Overview
During a recent migration from SAML 2.0 (ADFS to OnPrem AD) to Entra ID (OIDC) as IdP on DaaS Cloud Workspace, I came across an interesting issue regarding group filters for limiting the visibility of published Apps.
Issue
During the migration, the goal was to switch from recent OnPrem Active Directory group filters for both published Desktops and Apps to Entra ID synced groups.
For published Desktops, everything worked well.
Published Apps never started. The app enumeration on Cloud Workspace worked fine, all apps were there, and the ICA file was downloaded and started, but after “Welcome” – where normally SSO and profile loading continue – the process stopped with a logon timeout in Director.
I’m pretty sure in the past you weren’t able to configure Entra ID as a group source on published Apps. My workaround was to use Application Groups: a PubApp has no filter and is bound to an application group where the Entra ID group filter is configured. This is working fine – now it’s there with the notice to use VDA 2411 as a minimum:

I found this statement on Citrix Docs with a minimum requirement of VDA 2503 for AAD users / groups:

Citrix support also recommended using 2503 or higher.
After I updated the VDA at the customer, all published apps started successfully.
Summary
If you want to use Entra ID groups as a filter on published Apps, remember to use VDA version 2503 or later.
I still don’t understand why app enumeration works fine and only the start of the app fails – and why there’s no required VDA version when doing the same on the application group layer instead of on the PubApp directly.