PREREQUISITES/REQUIREMENTS
- SAML IdP for Citrix Workspace requires an Active Directory integration with both Citrix Cloud and Google Workspace (G Suite account). User assignment to resources is done by picking users out of Active Directory.
- For this integration to work, Google must pass Citrix Cloud certain Active Directory attributes of the user in the SAML assertion. Specifically:
  - Security Identifier (SID)
  - objectGUID (OID)
  - userPrincipalName (UPN)
  - mail (Email)
- To sync these attributes between Active Directory and Google we have two options:
  - Use Google Cloud Directory Sync (GCDS) to access Active Directory and sync users and groups. We will need to create a custom schema to sync the required attributes.
  - Manually create the 4 required attributes in the Google Admin console and copy in the attribute values extracted from AD.
CONFIGURATION:
The configuration can be completed following these steps:
- In Identity and Access Management, connect your on-premises AD to Citrix Cloud as described in Connect Active Directory to Citrix Cloud.
- Integrate Google with your on-premises AD as described in SAML integration with Active Directory in this article.
  - a) Using Google Cloud Directory Sync (GCDS)
  - b) Manual sync via Google Admin Console
- In Identity and Access Management, configure SAML authentication in Citrix Cloud. This task involves configuring a SAML application in the Google Admin console with the SAML metadata from Citrix Cloud, and then configuring Citrix Cloud with the metadata from your Google SAML application to create the SAML connection.
- In Workspace Configuration, select the SAML authentication method.
- Test the end user experience
1 – Connect Active Directory to Citrix Cloud
2 – Sync Active Directory to Google Cloud
1a) To sync Active Directory to Google Cloud, use the Google Cloud Directory Sync tool.
Configure the Sync tool using the standard setup.
- https://tools.google.com/dlpage/dirsync
- https://support.google.com/a/topic/2679497?hl=en
- https://support.google.com/a/answer/106368
The extra item that needs to be added is a custom schema, named "citrix-schema" (recommended).
Ensure you add the fields with the exact casing shown below:
- UPN -> userPrincipalName
- SID -> objectSid
- objectGUID -> objectGUID
Once the sync is complete, the User Information section in Google Cloud will contain the user's Active Directory information.
Update Feb 2022: With the latest Google Cloud Directory Sync (GCDS) version 4.7.14, published in February 2022, you can finally automate the synchronization of your AD users with Google Workspace to get a seamless SSO experience with Citrix.
Make sure you select Base64 in your schema.
1b) Sync Active Directory to Google Cloud without Google Cloud Directory Sync
We will need to create a custom schema with the UPN, objectGUID and SID.
Extract the UPN, objectGUID and SID values from AD (using Get-ADUser in PowerShell) and manually copy them into the user attributes.
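For the manual option, the extraction step above can be scripted. The following is an added PowerShell example, not part of the original guide: it reads the attributes Citrix Cloud needs for every member of an AD group with Get-ADUser and writes them to a CSV for copying into the custom schema fields in the Google Admin console. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the user objects; the group name is a placeholder. The Base64 columns assume that the Base64 option selected in the GCDS schema encodes the raw binary value of objectSid and objectGUID; compare the output against a GCDS-synced user before deciding which form to paste.

```powershell
# Added example, not part of the original guide. Assumes the RSAT ActiveDirectory
# module is installed and the caller can read user objects; the group name is a placeholder.
Import-Module ActiveDirectory

function Get-CitrixSamlAttributes {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Identity)
    process {
        # SID, ObjectGUID and UserPrincipalName are default properties of Get-ADUser; mail is not
        $u = Get-ADUser -Identity $Identity -Properties mail

        # SID is a SecurityIdentifier: export its string form and the Base64 of the raw bytes
        $sidBytes = New-Object byte[] $u.SID.BinaryLength
        $u.SID.GetBinaryForm($sidBytes, 0)

        $row = [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            userPrincipalName = $u.UserPrincipalName
            mail              = $u.mail
            objectSid         = $u.SID.Value
            objectSidBase64   = [Convert]::ToBase64String($sidBytes)
            objectGUID        = $u.ObjectGUID.Guid
            objectGUIDBase64  = [Convert]::ToBase64String($u.ObjectGUID.ToByteArray())
        }

        # A user with an empty UPN or mail can never produce a complete assertion: flag it now
        foreach ($name in 'userPrincipalName', 'mail') {
            if ([string]::IsNullOrWhiteSpace($row.$name)) {
                Write-Warning "$($u.SamAccountName): AD attribute '$name' is empty"
            }
        }
        $row
    }
}

# Usage: export the attributes for every member of the AD group entitled to Citrix resources
# ('Citrix-Workspace-Users' is a placeholder group name)
Get-ADGroupMember -Identity 'Citrix-Workspace-Users' -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty SamAccountName |
    Get-CitrixSamlAttributes |
    Export-Csv -Path .\citrix-saml-attributes.csv -NoTypeInformation
```

The warnings matter more than the CSV: a user whose UPN or mail is empty in AD will reach Citrix Cloud with an incomplete assertion however carefully the other fields are copied, so fix those accounts before entering values in the Admin console.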
3 – Add SAML application in Google Admin console
After creating the SAML application in the Google Admin console, we need to enable SAML in Citrix Workspace and copy the SSO URL and the Entity ID from Google.
We also need to complete the service provider details in Google using the SAML metadata and certificate from Citrix Workspace.
We also need to configure the attribute mapping and turn the application on for all users.
4 – Enable SAML in Workspace Configuration
5 – End user experience
TROUBLESHOOTING
We need to verify that the attributes are correctly imported from AD into Google and included in the SAML response. The SAML Message Decoder browser extension can be used to inspect the response:
https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm
Check in the decoded SAML response that the correct attributes from AD are being passed.
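The same check can be done without a browser extension. The following is an added PowerShell example, not part of the original guide: it decodes a SAML response captured from the browser (the base64 SAMLResponse form field posted to Citrix Cloud), lists the attributes in the assertion and reports any that are missing or empty, which is the symptom of an attribute that was never synced into the custom schema. The expected attribute names cid_sid, cid_oid, cid_upn and cid_email are an assumption; substitute the names you mapped in the Google SAML application in step 3. The sample response embedded at the end is constructed (unsigned, with an empty cid_oid) so the script runs offline.

```powershell
# Added example, not part of the original guide. Parses a SAML response captured from
# the browser (the base64 SAMLResponse form field posted to Citrix Cloud) and checks
# that the attributes Citrix Cloud needs are present and non-empty. The expected
# attribute names are an assumption: use the names mapped in the Google SAML app.
function ConvertFrom-SamlResponse {
    param([Parameter(Mandatory)][string]$SamlResponse)

    # Values copied from a raw form body are still URL-encoded; undo that first
    if ($SamlResponse -match '%[0-9A-Fa-f]{2}') {
        $SamlResponse = [Uri]::UnescapeDataString($SamlResponse)
    }
    $xmlText = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponse))

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # never fetch external entities/DTDs referenced by a blob we did not produce
    $doc.LoadXml($xmlText)

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')

    # Collect every attribute in the assertion as name -> list of values
    $attributes = @{}
    foreach ($attr in $doc.SelectNodes('//saml:Assertion/saml:AttributeStatement/saml:Attribute', $ns)) {
        $attributes[$attr.GetAttribute('Name')] =
            @($attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
    }

    [pscustomobject]@{
        Issuer     = $doc.SelectSingleNode('//saml:Assertion/saml:Issuer', $ns).InnerText
        NameID     = $doc.SelectSingleNode('//saml:Assertion/saml:Subject/saml:NameID', $ns).InnerText
        # Presence only; the signature itself is validated by Citrix Cloud, not by this script
        Signed     = $doc.SelectNodes('//saml:Assertion/*[local-name()="Signature"]').Count -gt 0
        Attributes = $attributes
    }
}

function Test-CitrixSamlAttributes {
    param(
        [Parameter(Mandatory)]$Parsed,
        [string[]]$Required = @('cid_sid', 'cid_oid', 'cid_upn', 'cid_email')  # assumed names
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    if (-not $Parsed.Signed) { $problems.Add('assertion is not signed') }
    foreach ($name in $Required) {
        $values = $Parsed.Attributes[$name]
        if (-not $values) {
            $problems.Add("attribute '$name' is missing from the assertion (check the attribute mapping)")
        } elseif ([string]::IsNullOrWhiteSpace($values[0])) {
            $problems.Add("attribute '$name' is present but empty (check the AD sync / custom schema)")
        } else {
            "$name = $($values[0])"
        }
    }
    foreach ($p in $problems) { Write-Warning $p }
}

# Constructed sample response (unsigned, with an empty cid_oid) standing in for a real capture
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2022-02-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-02-01T00:00:00Z">
    <saml:Issuer>https://accounts.google.com/o/saml2?idpid=EXAMPLEID</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="cid_upn"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="cid_email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="cid_sid"><saml:AttributeValue>S-1-5-21-1111111111-2222222222-3333333333-1234</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="cid_oid"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"@
$encoded = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))

$parsed = ConvertFrom-SamlResponse -SamlResponse $encoded
"Issuer: $($parsed.Issuer)  NameID: $($parsed.NameID)"
Test-CitrixSamlAttributes -Parsed $parsed
```

To use it on a real login, copy the SAMLResponse value from the POST to Citrix Cloud in the browser's developer tools and pass it to ConvertFrom-SamlResponse instead of the constructed sample. An attribute that is present but empty points at the AD-to-Google sync (the custom schema field was never populated), while a missing attribute points at the attribute mapping in the Google SAML application.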