How to use Google identity provider (GCP) in SAML integration for Citrix Cloud

Article ID: CTX463445

Description

Following the announcement of general availability of SAML 2.0 (Security Assertion Markup Language) for Citrix Workspace, Google can now officially be integrated as a primary identity provider for Citrix Workspace.

For the same details, see the blog post by Citrix Technologist Javier Lopez Santacruz.

With this integration you can provide all the benefits of Citrix Secure Workspace Access, including SSO capabilities, to any:

  • SaaS app
  • VPN-less access to internal web apps
  • Citrix Files
  • Virtual Apps and Desktops

together with all the security AI built into Google when authenticating your users with any 2-Step Verification method, such as Google Authenticator, text message or phone call, or YubiKey passwordless access…


For an optimal end-user experience, it is recommended to deploy a Citrix Federated Authentication Service (FAS) server for Citrix Cloud, to provide single sign-on and prevent a second logon prompt when opening an app or desktop from the Citrix Virtual Apps and Desktops service. For more information, see Connect Citrix Federated Authentication Service to Citrix Cloud.


Instructions

PREREQUISITES/REQUIREMENTS

  • SAML IdP for Citrix Workspace requires an Active Directory integration with both Citrix Cloud and Google Workspace (G Suite account). User assignment to resources is done by picking users out of Active Directory.
  • For this integration to work, Google must pass certain Active Directory attributes of the user to Citrix Cloud in the SAML assertion. Specifically:
    • Security Identifier (SID)
    • objectGUID (OID)
    • userPrincipalName (UPN)
    • Mail (Email)
  • To sync the attributes between Active Directory and Google there are 2 options:
    1. Use Google Cloud Directory Sync to read Active Directory and sync users and groups
      • A custom schema has to be created to sync the required attributes
    2. Manually create the 4 required attributes in the Google Admin console and extract the attribute values from AD

CONFIGURATION:

The configuration can be completed following these steps:

  1. In Identity and Access Management, connect your on-premises AD to Citrix Cloud as described in Connect Active Directory to Citrix Cloud.
  2. Integrate Google with your on-premises AD as described in SAML integration with Active Directory in this article:
    a) Using Google Cloud Directory Sync (GCDS)
    b) Manual sync via the Google Admin Console
  3. In Identity and Access Management, configure SAML authentication in Citrix Cloud. This task involves configuring a SAML application in the Google Admin console with the SAML metadata from Citrix Cloud, and then configuring Citrix Cloud with the metadata from your Google SAML application to create the SAML connection.
  4. In Workspace Configuration, select the SAML authentication method.
  5. Test the end-user experience.

1 – Connect Active Directory to Citrix Cloud

2 – Sync Active Directory to Google Cloud:

2a) To sync Active Directory to Google Cloud, use the Google Cloud Directory Sync tool.

Configure the Sync tool using the standard setup.

The extra item that needs to be added is a custom schema, named “citrix-schema” (recommended).

Ensure you add the fields with exactly this casing:

  • UPN -> userPrincipalName
  • SID -> objectSid
  • objectGUID -> objectGUID

Once the sync is complete, the User Information section in Google Cloud will contain the user’s Active Directory information.


Update Feb 2022: With the latest Google Cloud Directory Sync (GCDS) version 4.7.14, published in February 2022, you can finally automate the synchronization of your AD users with Google Workspace and get a seamless SSO experience with Citrix.

Make sure you select Base64 in your schema:

2b) Sync Active Directory to Google Cloud without Google Cloud Directory Sync

We will need to create a custom schema with the UPN, objectGUID and SID attributes.

Extract the UPN, objectGUID and SID values from AD (using Get-ADUser in PowerShell) and manually copy them into the user’s custom attributes in Google.
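The following script is an added example and not code from the Citrix article. It serves both the GCDS note above (Base64 in the schema) and the manual extraction step: for each user it returns the UPN, SID, objectGUID and mail in text form and, for the binary SID and GUID, in the Base64 form that the GCDS schema produces when Base64 is selected, so the value matching your Google schema can be copied. It needs the ActiveDirectory module (RSAT), runs against your own domain, and the OU path in the usage lines is a placeholder.

```powershell
# Added example, not from the Citrix article. Requires the ActiveDirectory
# module and a domain-joined session; the OU in the usage lines is a placeholder.
Import-Module ActiveDirectory

function Get-CitrixSamlAttributes {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Identity    # sAMAccountName, UPN or distinguished name
    )
    process {
        # SID, ObjectGUID and UserPrincipalName are in Get-ADUser's default
        # property set; mail has to be requested explicitly
        $user = Get-ADUser -Identity $Identity -Properties mail

        # SID is a SecurityIdentifier object; extract its raw binary form
        $sidBytes = New-Object byte[] $user.SID.BinaryLength
        $user.SID.GetBinaryForm($sidBytes, 0)

        [PSCustomObject]@{
            sAMAccountName    = $user.SamAccountName
            userPrincipalName = $user.UserPrincipalName
            mail              = $user.mail
            objectSid         = $user.SID.Value                   # S-1-5-21-...
            objectSidBase64   = [Convert]::ToBase64String($sidBytes)
            objectGUID        = $user.ObjectGUID.ToString()       # text GUID
            objectGUIDBase64  = [Convert]::ToBase64String($user.ObjectGUID.ToByteArray())
        }
    }
}

# Single user:
# Get-CitrixSamlAttributes -Identity 'jdoe'
# Whole OU exported to CSV for bulk entry into the Google custom attributes:
# Get-ADUser -Filter * -SearchBase 'OU=Staff,DC=example,DC=com' |
#     ForEach-Object { $_.SamAccountName } |
#     Get-CitrixSamlAttributes |
#     Export-Csv -NoTypeInformation -Path .\citrix-attributes.csv
```

Compare the Base64 values with what the GCDS custom schema writes for a synced user to confirm both paths produce the same attribute values.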
3 – Add SAML application in Google Admin console
After creating the SAML application in the Google Admin console, we need to enable SAML in Workspace and copy the SSO URL and the Entity ID:
We also need to complete the service provider details in Google with the values from the Citrix Workspace SAML metadata and certificate:
We also need to configure the attribute mapping and turn the application on for all users:
4 – We enable SAML in the Workspace Configuration.
5 – End User Experience

TROUBLESHOOTING

We need to verify that the attributes are correctly imported from AD into Google and included in the SAML response. The SAML Message Decoder browser extension can be used to capture and decode the response:

https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm

We need to verify in the SAML response that the correct attributes from AD are being passed.
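As an added example (not from the Citrix article), the script below automates the check above: it decodes a SAMLResponse value captured from the browser and reports which of the expected attributes are present, missing or empty in the assertion. The attribute names in $RequiredAttributes and the sample response are assumptions constructed for the example; use the names you configured in the Google SAML application's attribute mapping.

```powershell
# Added example, not from the Citrix article. Attribute names and the sample
# response below are constructed for illustration, not taken from a real tenant.
$RequiredAttributes = @('cip_upn', 'cip_sid', 'cip_oid', 'cip_email')

function Test-CitrixSamlResponse {
    param([Parameter(Mandatory)][string]$SamlResponseBase64)

    # HTTP-POST binding: the SAMLResponse form field is plain Base64 of the XML
    $xml = New-Object System.Xml.XmlDocument
    $xml.LoadXml([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64)))
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('saml2', 'urn:oasis:names:tc:SAML:2.0:assertion')

    # Collect every Attribute in the assertion, joining multi-valued ones
    $present = @{}
    foreach ($attr in $xml.SelectNodes('//saml2:Attribute', $ns)) {
        $values = $attr.SelectNodes('saml2:AttributeValue', $ns) | ForEach-Object { $_.InnerText }
        $present[$attr.GetAttribute('Name')] = ($values -join ';')
    }

    # Report each required attribute as OK, EMPTY (mapped but no AD value) or MISSING
    foreach ($name in $RequiredAttributes) {
        $status = if (-not $present.ContainsKey($name)) { 'MISSING' }
                  elseif ([string]::IsNullOrWhiteSpace($present[$name])) { 'EMPTY' }
                  else { 'OK' }
        [PSCustomObject]@{ Attribute = $name; Status = $status; Value = $present[$name] }
    }
}

# Constructed sample response: cip_email is deliberately empty to show the EMPTY case
$sampleXml = @'
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="cip_upn"><saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="cip_sid"><saml2:AttributeValue>S-1-5-21-1111111111-2222222222-3333333333-1105</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="cip_oid"><saml2:AttributeValue>0b8f3f7a-4c2d-4a9b-9e1d-2f6a1c3b4d5e</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="cip_email"><saml2:AttributeValue></saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
'@
$sampleBase64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))
Test-CitrixSamlResponse -SamlResponseBase64 $sampleBase64 | Format-Table -AutoSize
```

An EMPTY result for a mapped attribute usually means the custom schema field was never populated for that user in Google, so check the user's attributes there before looking at the Citrix side.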

Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.

Additional Information

https://www.citrix.com/blogs/2021/09/15/citrix-workspace-saml-2-0-support-is-now-generally-available/
https://docs.citrix.com/en-us/citrix-workspace/optimize-cvad/workspace-federated-authentication.html