The Citrix Session
Welcome to 'The Citrix Session,' where we bring you the latest in Citrix technologies and solutions. Hosted by XenTegra, this podcast dives deep into the world of Citrix digital workspace solutions, exploring everything from virtual apps and desktops to networking and security. Join us each episode as we discuss best practices, new features, and expert strategies to optimize your Citrix environment and enhance your user experience. Whether you're an IT professional seeking to expand your Citrix knowledge or a business leader looking to improve operational efficiency, 'The Citrix Session' is your essential resource for staying ahead in the ever-evolving tech landscape. Tune in to transform the way you work with the power of Citrix and XenTegra.
Inside Entra ID SSO with XenTegra
Podcast Description
In Episode 189 of The Citrix Session, host Bill Sutton, Director of Modern Workspace at XenTegra, is joined by Solutions Architects Stuart Donaldson and Randy Price for a deep dive into one of the most significant updates in modern Citrix authentication.
This episode unpacks Microsoft Entra ID Single Sign-On inside Citrix sessions and what it means for end users, admins, and the future of passwordless access. The team breaks down why FAS has become a layer of technical debt, how Entra ID SSO removes friction for users, and what prerequisites and limitations customers need to know before adopting it.
Listeners will learn:
• How Entra ID SSO eliminates duplicate authentication inside Citrix sessions
• Why Primary Refresh Token support is a major win for M365 user experience
• What environments are supported and where FAS is still required
• Operational considerations like Windows 11 requirements, VDA versions, and the impact on Auto Client Reconnect
• Known issues, performance implications, and what to expect in future iterations
If you support Citrix DaaS, modern authentication, or hybrid identity environments, this episode gives you a practical, expert-level overview of what Entra ID SSO unlocks and why it matters.
Technical Details can be found at: https://docs.citrix.com/en-us/citrix-daas/install-configure/session-authentication/entra-sso.html
WEBVTT
1
00:00:02.690 --> 00:00:17.370
Bill Sutton: Hello, everyone, and welcome to Episode 189 of the Citrix Session. I'm your host, Bill Sutton, the Director of Modern Workspace at XenTegra. I have a couple of other folks from XenTegra with me today. They are Solution Architects on the Modern Workspace team.
2
00:00:17.440 --> 00:00:29.930
Bill Sutton: I'll answer them in the order I see… that I see their picture, so I'll start with Stuart Donaldson. Stuart is on our team as a solutions architect. You want to just… just quickly introduce yourself, say hello, Stuart, so they know your voice?
3
00:00:31.020 --> 00:00:34.610
Stuart Donnelson: Oh, am I muted? No, I'm not muted. It would have made sense to be that one.
4
00:00:35.040 --> 00:00:41.309
Stuart Donnelson: Yeah, Stu Donaldson, I'm on the Enterprise Workspace team, and happy to be here today.
5
00:00:42.060 --> 00:00:50.420
Bill Sutton: Great, Stu, thanks. And also, we have with us Randy Price, who's a long-time SA with XenTegra. Randy, you want to say hello?
6
00:00:50.610 --> 00:00:52.509
Randy.Price: Yeah, hey guys, it's great to be here.
7
00:00:53.180 --> 00:01:10.450
Bill Sutton: Yep, great to have you. It's been a while, guys. Like, 3 or 4 weeks, I think, we've been kind of off the grid because of, various… one or more of us being unavailable. This might be the last one this year, I don't know, we might do one next week, I don't know, but then,
8
00:01:10.570 --> 00:01:23.620
Bill Sutton: once we get into Christmas week and New Year's week, I'm sure we won't do anything. Those weeks will… those will be canceled, because nobody will be here. So, happy to be back today. Today, we're gonna cover, a blog… a Citrix blog article.
9
00:01:23.860 --> 00:01:35.569
Bill Sutton: And I think I have shared, yes. It is entitled, One Identity, Every App Now Inside Citrix Sessions. That's One Identity, Every App Now Inside Citrix Sessions.
10
00:01:35.730 --> 00:01:50.030
Bill Sutton: It's written by Shawn Bass, who, who is a senior exec at Citrix over the desktop group, I believe. His title has changed recently, but, he's a really long-time EUC, EUC
11
00:01:50.220 --> 00:01:56.350
Bill Sutton: person. And is now… has been at Citrix for a couple of years now, I believe.
12
00:01:56.800 --> 00:02:03.909
Bill Sutton: So, overall, this article is really dealing with password simplicity,
13
00:02:04.160 --> 00:02:17.180
Bill Sutton: you know, the… over the years, various industry folks have talked about, we need to get the passwordless, we need to get the passwordless. There really hasn't been much progress made in that regard for a number of reasons, and not the least of which is
14
00:02:17.270 --> 00:02:33.039
Bill Sutton: the dependence on traditional on-premises Active Directory, which of course was, I guess, what, Randy, that goes back to the NT days, probably, is where it first came out, or maybe it was Windows 2000 Server. I'm not sure which… which was first with Active Directory. It might have been Windows 2000 Server.
15
00:02:33.040 --> 00:02:34.390
Randy.Price: We'll go to 2000, yeah.
16
00:02:34.390 --> 00:02:42.440
Bill Sutton: Yeah, nevertheless, the Active Directory environment, and that goes back, I mean, if you figure Windows 2000 was released in the year 2000,
17
00:02:42.590 --> 00:03:01.530
Bill Sutton: That's 25 years' worth of legacy development that we're still living with. And so, of course, it's always been a very solid authentication platform, but as we've moved, as the industry has moved to more modern authentication with things like Microsoft Entra ID and other third-party, third-party IDP, or,
18
00:03:01.780 --> 00:03:13.870
Bill Sutton: IDP providers, like, for example, Okta is another example of an IDP. It's complicated things a little bit, it's made life easier for users in some ways, but where we're dealing with
19
00:03:13.920 --> 00:03:25.680
Bill Sutton: part of the environment is running on AD, and part of the environment is running with Microsoft Entra ID, things get a little… a little messy, to be kind, and to enable that kind of seamless access.
20
00:03:25.800 --> 00:03:32.750
Bill Sutton: from your endpoint all the way into a Citrix Virtual Apps, Citrix Virtual App or Citrix Virtual Desktop.
21
00:03:32.810 --> 00:03:37.990
Bill Sutton: And that's really where the… where this… where the modern authentication platforms broke down.
22
00:03:38.030 --> 00:03:49.689
Bill Sutton: So, one of the… one of the ways of handling or addressing that, where you're dealing with on-premises Active Directory and SAML federated authentication, or Microsoft Entra ID, or Okta for that matter.
23
00:03:49.720 --> 00:03:59.470
Bill Sutton: You've had to stand up FAS. You want to talk a little bit about federated authentication services, Randy, and what that does, and what it brings to bear for the end user and the administrator?
24
00:03:59.670 --> 00:04:10.379
Randy.Price: Sure, sure. So, you know, to your point, right, if I'm using some external IDP and attempting to log into my Citrix VDA, right, through that session,
25
00:04:10.510 --> 00:04:26.089
Randy.Price: Traditionally, you know, on-prem employments, like you mentioned before, they don't know how to interpret those, you know, SAML authentication, right? So, FAS is there to present a certificate, user-based certificate, user login. That is a separate service that you have to deploy.
26
00:04:26.090 --> 00:04:37.409
Randy.Price: Within the environment. It does require certificate services, right? And essentially, at login time, what happens is it'll generate a user certificate and present that user certificate so you can have that seamless sign-in.
27
00:04:37.410 --> 00:04:45.990
Randy.Price: Versus, the user being prompted again, right? Because again, those, those workloads not being able to interpret, you know, SAML-based authentication, so…
28
00:04:46.010 --> 00:04:49.099
Randy.Price: Yeah, that's… At a high level, but yeah.
29
00:04:49.380 --> 00:05:04.020
Bill Sutton: Yeah, I mean, and that… of course, that involves the deployment of two FAS… at least two FAS servers for high availability, if you're talking a small environment, as well as a Microsoft… well, I don't think it's limited to Microsoft anymore, but early… in the early FAS days.
30
00:05:04.030 --> 00:05:15.519
Bill Sutton: It was Microsoft Certificate Services or Microsoft PKI infrastructure. You had to have CA root servers and intermediate servers. I guess you didn't have to have intermediate, maybe you did.
31
00:05:15.600 --> 00:05:24.009
Bill Sutton: That would… that FAS would reach out to and request the short-lived certificates for, and then use that to authenticate the user like a smart card, right?
32
00:05:24.180 --> 00:05:30.870
Randy.Price: Right, and you would typically deploy those, right, if you're using Citrix DaaS, you would need FAS servers for each resource location.
33
00:05:30.870 --> 00:05:32.959
Bill Sutton: Yes, yes, good point.
34
00:05:33.160 --> 00:05:34.349
Bill Sutton: Very good point.
35
00:05:34.530 --> 00:05:53.099
Stuart Donnelson: To your point there, I mean, FAS introduced a workaround to the problem, but it also adds to the idea of technical debt. I mean, we're just accruing it over and over and over again, whether it's the requirements and complexity, it's the fact that FAS is now a very
36
00:05:53.210 --> 00:05:54.050
Stuart Donnelson: Great.
37
00:05:54.530 --> 00:06:14.470
Stuart Donnelson: serious target for… for possible, exploitation, and then, you know, sometimes it just didn't… it didn't generate the certificate that it was supposed to. It just didn't work. So, in my experience, it's been very, reliable, but, you know, there is… there is a measure of technical debt that we're accruing every time we add something like this in.
38
00:06:15.280 --> 00:06:28.399
Bill Sutton: Yep, and part of that technical debt is driven, like I said, by the need for Kerberos when you're dealing with Active Directory, and the fact that most of these modern authentication platforms don't leverage that.
39
00:06:28.520 --> 00:06:30.000
Bill Sutton: To my knowledge.
40
00:06:30.100 --> 00:06:35.580
Bill Sutton: So Citrix, in conjunction with Microsoft, decided it was time to close the gap.
41
00:06:35.620 --> 00:06:47.930
Bill Sutton: between modern authentication and, and the concept of FAS and other elements to provide workarounds. So they worked together to create Microsoft Entra ID SSO,
42
00:06:47.930 --> 00:07:03.289
Bill Sutton: So Microsoft Entra ID SSO into the Citrix session. So, what this means to administrators and end users is, first of all, your VDAs, your workloads, have to be Entra ID or Entra hybrid ID joined.
43
00:07:03.390 --> 00:07:08.380
Bill Sutton: They also have to be Windows 11 workloads. No server workloads at this point.
44
00:07:08.420 --> 00:07:24.670
Bill Sutton: If you want server workloads, you're still going to have to leverage something like FAS to enable SSO. And then you've got to configure your Entra… your Active Director… or your, I'm sorry, your Entra ID, environment such that it knows to talk to the…
45
00:07:25.160 --> 00:07:38.069
Bill Sutton: through the Citrix provider in order to get the types of authentication that are needed to enable access to the VDAs, or the workloads. So, the idea here is the user logs in from a laptop using Entra ID,
46
00:07:38.070 --> 00:07:46.850
Bill Sutton: just like they do every day. I do it every day. They authenticate, and they log in, and then they launch a published app, or they launch their desktop, their published
47
00:07:46.850 --> 00:07:49.169
Bill Sutton: virtual desktop, through…
48
00:07:49.170 --> 00:08:08.390
Bill Sutton: a, through the Workspace app. Today, the Workspace app is the primary… it's the recommended method of accessing for this. There is a way you can get there via the web, but you have to have a plugin. The Microsoft SSO plugin has to be installed in the browser in order for this to work all the way through. So, again, I'll back up.
49
00:08:08.490 --> 00:08:18.640
Bill Sutton: They need to be Entra ID joined, needs to be Windows 11, and I'm talking about the virtual desktops or the virtual apps. Obviously, the workstation needs to be Entra ID joined or hybrid joined.
50
00:08:18.640 --> 00:08:30.500
Bill Sutton: So the point is, you log in with your Entra ID credential to the laptop. When you launch your Citrix session, it passes that credential all the way through to the end of the Citrix session, and you're logged in seamlessly.
51
00:08:30.500 --> 00:08:37.629
Bill Sutton: without having to be prompt… without being prompt for any additional authentication or any… any additional, IDs, no more…
52
00:08:37.630 --> 00:08:55.740
Bill Sutton: no second MFA, you're… all of that is preserved through the connection to the Citrix environment. There is no FAS in this architecture, as long as you follow the prerequisites and everything. But one key thing about this that it does preserve, that FAS… you might say to yourself, well.
53
00:08:56.010 --> 00:09:04.230
Bill Sutton: FAS could do this. So, what does this bring me that FAS doesn't? And what it brings you is something called the Primary Refresh Token, or the PRT.
54
00:09:04.280 --> 00:09:20.719
Bill Sutton: Which is a… was a relatively new part of the Entra ID framework, and essentially what that allows you to do is take that authentication token, and I'm probably technically talking… saying this wrong, so I'll apologize. If somebody wants to call me out, that's fine, but essentially the PRT
55
00:09:20.800 --> 00:09:33.810
Bill Sutton: details get passed into the virtual desktop session, where they can be used for authentication to things like Microsoft 365 apps, OneDrive, all of that stuff that, that
56
00:09:34.110 --> 00:09:40.380
Bill Sutton: you would otherwise likely be required to authenticate to directly. Am I saying that right, Randy and Stu?
57
00:09:41.000 --> 00:09:41.550
Randy.Price: Yes, yeah.
58
00:09:41.550 --> 00:09:42.470
Bill Sutton: more or less.
59
00:09:42.800 --> 00:09:43.120
Stuart Donnelson: Yep.
60
00:09:43.120 --> 00:09:44.490
Randy.Price: Yeah, more or less, that's correct, yep.
61
00:09:45.100 --> 00:09:50.870
Bill Sutton: Yeah. So, that's what this really boils down to, is, you don't have to…
62
00:09:51.080 --> 00:10:00.899
Bill Sutton: you know, replicate policies or manage different identity layers. The user authenticates once, and their security posture stays with them. No more double MFA, things of that nature.
63
00:10:01.180 --> 00:10:05.780
Bill Sutton: And you get one sign-in, one sign-on, and end-to-end.
64
00:10:05.880 --> 00:10:14.120
Bill Sutton: They're not adding anything, there is no… there is no, federation, or no, FAS, Federated Authentication Services.
65
00:10:14.210 --> 00:10:26.979
Bill Sutton: So why this really matters is, again, you get one identity source across your local machine, the cloud, your virtual desktop. It eliminates the need for duplicate identity providers.
66
00:10:26.980 --> 00:10:36.009
Bill Sutton: or plugins, SSO-type plugins. It preserves the authentication information to enable the passing of the data that's needed for the PRT.
67
00:10:37.310 --> 00:10:51.089
Bill Sutton: You get full conditional access capabilities, both at the endpoint and inside the Citrix session, and it's… it's a move to get us to passwordless. I read a couple of articles relative to this,
68
00:10:51.270 --> 00:10:52.950
Bill Sutton: That indicated that
69
00:10:53.000 --> 00:11:06.679
Bill Sutton: there… that some passwordless authentication may work for this, either now or in the future, like Hello for Business. I think there's still some development to be done there, as well as FIDO… FIDO… what is it, FIDO2 authentication.
70
00:11:06.680 --> 00:11:18.140
Bill Sutton: Using something like a YubiKey, those things are coming. Today, if you enter a username and password via Entra, and then you're prompted for your MFA, you're gonna get in all the way through.
71
00:11:20.160 --> 00:11:31.249
Bill Sutton: So, we're 18 minutes in, guys, and that's really the blog article, but I wanted to get your thoughts. Anything you might want to add to what we've talked about? Anything I missed, or left out, or was wrong about?
72
00:11:32.570 --> 00:11:34.189
Randy.Price: Yeah, go ahead, Stu, I'll let you go first.
73
00:11:35.790 --> 00:11:55.329
Stuart Donnelson: This is another one of those "is the juice worth the squeeze" kind of questions right now, because there is an operational cost for… for moving in this direction, right? We still, you know, if we get seamless SSO, we get those zero-trust security, kind of, methodologies, we get the architectural simplification without needing FAS and whatnot.
74
00:11:55.330 --> 00:11:56.320
Bill Sutton: But we're…
75
00:11:56.320 --> 00:12:14.119
Stuart Donnelson: forced to upgrade to a version of Windows 11 that supports it, so your organization better be ready for 24H2, and that new VDA 2507. Beyond that, we have to make sure that our legacy apps are, are ready to work in this realm. So, and then…
76
00:12:14.330 --> 00:12:20.619
Stuart Donnelson: correct me if I'm wrong, guys, but I believe Auto Client Reconnect is also lost in this process, because.
77
00:12:20.620 --> 00:12:27.270
Bill Sutton: It is. Yeah, session… that's a good point. Session reliability remains, but Auto Client Reconnect, you're right, is gone.
78
00:12:28.430 --> 00:12:44.120
Stuart Donnelson: And that even… that even goes towards if you lock… if somebody locks the session, right? I mean, at that point, you need something like a disconnect on log off, or you're gonna have a lot of confused people who can't get… they don't even have the option to put a password in, they don't know it, right? So…
79
00:12:44.430 --> 00:12:58.749
Bill Sutton: Yeah, it does say here, Auto Client Reconnect is not supported with an Entra ID single sign-on session. The feature is automatically disabled when you use this method. Session reliability is still available for automatic reconnection in case you have, like, a network disruption.
80
00:12:59.150 --> 00:13:18.110
Bill Sutton: And to your point, Stu, I would encourage listeners to do a Google search for Entra ID single sign-on with Citrix. It'll take you to a… the documentation, and there's a lot of things in here that go over some of the considerations to have when you're deploying this, as well as a detailed walkthrough of how to configure it.
81
00:13:18.110 --> 00:13:23.700
Bill Sutton: And it's not for the faint of heart. It's a good solution, but it's not for the faint of heart at this point. There's a lot of,
82
00:13:23.720 --> 00:13:33.759
Bill Sutton: a lot of, scripting that needs to be done to get things, and I'm sure you can do some of the scripting through the GUI, but it looks like they've mostly focused on,
83
00:13:34.180 --> 00:13:39.469
Bill Sutton: PowerShell scripting to, to get the configuration put in place. Randy, were you gonna say some things?
84
00:13:39.860 --> 00:13:56.579
Randy.Price: No, I think you guys hit it on the head, right? And the biggest thing, like you mentioned before, we start talking around how we handle this, you know, traditionally FAS versus, you know, this method. It really comes down to, you know, those VDAs. Are they AD domain joined? Are they Entra ID domain joined?
85
00:13:56.640 --> 00:14:08.760
Randy.Price: Right. So, you know, if it's AD domain joined, this is not going to apply to you. If you're using StoreFront, right, this is not going to apply to you. This is really, truly just Citrix DaaS using Citrix Workspace. And again.
86
00:14:08.760 --> 00:14:19.210
Randy.Price: Workspace app is a requirement, they list here as well. They actually mention in one of their known issues that if you enable this, and you have users that use both
87
00:14:19.510 --> 00:14:27.760
Randy.Price: Citrix Workspace app and the web browser, then logging in through the web browser, they could see a 30-second delay, right, during the application period.
88
00:14:27.760 --> 00:14:28.280
Bill Sutton: Yay.
89
00:14:28.610 --> 00:14:38.109
Randy.Price: Yeah, so… because it's going to attempt first, and so there's going to be a 30-second delay. So that's one thing to call out, you know, because we are all con… you know, we all think about login times, how does it affect the end users?
90
00:14:38.170 --> 00:14:51.399
Randy.Price: So if your users are using a mixed method of how they're accessing their apps or desktops, just be aware of that, that if all users aren't using Citrix Workspace app, they could incur that 30-second delay, so that's something to be aware of as well.
91
00:14:51.400 --> 00:14:53.920
Bill Sutton: Very good point. Yep, I must have missed that, or not.
92
00:14:53.920 --> 00:15:06.180
Randy.Price: Yeah, it's down at the bottom. If you go scroll down under known issues, they list a couple of things just to be aware of. I like to typically look through that. It's towards the bottom of this article. Yeah, scroll up a little bit, you'll see it. Keep going up a little bit.
93
00:15:06.180 --> 00:15:06.820
Bill Sutton: Oh, there it is.
94
00:15:08.170 --> 00:15:12.859
Randy.Price: So, just something to, you know, be considerate of as well, especially, you know, like I said.
95
00:15:13.140 --> 00:15:23.630
Randy.Price: Logon times seem to be the bane of every Citrix admin, right? Trying to… trying to decrease those, so we don't want to do anything necessarily to increase those without understanding that, so…
96
00:15:24.250 --> 00:15:40.549
Bill Sutton: Yeah, and there's a couple of tables at the beginning of the… I'll post the… I'll make sure that I post a link to this in the show notes, so, listeners can get directly to it. There's a couple of tables in here that deal with, what's supported, and like you said, Randy, it's pretty much, DaaS and Workspace.
97
00:15:41.600 --> 00:15:46.950
Bill Sutton: and obviously the Gateway Service and NetScaler, but CVAD on-prem is not.
98
00:15:46.950 --> 00:15:49.000
Randy.Price: Right. You notice it, even though it's not.
99
00:15:49.000 --> 00:15:51.730
Bill Sutton: Not to say that it won't be at some point, but it's not now.
100
00:15:51.730 --> 00:15:57.460
Randy.Price: Right, and even on the supported identity providers, if you notice, adaptive authentication is not supported, right? So…
101
00:15:57.460 --> 00:15:58.240
Bill Sutton: Yes.
102
00:15:58.240 --> 00:16:04.620
Randy.Price: That's something to be aware of as well, and, you know, probably understand the reason behind that, but still, it's something to be aware of, so…
103
00:16:04.620 --> 00:16:20.219
Bill Sutton: An important point, as well, is this is, even though I mentioned Okta before, this is only Entra ID SSO with Citrix. Only Entra. And that's largely because Microsoft and Citrix worked together to get this to the point where they could… they could configure it to work.
104
00:16:20.290 --> 00:16:37.969
Bill Sutton: the way we've described. I expect this is, you know, this is the first release of this. I expect we'll see this evolve over time, like we do with all things like this, but this is a really good start. And for those customers that are really solidly in the Entra ID camp, and they're using Workspace App with Windows 11,
105
00:16:38.170 --> 00:16:45.860
Bill Sutton: This could be a good solution for them to… to kind of reduce some of the friction of the login experience for their users.
106
00:16:46.110 --> 00:16:46.710
Randy.Price: Boop.
107
00:16:46.950 --> 00:16:47.780
Randy.Price: Grief.
108
00:16:47.990 --> 00:16:54.380
Bill Sutton: All right, that's all we had. That's all we had for today. Any other fi… any final thoughts, guys, you want to convey before we adjourn?
109
00:16:55.050 --> 00:16:55.899
Randy.Price: No, I'm good.
110
00:16:56.420 --> 00:17:03.130
Bill Sutton: Okay. Well, I'll just say that what I've always said when I… whenever we run into new features like this, that Citrix continues to iterate.
111
00:17:03.130 --> 00:17:17.999
Bill Sutton: They're not… they're not, sitting back on their laurels. They are continuing to… to, innovate in the… in the… in their products and add new features and functionality to respond to user requests. So, it's just another example of that.
112
00:17:18.030 --> 00:17:22.020
Bill Sutton: Which is obviously a good thing to keep the technology moving forward.
113
00:17:22.579 --> 00:17:27.690
Bill Sutton: All right, guys, thank you all for, joining today. Hopefully we'll see you again next week.
114
00:17:28.119 --> 00:17:28.759
Stuart Donnelson: here.
115
00:17:28.760 --> 00:17:29.490
Randy.Price: Thank you guys.