Citrix Files, Azure AD and Single Sign-On
In my last post, I talked about how to ensure access to a VDI in Azure without any re-authentication using Azure AD. Here it is if you missed it: https://www.mycugc.org/blogs/wendy-gay/2019/07/23/citrix-cloud-citrix-workspace-experience-and-feder.
I wanted to follow on from that post and show you how to access the Citrix Files application on the VDI desktop in Azure via Citrix Workspace. The Citrix Files application is now installed with the VDA, which is great, and I want Citrix Files to sign in with no prompts or pop-ups appearing for any end user, so that the experience is as seamless as possible. User experience and ease of use are a theme I hear about a lot from customers, and I want to avoid any additional logins.
So let's look at how this is achieved.
We need access to the Citrix Content Collaboration / Admin Settings to configure the SAML settings for SSO, and we also need to set up the enterprise application in Azure AD for SSO. Let's begin by creating an Azure Enterprise App for SSO to Citrix Content Collaboration.
Azure Portal:
In the Azure Portal, navigate to the Azure Active Directory option on the left-hand side and then click on the Enterprise application option.
Search for the Citrix ShareFile app, give it the name you want to use and click the Add button to install it.
Now let's see where the SSO configuration is set within the Azure application.
Let's look at the first setting, the basic SAML configuration. The following must be configured (as in the screenshot below) to tell your Azure app about your ShareFile (Content Collaboration) tenant. Replace MyTenant in https://MyTenant/Sharefile.EU with your own tenant name (use .com instead of .EU if that is where your tenant is).
We also need to take note of the following:
- Reply URL
- Sign on URL
We also need the signing certificate to upload into ShareFile. Download and save the Base64 certificate and keep it to hand; we will need it shortly.
This is the detail we now need to configure in the ShareFile Admin page. Take note of the settings.
Finally, we need to give the users in the organisation permission to use this new enterprise app that we have created for ShareFile in Azure.
Citrix Content Collaboration Settings:
At this stage, I want to open my Sharefile account (I had to reset the password because SSO has been looking after it for so long that I had forgotten it!)
This is a good article from Microsoft that has all the required details on the configuration (Azure documentation).
Log in to the ShareFile account and navigate to the admin settings, then to the Login & Security Policy page, SAML Basic Settings. Enable the SAML radio button and apply the settings for Login URL, ShareFile issuer and IDP issuer. We must also upload the certificate that we downloaded and saved into the certificate dialog box: cut and paste the text between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and save it.
Now test the configuration settings using the test button.
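Before running the test, it is worth checking that what you pasted into the certificate box is complete, since a partial copy of the Base64 body is a common reason the SAML test fails. The Python script below is an added example, not code from this post or from Citrix or Microsoft: it pulls the Base64 body out from between the BEGIN/END lines (or accepts a bare blob), confirms that it decodes to one whole DER SEQUENCE, and prints fingerprints you can compare with the thumbprint shown for the signing certificate in the Azure portal. The sample certificate bytes are constructed for the demonstration and are not a real certificate.

```python
import base64
import binascii
import hashlib
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def extract_pem_body(text: str) -> str:
    """Return the Base64 between the BEGIN/END lines (or the bare blob) minus all whitespace."""
    match = PEM_RE.search(text)
    body = match.group(1) if match else text
    return re.sub(r"\s+", "", body)


def der_total_length(der: bytes) -> int:
    """Parse the outer DER header; an X.509 certificate is a SEQUENCE (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE, so not an X.509 certificate")
    first = der[1]
    if first < 0x80:                       # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                       # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_certificate(text: str) -> dict:
    """Validate a pasted certificate; returns ok/error plus fingerprints for comparison."""
    body = extract_pem_body(text)
    try:
        der = base64.b64decode(body, validate=True)
        expected = der_total_length(der)
    except (binascii.Error, ValueError) as exc:
        return {"ok": False, "error": str(exc), "body": body}
    if expected != len(der):
        return {"ok": False, "body": body,
                "error": f"truncated or overlong paste: header says {expected} bytes, got {len(der)}"}
    return {"ok": True, "error": "", "body": body, "der_bytes": len(der),
            "sha1": hashlib.sha1(der).hexdigest().upper(),
            "sha256": hashlib.sha256(der).hexdigest().upper()}


# Constructed stand-in for the downloaded Base64 certificate: a DER SEQUENCE wrapping
# 256 zero bytes. NOT a real X.509 certificate, just enough to exercise the checks.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_BODY = base64.b64encode(FAKE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(SAMPLE_BODY, 64))
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_TRUNCATED = SAMPLE_PEM.replace(SAMPLE_BODY[-8:], "")  # simulate a short copy

if __name__ == "__main__":
    for label, pem in (("complete", SAMPLE_PEM), ("truncated", SAMPLE_TRUNCATED)):
        print(label, check_certificate(pem))
```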
We are almost done; the last task is the GPO configuration. The VDA installer now installs the Citrix Files app (and the Outlook plugins) automatically, so that part is taken care of. We still need to tell the Citrix Files app which subdomain to use. This is configured via the ADMX file for Citrix Files: complete the account settings, add subdomain.sharefile.eu (if you are in the EU) and ensure the group policy is applied to your VDA.
Now let's test and see what the user experience is like! I have already set up FAS and SSO to the VDA, and now we also have SSO to the Citrix Files app within that VDA. Here is a video of the user experience: https://twitter.com/Wendy_Gay1/status/1173545014477164545