Can someone give me a reality check. Citrix cloud ...
# citrix-cloud
s
Can someone give me a reality check? Citrix Cloud with SAML/FAS should allow single sign on and users should not be prompted with passwords, correct?
b
You would need FAS to not be prompted
s
And if we had FAS enabled it should not be prompted, correct?
b
Correct, assuming the PKI works properly
s
I can't believe Citrix support. They keep telling me I have to use AD for single sign on, even when I submit articles to them.
b
?
r
Are your VMs domain joined or Azure AD Joined?
s
Domain joined, synced with Azure via AD Connect
The bigger issue is the insistence of Citrix saying that if you use SAML\FAS single sign on is not supported. Everything I read says it should be supported and they keep telling me no
r
Can you share the support case?
s
We are using SAML for the authentication part, FAS is involved for SSO. This is fully supported by Citrix.
s
Well, FAS does SSO when launching the VDA. I'm talking about just logging into your Citrix Cloud web page
I don't think FAS plays a part with that. That is your SAML provider and client
b
That definitely is different
s
Yeah, and that's where I and Citrix are at odds. I am under the impression with Azure being my SAML provider, using the Citrix supplied enterprise SAML application in the Microsoft enterprise app area, and all the correct settings on the client, I should be able to go to cloud.domain.com and not be prompted for a password on domain joined machines\synced with AD Connect to Azure. (Or open the Workspace app and not be prompted for a password.) Just like I can when browsing to say outlook.com
r
That would have nothing to do with FAS. FAS is SSO into VDAs using the same credentials you logged into Workspace with. SSO into Workspace itself has more to do with how you set up your IdP and Workspace integration. If Workspace sends you to the IdP and you already have the appropriate attributes in your browser you should get passed through as long as the IdP allows it.
s
@Rody Kossen Thanks, already turned that on.
r
Having that set to on (recommended) means prompted for credentials. This parameter forces the user to be prompted for authentication whenever there is not a valid Citrix Workspace session.
s
@Rob Zylowski I agree FAS has nothing to do with what I'm asking about. However, as noted in the above two articles, what I'm asking is supported with Citrix. Those two articles actually prove that it should work but in an indirect way.
r
I think it will work. I don't think we support it, meaning if it's not working that you could open a ticket.
s
@Rob Zylowski Citrix is supporting it by having that box in the two articles above to be on or off.
r
Thanks for that, I hadn't seen that setting before. But the second part about outlook.com or any M365 app is more complicated. The problem there is that your auth token won't be passed through to the VDA unless you do the proper configurations with Entra ID CBA to make that happen and use hybrid joined VDAs. There have been many blogs and discussions here on that one.