Citrix DaaS – Entra ID SSO with PRT and without FAS


Overview

This guide provides information for configuring Entra ID Single Sign-on (AAD SSO) for Citrix DaaS without the use of FAS while also obtaining a Primary Refresh Token (PRT), so there are no SSO problems with M365 Apps inside your HDX session. The architecture is based on modern auth (OAuth) without any legacy method. The VDA’s machine identity has to be Entra joined or Entra hybrid joined.

This feature is currently in private tech preview.

Requirements

The following are the system requirements for using Entra ID SSO:

Currently under NDA.

Configuration

The configuration part – I’m very sorry! – at the moment is strictly under NDA. I will update this post with all details (Config for DaaS and Citrix Workspace App) as soon as I’m allowed to.

I just want to make sure that there is something in the pipe! So if you’re planning to switch your IdP in DaaS to Entra ID and you’re considering some FAS / SSO problems – maybe lean back and wait a few minutes more 😉

Here’s a quick sneak peek at the look & feel, and confirmation that it also works fine with Windows Server 2022.

This is a brand-new user who has never started a resource before, adding the account in Workspace App for the first time:

Look & Feel first time User Entra ID SSO

Some Screenshots:

Workspace App Windows Entra ID SSO

Published Desktop Windows Server 2022 with PRT

Summary

Finally, we can put FAS to sleep and make use of all kinds of modern auth from Microsoft Entra ID’s spectrum.

Thanks to Miguel Contreras and Team for the great work!

7 comments

  1. I need this for one of our customers ASAP, how can I participate in the private technical preview? It’s an enterprise customer with a large number of users and many countries involved.

  2. Does anyone have an update on ETA? I logged a call with Citrix and spoke to a member of the Team at ‘Citrix R&D India Pvt. Ltd’ – They said that they were unaware of this feature being on the way… they also asked their senior colleagues there, who were unaware.

    ‘However, there is no ETA for this feature at the moment.
    Microsoft has plans to introduce support for certificate-based authentication when performing requests for AzureADPRT, for Hybrid joined computers.
    Once this becomes available, then our existing integration methods will automatically become compatible and start to work.’

    Does anyone have further confirmation?
