Citrix Workspace app for Mac supports SAML authentication. When you add a storefront that is set up with SAML authentication, the Citrix Workspace app can navigate to your identity provider’s authentication page and log you in using the identity provider.

SAML (Security Assertion Markup Language) is a standard for cross-context user login. It supports securely logging in the user to various web applications and other services without requiring the user to enter their password multiple times for different services. In simple terms, the identity of the users in an organization can, for example, be tied to their Active Directory domain. While the user is logged into the domain, the organization already has the identity of the user. The SAML authentication process uses this identity to log the user in to other services.

How does SAML work?

Let’s say a user is registered with a system (the identity provider) and wants to access a remote service (the service provider).

  1. The user accesses the remote service through an intranet link.
  2. The remote service loads, identifies the origin of the user by means of the domain, subdomain, IP address, etc., and redirects the user to the identity provider’s authentication page.
  3. If the user has already logged into the identity provider, they have an active browser session with the identity provider. If not, they are asked to enter their credentials to log into the identity provider.
  4. The identity provider creates an authentication response containing the user’s identity and posts it to the service provider.
  5. The service provider recognizes the identity provider and can establish a user’s identity by validating the authentication response from the identity provider.
  6. Upon successful validation, the user is provided access to the remote service.
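
The checks a service provider makes in step 5 can be sketched as follows. This is an added example, not Citrix or Storefront code; the URLs, request ID and user name are constructed placeholders, and it assumes the XML signature has already been verified against the identity provider's certificate by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response; every host name and ID is a placeholder.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
  InResponseTo="_req1" Destination="https://sp.example/acs">
 <p:Status><p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></p:Status>
 <a:Assertion>
  <a:Issuer>https://idp.example</a:Issuer>
  <a:Subject><a:NameID>alice@example.com</a:NameID></a:Subject>
  <a:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
   <a:AudienceRestriction><a:Audience>https://sp.example</a:Audience></a:AudienceRestriction>
  </a:Conditions>
 </a:Assertion>
</p:Response>"""

def _ts(value):  # strict policy assumed here: a missing timestamp is rejected
    if value is None:
        raise ValueError("missing timestamp")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, *, idp, audience, acs_url, request_id, now):
    """Return the NameID if every check passes, otherwise raise ValueError."""
    # Assumption: signature verification happened before this function is called.
    root = ET.fromstring(xml_text)
    def need(ok, why):
        if not ok:
            raise ValueError(why)
    status = root.find("p:Status/p:StatusCode", NS)
    need(status is not None and status.get("Value") == SUCCESS, "status not Success")
    need(root.get("Destination") == acs_url, "response sent to another endpoint")
    need(root.get("InResponseTo") == request_id, "does not answer our request")
    assertions = root.findall("a:Assertion", NS)
    need(len(assertions) == 1, "expected exactly one assertion")
    assertion = assertions[0]
    need(assertion.findtext("a:Issuer", None, NS) == idp, "unknown issuer")
    cond = assertion.find("a:Conditions", NS)
    need(cond is not None, "missing Conditions")
    need(_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")), "outside validity window")
    audiences = [e.text for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]
    need(audience in audiences, "assertion issued for another service")
    name_id = assertion.findtext("a:Subject/a:NameID", None, NS)
    need(name_id, "missing NameID")
    return name_id
```

Each check ties the response to one trusted identity provider, one service provider, one login request and a short time window, so a response that is old or was issued for a different service is rejected.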

How does SAML authentication work in Workspace app for Mac?

When you log into the store that is set up with SAML authentication, Citrix Workspace app pops up a web view and loads the authentication page of the identity provider.

You can log in to the identity server by providing your credentials in the web view. Once you are logged in to the identity server, you are automatically logged in to the storefront. The pop-up goes away and you are successfully logged in.

Supported Storefront versions

Storefront versions 3.9 and above are supported.

More Information

Further information can be found here.