Citrix Cloud

Configure Duo as a SAML provider for workspace authentication

This article describes the required steps for configuring a Duo SAML application and SAML connection between Citrix Cloud and your SAML provider. Some of these steps describe actions that you perform in the Duo SAML provider’s administration console.

Prerequisites

Before you complete the tasks in this article, ensure that you’ve met the following prerequisites:

  • A Duo cloud tenant.
  • A Duo authentication proxy inside your AD forest.
  • An Active Directory LDAPS connection which syncs your AD users to Duo.

Configure Active Directory Syncing to your Duo tenant

Follow the Duo documentation on connecting your on-premises AD to Duo and importing users for SAML.

Create an Active Directory LDAPS Connection

  1. Select Applications > SSO Settings > Add Source > Active Directory > Add Active Directory.

  2. Enter a Display Name for the LDAPS connection to your AD forest.

  3. Enter the FQDN of your domain controller.

  4. Configure the Base DN of your AD domain.

  5. Select Integrated as the Authentication Type.

  6. Select LDAPS as the Transport Type.

  7. Tick SSL Verify Hostname.

  8. Enter the Domain Controller certificate first, followed by the certificate of the private enterprise certificate authority (CA) that signed your Domain Controller certificate.

  9. Enter the PEM formatted certificates according to the following example:

    -----BEGIN CERTIFICATE-----
    <base64 Domain Controller Certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <base64 Certificate Authority Certificate used to sign the Domain Controller Certificate above>
    -----END CERTIFICATE-----

  10. Test your LDAPS connection.

Configure your Duo authentication proxy config file for SAML

  1. Check that your Duo Auth Proxy configuration is healthy and shows as Connected to Duo.

  2. Log into your Duo authentication proxy and add a SAML [sso] section to its config file using the Remote Identity (rikey) provided from the Duo admin console. The Duo Authentication Proxy uses a shared secret to communicate with the Duo cloud service. This secret is generated during the initial installation or configuration of the Authentication Proxy.

Configure a Duo SAML Application for use with Workspaces

  1. Select Applications > Protect an Application. Click Add Application.

  2. Locate the entry for the Generic SAML Service Provider Duo app template. Citrix recommends the Generic SAML Service Provider Duo template because it is the most flexible and allows you to configure different combinations of SAML attributes and different SAML flows according to your needs.

    Important:

    The use of the Duo Citrix Workspace SAML template is not recommended as it is inflexible and only supports SAML using AD identities. The Duo Citrix Workspace SAML template will also not allow the addition of optional attributes like cip_domain and cip_forest which are needed for some advanced mergers and acquisitions SAML configurations. It also does not allow the configuration of the Citrix Cloud logout endpoint.

  3. Specify a Display Name for your SAML application such as Citrix Cloud Prod.

  4. Specify the user access such as Enable for all users.

  5. Select None (manual Input) within Metadata Discovery and enter the following Citrix Cloud SAML endpoints.

  6. Enter the EntityID according to the Citrix Cloud region your CC tenant is in.

    URL                           Region
    https://saml.cloud.com        Commercial EU, US, and APS
    https://saml.citrixcloud.jp   JP
    https://saml.cloud.us         GOV

  7. Configure the Single sign-on URL (ACS URL) according to the Citrix Cloud region your CC tenant is in.

    URL                                    Region
    https://saml.cloud.com/saml/acs        Commercial EU, US, and APS
    https://saml.citrixcloud.jp/saml/acs   JP
    https://saml.cloud.us/saml/acs         GOV

  8. Configure the Single Logout URL according to the Citrix Cloud region your CC tenant is in.

    URL                                               Region
    https://saml.cloud.com/saml/logout/callback       Commercial EU, US, and APS
    https://saml.citrixcloud.jp/samllogout/callback   JP
    https://saml.cloud.us/saml/samllogout/callback    GOV

  9. Service Provider Login URL is not required and can be left empty.

  10. Default Relay State is not required and can be left empty.

  11. Configure the Name ID Format as Unspecified.

  12. Configure the Name ID Attribute as userPrincipalName (case sensitive).

  13. Configure Signature algorithm as SHA256.

  14. Configure Signing options as Sign response.

  15. Configure Assertion encryption as disabled.

  16. Configure Map Attributes with Duo bridging attributes on the left and Citrix Cloud SAML claim names on the right.

    Important:

    Duo bridge attributes (left) and SAML attribute claim names (right) are case sensitive. It is the claim names on the right that must match what is configured within the Citrix Cloud SAML connection.
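Because the claim names are matched exactly, a practical way to troubleshoot a failing logon is to inspect the SAML Response that Duo sends (for example from a browser SAML trace) and compare its attribute names with the claim names on the Citrix Cloud connection. The following script is an added example and is not part of the Citrix or Duo documentation; the sample response and the expected-claims list are constructed for illustration, reusing the cip_domain and cip_forest names mentioned in this article.

```python
# Added example: check a SAML Response the way Citrix Cloud sees it, matching
# attribute names exactly (case-sensitive) against the configured claim names.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed, unsigned sample: cip_domain is right, cip_forest was mapped as
# "CIP_Forest" on the Duo side, so Citrix Cloud would treat it as absent.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
 >jdoe@example.local</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="cip_domain"><saml:AttributeValue>example.local</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="CIP_Forest"><saml:AttributeValue>example.local</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

# Claim names the Citrix Cloud connection expects (assumed; use your own list).
EXPECTED_CLAIMS = ["cip_domain", "cip_forest"]


def check_claims(response_xml, expected):
    """Return NameID details, the attributes found, the expected claim names
    that are absent, and those absent only because their case differs."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    missing = [name for name in expected if name not in attrs]  # exact match only
    by_lower = {name.lower(): name for name in attrs}
    case_mismatch = {n: by_lower[n.lower()] for n in missing if n.lower() in by_lower}
    return {
        "name_id": None if name_id is None else name_id.text,
        "name_id_unspecified": name_id is not None and name_id.get("Format") == UNSPECIFIED,
        "attributes": attrs,
        "missing": missing,
        "case_mismatch": case_mismatch,
    }


if __name__ == "__main__":
    result = check_claims(SAMPLE_RESPONSE, EXPECTED_CLAIMS)
    for claim, sent in result["case_mismatch"].items():
        print(f"claim {claim!r} not found: Duo sent {sent!r}, case differs")
```

A non-empty case_mismatch result points at the Duo attribute mapping rather than at the Citrix Cloud connection, which is where step 16 is most often mis-typed.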

Configure the Citrix Cloud SAML connection

  1. All Citrix logon flows need to be Service Provider initiated using either a Workspace URL or a Citrix Cloud GO URL.

  2. Use the default recommended values for the SAML connection within Identity and Access Management > Authentication > Add an identity provider > SAML.

  3. Obtain the Duo SAML application's SAML endpoints from your Duo portal (see the Duo Active Directory Sync documentation for where they are shown) and enter them into the Citrix Cloud SAML connection as follows.

    In this field in Citrix Cloud   Enter this value
    Entity ID                       https://sso-<id>.sso.duosecurity.com/saml2/sp/<samlappID>/metadata
    Sign Authentication Request     Yes
    SSO Service URL                 https://sso-<id>.sso.duosecurity.com/saml2/sp/<samlappID>/sso
    SSO Binding Mechanism           HTTP Post
    SAML Response                   Sign Either Response Or Assertion
    Authentication Context          Unspecified, Exact
    Logout URL                      https://sso-<id>.sso.duosecurity.com/saml2/sp/<samlappID>/slo
    Sign Logout Request             Yes
    SLO Binding Mechanism           HTTP Post

Duo SAML Logout Behaviour

At the time this article was written, Duo SAML does not support SAML SLO, but it is possible to configure Duo to terminate the IDP session when a user explicitly logs out of Workspace and/or Citrix Cloud. It is recommended that you read the SAML Logout Considerations section in the main SAML article before choosing to configure your Duo SAML application's logout settings.

Important:

Taken from the Duo documentation, Duo SSO Logout Behavior and Session Management Details:

Users that decide to log out and hit the SLO URL for Duo SSO will be logged out of Duo SSO and have their MFA remembered devices session deleted before redirecting them to the logout page.

To configure explicit logout of the Duo IDP session when the end user logs out of Workspace and/or Citrix Cloud, follow the recommended steps below.

  1. Configure the Citrix Cloud SAML logout endpoint within your Duo SAML app.

  2. Configure the Duo SLO endpoint within the Citrix Cloud SAML connection.

    Important:

    If you have not used the Generic SAML Provider Duo app template you will be unable to complete this step as the option to enter the Citrix Cloud logout endpoint will not be available.

  3. When logging out of Workspace with both sides of the SAML connection configured for logout as per steps 1 and 2, Duo shows the following UI, indicating that the IDP session has been terminated.

  4. Optional: To improve your Workspace end users' logout experience, it is possible to configure the Duo LDAPS connection with a single Logout Redirect URL that redirects your end users back to the Citrix Workspace logon page. This is done inside your AD forest LDAPS connection.

    Important:

    The logout redirect URL field shown above will only allow the configuration of a single Workspace URL. The use of multiple different Workspace URLs within the Citrix Cloud tenant cannot be configured within a single Active Directory Forest connection in Duo.
