Citrix Workspace App Azure Active Directory Seamless Single Sign-on with Domain/Hybrid joint clients

On this document we are going to explain how to implement Citrix Workspace app silent Single Sign on using Azure Active directory as an identity provider with Domain joint and Hybrid joint endpoints/VMs.

In addition, as we are configuring AAD passthrough you will not require to deploy a FAS server to provide SSO to Virtual Apps and Desktops.

We can split the use case in 2:

  1. SSO/Domain passthrough   for  AD joined machine  and AAD configured as IDP in Workspace.  Covered in this article.
  2. SSO/Domain passthrough   for  AAD joined/connected  machine  and AAD configured as IDP in Workspace.   We are working on this feature and it is on the roadmap.

Please see this video of the end user experience:


  1. Connect Azure Active Directory to Citrix Cloud

Step by step video:

Step by step video:

There are 4 parts that we need to configure to achieve this result:

  • CWA Client with the appropriate configuration set (includeSSO)
  • The correct Group policies to enable user authentication and trusted domains

CWA Client:

  1. Installation of Citrix Workspace (version 2012 onwards)

Install Workspace App from administrative command line with option “includeSSO”:

CitrixWorkspaceApp.exe /includeSSO



Change Citrix Workspace GPO to allow “local username and password”

Computer configuration>Administrative templates>Citrix Components>Citrix Workspace>User Authentication

Add trusted sites in Internet options:

You can also set via GPO’s

  1. Disable prompt=login attribute in Citrix cloud (

To align with Industry-standard security practices and ensure that a user is properly and securely authenticated when accessing Citrix Workspace, the Engineering team has added the “prompt=login” parameter to every authentication request to the IdP of record

You need to contact Citrix technical support to disable prompt=login attribute in your tenant to make this configuration work

  • Configure Azure AD connect:

Activate Pass-through authentication

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.