Citrix Cloud, Citrix Workspace Experience and Federated Authentication Service with Azure AD
This is a feature that I have been waiting to test and play with for a while now, and it has arrived in private tech preview. It gives users of the Citrix Workspace Experience, using Federated Authentication Service, access to Citrix VDA resources with Azure AD credentials. Federated Authentication Service (FAS) has been available since 7.9 and has been integrated with on-premises Citrix ADC and Citrix StoreFront for SAML authentication since then. Let's take a look at the use cases for Federated Authentication Service. This service gives contractors, partners and other users who need it access to resources on your network in a controlled way with Azure AD or Okta credentials. FAS uses "Shadow Accounts" that allow users access to resources using the UPN, First Name, and Last Name on a matching shadow account in AD. FAS ensures the end-user never needs to know the password for that AD account on your network. Let's take a look at this new feature of Citrix Cloud and check out the new Workspace experience.
What is Federated Authentication Service?
Here is an explanation of Federated Authentication Service from the Citrix website: "The Federated Authentication Service (FAS) is a privileged component designed to integrate with Active Directory Certificate Services. It dynamically issues certificates for users, allowing them to log on to an Active Directory environment as if they had a smart card. This allows StoreFront to use a broader range of authentication options, such as SAML (Security Assertion Markup Language) assertions. SAML is commonly used as an alternative to traditional Windows user accounts on the Internet." If you are interested in how to install FAS and set it up from scratch using Citrix ADC and Citrix StoreFront, then please see this article for more details: https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/federated-authentication-service.html. In this article, I am focusing on the Citrix Cloud FAS installation.
What's new in Citrix Cloud?
Up until now, it was not possible to use Federated Authentication Service with Citrix Workspace Experience. I am pleased to say that this is now possible and is in tech preview. So what does Federated Authentication Service (FAS) do, and why is it important for a better end-user experience? FAS allows users to make use of authentication methods such as Azure AD and Okta within Citrix Workspace Experience. The end-user can now use Azure AD authentication to log in to the Workspace and have that pass all the way through to the VDA session. This means that users now get a seamless authentication process all the way through to a launched desktop with Azure credentials! I think this is awesome for user experience. If an admin were to set up Azure AD authentication for Citrix Workspace Experience and not use our new FAS service with Citrix Cloud, end users would be prompted for an Active Directory login when they attempt to launch a desktop. This would leave users with a less than optimal experience, which is not what we want for our end users.
How do we set up FAS?
In the resource location, we need the following machines:
In Citrix Cloud
- Active Directory Certificate Services (MS Certificates Server)
- FAS Server (with Private Tech Preview of FAS installed)
- Virtual Desktop Agent (to test the launch process)
- Active Directory Domain Controller
- Azure AD Sync to Azure AD
Step 1: Citrix Cloud Setup
Let's set our authentication method to Azure AD for Subscribers. This will allow our end-users to log in to the Citrix Workspace with Azure AD credentials. We can do this by choosing Identity and Access Management.
- Enable Citrix FAS
- Configure the Azure AD Authentication for the Citrix Workspace Experience.
Step 2: In the Resource Location
Log in to the FAS Server in the Resource Location and install the FAS service. (I used the private tech preview, thanks to Oscar Day.) I installed the "FederatedAuthenticationService_x64.msi" on a clean install of 2016 Server with .NET Framework 4.8 installed.