Go to your Active Directory. Go to properties of user for whom you want to enable Single sign on and then add the google domain email address of that user in Email field.

   • Go to your Active Directory. Go to properties of user for whom you want to enable Single sign on and then add the google domain email address of that user in Email field.

Configuring Citrix NetScaler

• Configure NetScaler SAML to work with AD FS. Before this make sure, Virtual Desktop works with NetScaler without SSON or FAS configuration.. Refer, http://support.citrix.com/article/CTX133919 to configure NetScaler SAML with AD FS
• On successful completion of all the above steps, you are redirected to AD FS page on entering the SF URL

Configuring Single Sign-on on Chromebook

• Chromebook should be a managed Chromebook
• Install and configure SAML SSO for Chrome app extension on Chrome devices. Refer to the Google website for more information. This extension retrieves SAML cookies from browser and provides to Citrix Receiver. This extension needs to be configured with the following policy to allow Receiver to get SAML cookies:
  {
  "whitelist" : {
  "Value" : [
  {
  "appId" : "haiffjcadagjlijoggckpgfnoeiflnem",
  "domain" : "saml.yourcompany.com"
  }
  ]
  }
  }
• If you are repackaging Citrix Receiver for Chrome, change the appId. In addition, change the domain to your company's SAML IdP domain.
• Configure Receiver to user NetScaler Gateway configured for SAML logon. This enables users to use the NetScaler Gateway configured for SAML logon.
• Login to Chromebook using managed user which will redirect you to AD FS page for the first time. user has to enter the password twice for the first time.
• After successful login, you can access the Virtual Desktop resources without having to re-enter the credentials. providing any credentials.

Citrix Receiver for Chrome now supports single sign-on (SSON) functionality on Chromebook devices and Citrix XenApp/XenDesktop backend. With this functionality, users do not have to retype passwords within a Citrix environment. SSON configuration includes setting up SAML SSO on Chrome devices and Receiver for Chrome sessions using SAML cookies.