How to use Google identity provider (GCP) in SAML integration for Citrix Cloud

PREREQUISITES/REQUIREMENTS

  • SAML IdP for Citrix Workspace requires an Active Directory integration with both Citrix Cloud and Google Workspace (G Suite account).

User assignment to resources is done by picking users out of Active Directory.

  • For this integration to work, Google must pass Citrix Cloud certain Active Directory attributes of the user in the SAML assertion. Specifically:
    • SecurityIdentifier (SID)
    • objectGUID (OID)
    • userPrincipalName (UPN)
    • mail (email)
  • To sync these attributes between Active Directory and Google there are two options:
    1. Use Google Cloud Directory Sync to read Active Directory and sync users and groups
      • A custom schema is needed to sync the required attributes
    2. Manually create the four required attributes in the Google Admin console and copy the attribute values from AD

CONFIGURATION:

The configuration can be completed following these steps:

  1. In Identity and Access Management, connect your on-premises AD to Citrix Cloud as described in Connect Active Directory to Citrix Cloud.
  2. Integrate Google with your on-premises AD as described in SAML integration with Active Directory in this article:
    a) Using Google Cloud Directory Sync (GCDS)
    b) Manual sync via the Google Admin console
  3. In Identity and Access Management, configure SAML authentication in Citrix Cloud. This task involves configuring a SAML application in the Google Admin console with the SAML metadata from Citrix Cloud, and then configuring Citrix Cloud with the metadata from your Google SAML application to create the SAML connection.
  4. In Workspace Configuration, select the SAML authentication method.
  5. Test the end-user experience.

1 – Connect Active Directory to Citrix Cloud

2 – Sync Active Directory to Google Cloud:

2a) To sync Active Directory to Google Cloud, use the Google Cloud Directory Sync tool.

Configure the Sync tool using the standard setup.

The one extra item that needs to be added is a custom schema, named “citrix-schema” (recommended name).

Ensure you add the fields with the exact casing shown below:

  • UPN -> userPrincipalName
  • SID -> objectSid
  • objectGUID -> objectGUID

Once the sync is complete, the User Information section in Google Cloud will contain the user’s Active Directory information.

Update Feb 2022: With the latest Google Cloud Directory Sync (GCDS) version, 4.7.14, published in February 2022, you can finally automate the synchronization of your AD users with Google Workspace and get a seamless SSO experience with Citrix.

Make sure you select Base64 in your schema:

2b) Sync Active Directory to Google Cloud without Google Cloud Directory Sync

We will need to create a custom schema with the UPN, objectGUID and SID fields.

Extract the UPN, objectGUID and SID values from AD (using Get-ADUser in PowerShell) and manually copy them into the user’s custom attributes.
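The following PowerShell script is an added example (not part of the original article) that pulls the four attributes listed in the prerequisites for a set of users and exports them to a CSV, so the values can be pasted into the Google custom-schema fields for option 2b or compared against what GCDS synced for option 2a. It assumes the RSAT ActiveDirectory module is installed, that the running account can read the users, and that the Base64 columns match what the "Base64" schema setting expects for the binary attributes (an assumption; the account names are constructed).

```powershell
# Added example: export the AD attributes Citrix Cloud expects in the SAML
# assertion (UPN, SID, objectGUID, mail) for one or more users.
# Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-CitrixSamlAttribute {
    param([Parameter(Mandatory)][string[]]$SamAccountName)

    foreach ($name in $SamAccountName) {
        # Get-ADUser returns ObjectGUID, SID and UserPrincipalName by default;
        # mail has to be requested explicitly.
        try { $u = Get-ADUser -Identity $name -Properties mail -ErrorAction Stop }
        catch { Write-Warning "$name not found in AD: $_"; continue }

        # A user without a UPN or mail would produce an incomplete assertion.
        if (-not $u.UserPrincipalName -or -not $u.mail) {
            Write-Warning "$name has no UPN or mail in AD; the SAML assertion would be incomplete"
        }

        # Raw binary form of the SID, used for the Base64 column below.
        $sidBytes = New-Object byte[] $u.SID.BinaryLength
        $u.SID.GetBinaryForm($sidBytes, 0)

        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            userPrincipalName = $u.UserPrincipalName
            mail              = $u.mail
            # String forms, as Get-ADUser displays them
            objectSid         = $u.SID.Value
            objectGUID        = $u.ObjectGUID.ToString()
            # Base64 of the raw attribute bytes. Assumption: this is the form the
            # "Base64" schema setting mentioned in the article stores for binary values.
            # Guid.ToByteArray() returns the same byte order as the raw AD attribute.
            objectSid_Base64  = [Convert]::ToBase64String($sidBytes)
            objectGUID_Base64 = [Convert]::ToBase64String($u.ObjectGUID.ToByteArray())
        }
    }
}

# Constructed sample usage: replace the account names with real ones.
Get-CitrixSamlAttribute -SamAccountName 'jdoe', 'asmith' |
    Export-Csv -Path .\citrix-saml-attributes.csv -NoTypeInformation
```

Compare the exported values with the User Information section in Google after the sync; a mismatch in casing or encoding of the SID or objectGUID is the usual reason the SAML assertion is rejected by Citrix Cloud.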

3 – Add a SAML application in the Google Admin console

After generating the SAML application in the Google Admin console, we need to enable SAML in Workspace and copy the SSO URL and the Entity ID:

We also need to complete the service provider settings: take the values and the certificate from the Citrix Workspace SAML metadata and copy them into the Google service provider details:

We also need to configure the attribute mapping and turn the application on for all users:

4 – Enable SAML in Workspace Configuration.

5 – End-user experience

TROUBLESHOOTING

Verify that the attributes were correctly imported from AD into Google and are included in the SAML response:

The SAML Message Decoder browser extension can be used to view the response: https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm

In the SAML response, verify that the correct attributes from AD are being passed.
