Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD

Configure Identity and Access Management(IAM) in Citrix Cloud with Microsoft Azure AD.

In this article, we will review what is Citrix Cloud Identity And Access Management and how to configure it with Microsoft Azure AD in order for your users and administrators to logon to Citrix Cloud with your corporate credentials managed via Azure AD.

More from the Lab!

 

What is Identity and Access Management in Citrix Cloud?

The foundation of Citrix Workspace is to unify the user experience by offering one place to access applications and data from different providers. These providers often use different authentication mechanisms with different identities. That’s where Identity and Access Management shows its value. The goal of Identity as a Service is to centralize and provide a single point of access control, flexible authentication with integrated Smart Access and with the support of any cloud deployments.

There is a great video from Citrix Synergy 2017 that explains How to Manage Identities and Access with Citrix Cloud.

Citrix Cloud supports 2 identity providers (Azure AD credentials and My Citrix credentials).

Architecture

Getting started

For this part of the lab, you will need to following:

• Citrix Cloud account
• Microsoft Azure AD configured. Your Active Directory can be located either in the Cloud or on-premises. In this example, Active Directory is located on-premises and Azure AD is installed in the Cloud and communicating to our local AD with Azure AD Connect installed on our local DC. You can take a look at this post (Lab: Part 27 – Getting started with Microsoft Azure) to learn how to configure Azure AD with AD Connect.
• Account with permissions in Microsoft Azure
• Citrix Cloud Connectors installed and connected to Citrix Cloud (See this post Lab: Part 28 – Getting started with Citrix Cloud)

You will learn:

• How to delegate your Citrix Cloud account to Microsoft AD identities
• How to configure a custom sign-on administration URL
• How to troubleshoot delegation issues
• How to query Azure AD in PowerShell

Configure Identity And Access Management

In the Citrix Cloud web console, open the left menu and go to Identity and Access Management.

Select Connect under Azure Active Directory.

Citrix Cloud will ask for an URL to authenticate using Azure Active Directory. You can change that later.

Note: you cannot logon on https://citrix.cloud.com with federated identities. You must use the custom sign-in URL provided by Citrix Cloud above.

You will be prompted for Microsoft Azure credentials.

And to allow Citrix to connect to Microsoft Azure.

Once authenticated, Azure AD will appear as Connected in Citrix Cloud.

See below more details about the new configuration.

In the Domains tab you can check that the communication is working for the domain citrixguru.com.

Note: check your Citrix Cloud connectors virtual machines if you have issues here. If you need help setting up Cloud Connectors, take a look at this article Lab: Part 28 – Getting started with Citrix Cloud.

Let’s now try to delegate permissions to users in Citrix Cloud.

Go to Identity and Access Management and Select Administrators. Select Azure AD: default Directory in the drop-down list. Type the name of the user you want to allow in Citrix Cloud. You may face the same issue as below (name grayed out).

This issue means that the account does not have an email address associated in Azure AD.

Note: It is not possible to see all attributes in Azure AD. To have more details, you need to do it in PowerShell.

See below how I did.

Here is the output of all attributes.

Here are the attributes I am looking for.

We have now confirmed that in AD Azure, this account does not have an email.

Let’s update it.

In my case this account is an account that was created in my Active Directory on-premises. Go to Active Directory on-premises, and pull up the account.

You can see above that the account has no email address associated with it.

Note: Citrix does not read the UPN attribute.

Add an email for the user and click OK.

Then force an AD Connect synchronization with Azure AD.

PowerShell should output the following:

You will have to wait few minutes for the replication to complete.

You can query Azure AD again in PowerShell to confirm that the account has been updated.

Go back to Citrix Cloud (https://citrix.cloud.com/identity/administrators) and try again to add a user from Azure AD.

Click on Invite.

The new account will show up in the list.

The user will get an email and has to validate the registration by clicking on the link in the email.

Select Accept Invitation.

You are now allowed to logon in Citrix Cloud with Azure AD credentials.

Note: if you don’t follow this step, you will get the following error message.

To access Citrix Cloud with corporate credentials, you must use a different logon page.

Go to Identity And Access Management to find the url.

For this lab, the address is https://citrix.cloud.com/go/citrixguru.

You will be prompted to logon via Microsoft.

Enter your password.

Allow Citrix Cloud to connect to Microsoft Azure.

You will be automatically redirected to Citrix Cloud dashboard.

A quick look in the Account Settings to confirm that we are now logged on with an account from Azure AD.

It possible to manage custom permissions for users in Citrix Cloud. At this time it is very limited.

That’s all for Identity And Access Management in Citrix Cloud. I hope you enjoyed this article. Stay tuned.

More from the Lab!