Configure Identity and Access Management (IAM) in Citrix Cloud with Microsoft Azure AD.

In this article, we will review what Citrix Cloud Identity and Access Management is and how to configure it with Microsoft Azure AD, so that your users and administrators can log on to Citrix Cloud with the corporate credentials managed in Azure AD.

Make sure to catch up this series' previous posts first!


What is Identity and Access Management in Citrix Cloud?

The foundation of Citrix Workspace is to unify the user experience by offering one place to access applications and data from different providers. These providers often use different authentication mechanisms and different identities. That’s where Identity and Access Management shows its value: the goal of Identity as a Service is to centralize access control behind a single point, to offer flexible authentication with integrated Smart Access, and to support any cloud deployment model.

There is a great video from Citrix Synergy 2017 that explains How to Manage Identities and Access with Citrix Cloud.

Citrix Cloud currently supports two identity providers: Azure AD credentials and Citrix (My Citrix) credentials.

Architecture

Citrix Identity And Access Management Architecture - Lab 30

Getting started

For this part of the lab, you will need the following:

  • Citrix Cloud account
  • Microsoft Azure AD configured. Your Active Directory can be located either in the cloud or on-premises. In this example, Active Directory is on-premises and Azure AD is synchronized with it by Azure AD Connect installed on our local DC. Take a look at this post (Lab: Part 27 – Getting started with Microsoft Azure) to learn how to configure Azure AD with AD Connect.
  • Account with permissions in Microsoft Azure
  • Citrix Cloud Connectors installed and connected to Citrix Cloud (See this post Lab: Part 28 – Getting started with Citrix Cloud)

You will learn:

  • How to delegate Citrix Cloud administration to Azure AD identities
  • How to configure a custom sign-on administration URL
  • How to troubleshoot delegation issues
  • How to query Azure AD in PowerShell

Configure Identity And Access Management

In the Citrix Cloud web console, open the left menu and go to Identity and Access Management.

Identity and Access Management

Select Connect under Azure Active Directory.

Select Connect under Azure Active Directory

Citrix Cloud will ask for the sign-in URL your administrators will use to authenticate with Azure Active Directory. You can change it later.

URL to authenticate using Azure Active Directory

Note: you cannot log on at https://citrix.cloud.com with Azure AD (federated) identities. You must use the custom sign-in URL defined above.

You will be prompted for Microsoft Azure credentials.

Microsoft Azure credentials

Then you will be asked to consent to Citrix Cloud connecting to your Azure AD tenant.

Allow Citrix to connect to Microsoft Azure

Once authenticated, Azure AD will appear as Connected in Citrix Cloud.

Azure AD will appear as Connected in Citrix Cloud

See below more details about the new configuration.

IAM Configuration in Citrix Cloud

In the Domains tab you can verify that the domain citrixguru.com has been detected and that communication with it is working.

Domain supported in Citrix Cloud Identity and Access Management

Note: if the domain does not show up here, check your Citrix Cloud Connector virtual machines first. If you need help setting up Cloud Connectors, take a look at this article: Lab: Part 28 – Getting started with Citrix Cloud.

Let’s now try to delegate permissions to users in Citrix Cloud.

Go to Identity and Access Management and select Administrators. Select Azure AD: Default Directory in the drop-down list, then type the name of the user you want to allow into Citrix Cloud. You may face the same issue as below (the name is grayed out and cannot be selected).

identity And Access Management - Delegation

A grayed-out name means that the account does not have an email address (the mail attribute) populated in Azure AD.

Note: the Azure portal does not expose every user attribute. To see all of them, you need to query Azure AD with PowerShell.

See below how I did it. Here is the output of all attributes.

AD Azure - Show user attributes in PowerShell

Here are the attributes I am looking for.

AD Azure - Show user attributes in PowerShell

We have now confirmed that in Azure AD this account does not have an email address.

Let’s update it.

In my case this account was created in my on-premises Active Directory, so the fix has to be made there and synchronized up. Open Active Directory Users and Computers on-premises and pull up the account.

AD on-premises - User properties

You can see above that the account has no email address associated with it.

Note: Citrix Cloud does not read the UPN attribute; it needs the email address, so a valid UPN alone is not enough.

Add an email for the user and click OK.

Then, on the Azure AD Connect server, force an AD Connect delta synchronization with Azure AD.

PowerShell should output the following:

AD Connect Sync

You will have to wait a few minutes for the replication to complete.

You can query Azure AD again in PowerShell to confirm that the account has been updated.

AD Azure - Show user attributes in PowerShell
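The whole troubleshooting loop above (query Azure AD for the missing attribute, fix it on-premises, force an AD Connect delta sync, re-query until the change is visible) as a PowerShell runbook. This is an added example, not the script from the original post: it assumes the AzureAD module on the admin workstation, the ActiveDirectory and ADSync modules on the on-premises DC and AD Connect server respectively, and a test user jdoe@citrixguru.com; those names and the module choice are assumptions. It also goes one step beyond the single user in the text and lists every synced account that would be grayed out for the same reason.

```powershell
# Added example, not part of the original post. Steps 1 and 4 run on the admin
# workstation, step 2 on a DC (or RSAT host), step 3 on the Azure AD Connect server.
# Assumptions: AzureAD, ActiveDirectory and ADSync modules are installed where used;
# the user, sAMAccountName and mail address below are placeholders.

$Upn        = 'jdoe@citrixguru.com'   # assumed test user (UPN in Azure AD)
$SamAccount = 'jdoe'                  # assumed on-prem sAMAccountName
$Mail       = 'jdoe@citrixguru.com'   # email address to populate

# --- 1. Query Azure AD for the attributes Citrix Cloud cares about -------------
Import-Module AzureAD
Connect-AzureAD | Out-Null

function Get-CitrixIdentityAttributes {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Citrix Cloud needs the mail attribute, not the UPN, so show both, plus the
    # proxy addresses and sync state that AD Connect writes from on-prem.
    Get-AzureADUser -ObjectId $UserPrincipalName |
        Select-Object DisplayName, UserPrincipalName, Mail, OtherMails,
                      ProxyAddresses, DirSyncEnabled, LastDirSyncTime
}

Get-CitrixIdentityAttributes -UserPrincipalName $Upn
# An empty 'Mail' column here is the cause of the grayed-out name in Citrix Cloud.

# Generalization: list every synced user that would hit the same problem.
function Find-SyncedUsersWithoutMail {
    Get-AzureADUser -All $true |
        Where-Object { $_.DirSyncEnabled -and [string]::IsNullOrEmpty($_.Mail) } |
        Select-Object DisplayName, UserPrincipalName
}
Find-SyncedUsersWithoutMail

# --- 2. Fix the account in on-premises AD -------------------------------------
Import-Module ActiveDirectory
# -EmailAddress writes the same 'mail' attribute as the E-mail field in ADUC.
Set-ADUser -Identity $SamAccount -EmailAddress $Mail
Get-ADUser -Identity $SamAccount -Properties mail | Select-Object SamAccountName, mail

# --- 3. Force a delta sync on the Azure AD Connect server ---------------------
Import-Module ADSync
# Start-ADSyncSyncCycle fails if a cycle is already running; wait for it first.
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 30 }
Start-ADSyncSyncCycle -PolicyType Delta
# Expected output: a Result column showing 'Success'.

# --- 4. Poll Azure AD until the mail attribute is visible, then retry the invite
function Wait-AzureADMail {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$Expected,
        [int]$TimeoutMinutes = 10
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $current = (Get-AzureADUser -ObjectId $UserPrincipalName).Mail
        if ($current -eq $Expected) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

if (Wait-AzureADMail -UserPrincipalName $Upn -Expected $Mail) {
    Write-Host "Mail attribute synced; the account can now be invited in Citrix Cloud."
} else {
    Write-Warning "Mail attribute still missing in Azure AD; check the AD Connect sync log."
}
```

Step 3 deliberately checks the scheduler before starting the cycle, because a delta cycle started while another is in progress errors out and leaves you waiting on a sync that never ran. The AzureAD module was current when this post was written; Microsoft has since retired it in favour of the Microsoft Graph PowerShell SDK, where the equivalent query is Get-MgUser -UserId $Upn -Property Mail,UserPrincipalName,ProxyAddresses (this substitution is an assumption on my part, not something the post covers).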

Go back to Citrix Cloud (https://citrix.cloud.com/identity/administrators) and try again to add a user from Azure AD.

identity And Access Management - Delegation

Click on Invite.

Delegation - confirmation

The new account will show up in the list.

Account added in Citrix Cloud administrators

The user will get an email and has to validate the registration by clicking on the link in the email.

Invitation to manage Citrix Cloud

Select Accept Invitation.

You can now sign-in to Citrix Cloud with Azure AD credentials

You are now allowed to logon in Citrix Cloud with Azure AD credentials.

Note: if the user has not accepted the invitation, they will get the following error message when trying to sign in.

Not allowed to logon in Citrix Cloud with Azure AD credentials

To access Citrix Cloud with corporate credentials, you must use a different logon page from the standard one.

Go to Identity and Access Management to find the URL.

For this lab, the address is https://citrix.cloud.com/go/citrixguru.

You will be prompted to logon via Microsoft.

Logon via Azure AD

Enter your password.

Enter Azure AD credentials

Allow Citrix Cloud to connect to Microsoft Azure.

Accept permissions

You will be automatically redirected to the Citrix Cloud dashboard.

Citrix Cloud dashboard

A quick look in the Account Settings to confirm that we are now logged on with an account from Azure AD.

Account Settings - Citrix Cloud

It is possible to assign custom permissions to administrators in Citrix Cloud, but at the time of writing the available granularity is very limited.

Custom permissions in Citrix Cloud

That’s all for Identity And Access Management in Citrix Cloud. I hope you enjoyed this article. Stay tuned.
