This article describes how to resolve challenges with Single Sign-On (SSO) on Citrix after FAS (Federated Authentication Service) login, especially regarding access to Office 365, Teams, and other services via Microsoft Edge.
The Problem
When users log in to Citrix in the usual way, they provide a username and password. This gives the VDA or VDI the necessary information to retrieve an Entra ID Primary Refresh Token (PRT). This token is crucial for SSO to work against Entra ID.
When logging in with FAS, the VDA is only presented with a certificate. It then lacks the necessary information to retrieve an Entra ID PRT, which prevents SSO for Office, Teams, and other Entra ID integrated services via Edge.
The Solution: Certificate-Based Authentication in Entra ID
To solve this problem, we need to enable certificate-based authentication in Entra ID. This involves the following steps:
Upload root certificates: The root certificates of the CA that issues the “Citrix_SmartcardLogon” certificate must be uploaded to Entra ID.
Create a group: Create a group in Entra ID that will have permission to use certificate-based authentication.
Enable certificate-based authentication: Enable certificate-based authentication in Entra ID. Here, we need to make some choices:
- CRL validation: Choose whether to enable CRL (Certificate Revocation List) validation. If the CRL cannot be published at an externally reachable location, it is recommended to reduce the lifetime of the “Citrix_SmartcardLogon” certificate from one week to one day.
- MFA approval: Choose whether certificate-based authentication should be accepted as a valid method for multi-factor authentication (MFA).
- Username binding: Ensure that the username binding is correct. Usually, “Certificate Field: PrincipalName -> User Attribute: userPrincipalName” is the correct choice.
Conclusion
By enabling certificate-based authentication in Entra ID and following the necessary steps, you can solve the problem with SSO on Citrix after FAS login. This will provide users with seamless access to Office 365, Teams, and other Entra ID integrated services via Edge, and it will improve the overall user experience.
Security
To ensure that another certificate issued by the same CA cannot be used to acquire an Entra ID MFA session, we must create an Authentication binding rule that names the issuing CA together with a Policy ID (policy OID) we have added to the certificate template in use. In this rule, we set the Authentication strength to MFA and the Affinity binding to Low.
If we then set the Default Authentication binding to Single factor Auth and its Affinity binding to High, the Default Authentication binding can never be met, because the PrincipalName to userPrincipalName username binding is only a low-affinity binding, so a certificate that merely chains to the CA will not be accepted for authentication.
Thus, only the certificate issued by FAS will be valid for use in CBA, and a valid Entra ID MFA session is obtained only from that certificate.
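As an added illustration that is not part of the original article, the following Python model reproduces the decision the two binding rules above produce for a presented certificate. The CA name, policy OID and user are constructed placeholders, and the model assumes Entra ID's documented behaviour that a username binding of lower affinity than the required affinity fails authentication.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    issuer: str             # issuer subject the rule is pinned to
    policy_oid: str         # policy OID set on the FAS certificate template
    strength: str           # "mfa" or "single_factor"
    required_affinity: str  # "low" or "high"


@dataclass(frozen=True)
class Cert:
    issuer: str
    policy_oids: frozenset
    principal_name: str


# Constructed policy mirroring the article: one rule for FAS-issued certificates
# (MFA, low affinity) and a default of single factor with high affinity.
FAS_ISSUER = "CN=Contoso Issuing CA"         # placeholder CA name
FAS_POLICY_OID = "1.3.6.1.4.1.311.21.8.999"  # placeholder policy OID
TRUSTED_ISSUERS = frozenset({FAS_ISSUER})    # roots uploaded to Entra ID
RULES = [Rule(FAS_ISSUER, FAS_POLICY_OID, "mfa", "low")]
DEFAULT_STRENGTH, DEFAULT_REQUIRED_AFFINITY = "single_factor", "high"
# PrincipalName -> userPrincipalName is a low-affinity username binding.
USERNAME_BINDING_AFFINITY = "low"


def evaluate(cert: Cert, default_required_affinity: str = DEFAULT_REQUIRED_AFFINITY) -> str:
    """Return 'mfa', 'single_factor' or 'rejected' for a presented certificate."""
    if cert.issuer not in TRUSTED_ISSUERS:
        return "rejected"  # chain does not end in an uploaded root certificate
    strength, required = DEFAULT_STRENGTH, default_required_affinity
    for rule in RULES:  # first rule matching issuer and policy OID wins
        if rule.issuer == cert.issuer and rule.policy_oid in cert.policy_oids:
            strength, required = rule.strength, rule.required_affinity
            break
    # A low-affinity username binding can never satisfy a high required affinity.
    if required == "high" and USERNAME_BINDING_AFFINITY == "low":
        return "rejected"
    return strength


# Constructed sample certificates for one user.
FAS_CERT = Cert(FAS_ISSUER, frozenset({FAS_POLICY_OID}), "alice@contoso.example")
SAME_CA_OTHER_TEMPLATE = Cert(FAS_ISSUER, frozenset({"1.3.6.1.4.1.311.21.8.1"}), "alice@contoso.example")
OTHER_CA_CERT = Cert("CN=Untrusted CA", frozenset({FAS_POLICY_OID}), "alice@contoso.example")

if __name__ == "__main__":
    for name, cert in [("FAS", FAS_CERT), ("same CA, other template", SAME_CA_OTHER_TEMPLATE), ("other CA", OTHER_CA_CERT)]:
        print(f"{name}: {evaluate(cert)}")
```

Passing `"low"` as the default required affinity shows the weaker configuration: a certificate from the same CA but another template would then be accepted as single-factor instead of being rejected.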

To ensure that FAS is the only service that can issue a certificate usable for CBA, we do two things:
- Set rights on the certificate template so that only FAS has the “Enroll” right.

Because this certificate gives the user an Entra ID MFA session, it is also very important to ensure that the user cannot log in to Citrix via a FAS-enabled StoreFront store by any method other than SAML, or NetScaler with SAML integration.
In this example, I only allow Pass-through from Citrix Gateway, since that path only grants access after MFA and SAML authentication against an Enterprise App that requires MFA; this way the store can also be used by users who are inside the network.