Citrix Cloud

Connect Google as an identity provider to Citrix Cloud

Citrix Cloud supports using Google as an identity provider to authenticate subscribers signing in to their workspaces. By connecting your organization’s Google account to Citrix Cloud, you can provide a unified sign-in experience for accessing Citrix Workspace and Google resources.

Note:

Google authentication is available as a preview. Citrix recommends using preview features only in non-production environments.

Requirements for domain-joined and non-domain-joined configuration

You can configure Google as an identity provider in Citrix Cloud using a machine that’s domain-joined or non-domain-joined.

  • Domain-joined means machines are joined to a domain in your on-premises Active Directory (AD) and authentication uses the user profiles that are stored there.
  • Non-domain-joined means machines aren’t joined to an AD domain and authentication uses the user profiles that are stored in your Google Workspace directory (also known as Google-native users).

The following table lists the requirements for each configuration type.

  • On-premises AD. Domain-joined: Yes. Non-domain-joined: No. See Prepare Active Directory and Citrix Cloud Connectors in this article.
  • Citrix Cloud Connectors deployed in your resource location. Domain-joined: Yes. Non-domain-joined: No; Cloud Connectors aren’t needed to access non-domain-joined machines. See Prepare Active Directory and Citrix Cloud Connectors in this article.
  • AD synchronization with Google Cloud. Domain-joined: Optional only if you use the Citrix Gateway service or Microapps and no other services; otherwise this task is required. Non-domain-joined: No. See Sync Active Directory with Google Cloud in this article.
  • Developer account with access to the Google Cloud Platform console, used for creating a service account and key and for enabling the Admin SDK API. Domain-joined: Yes. Non-domain-joined: Yes. See Create a service account, Create a service account key, and Configure domain-wide delegation in this article.
  • An administrator account with access to the Google Workspace Admin console, used for configuring domain-wide delegation and a read-only API user account. Domain-joined: Yes. Non-domain-joined: Yes. See Configure domain-wide delegation and Add a read-only API user account in this article.

Google authentication with multiple Citrix Cloud accounts

This article describes how to connect Google as an identity provider to a single Citrix Cloud account. If you have multiple Citrix Cloud accounts, you can connect each one to the same Google Cloud account using the same service account and read-only API user account. Simply sign in to Citrix Cloud and select the appropriate customer ID from the customer picker.

Prepare Active Directory and Citrix Cloud Connectors

If you are using a domain-joined machine to configure Google authentication, use this section to prepare your on-premises AD. If you are using a non-domain-joined machine, skip this task and continue to Create a service account in this article.

You need at least two servers in your Active Directory domain on which to install the Citrix Cloud Connector software. Cloud Connectors are required for enabling communication between Citrix Cloud and your resource location, and at least two are required for a highly available connection with Citrix Cloud. These servers must meet the following requirements:

  • Meets the requirements described in Cloud Connector Technical Details.
  • Does not have any other Citrix components installed, is not an Active Directory domain controller, and is not a machine critical to your resource location infrastructure.
  • Joined to your Active Directory (AD) domain. If your workspace resources and users reside in multiple domains, you must install at least two Cloud Connectors in each domain. For more information, see Deployment scenarios for Cloud Connectors in Active Directory.
  • Connected to a network that can contact the resources that users access through Citrix Workspace.
  • Connected to the Internet. For more information, see System and Connectivity Requirements.

For more information about installing Cloud Connectors, see Cloud Connector Installation.

Sync Active Directory with Google Cloud

If you are using a domain-joined machine to configure Google authentication, use this section to synchronize your on-premises AD with Google Cloud. If you are using a non-domain-joined machine, skip this task and continue to Create a service account in this article.

Synchronizing your AD with Google is optional if you are using only Citrix Gateway service or Microapps, with no other services enabled. For these services alone, you can use Google-native users without needing to synchronize with your AD.

If you are using other Citrix Cloud services, synchronizing your AD with Google is required. Google Cloud must pass the following AD user attributes to Citrix Cloud:

  • Security Identifier (SID)
  • objectGUID
  • userPrincipalName (UPN)

To sync your AD with Google Cloud

  1. Download and install the Google Cloud Directory Sync utility from the Google web site. For more information about this utility, see the Google Cloud Directory Sync documentation on the Google web site.
  2. After installing the utility, launch the Configuration Manager (Start > Configuration Manager).
  3. Specify the Google domain settings and LDAP settings as described in Set up your sync with Configuration Manager in the utility documentation.
  4. In General Settings, select Custom Schemas. Leave the default selections unchanged.
  5. Configure a custom schema to apply to all user accounts. Enter the required information using the exact casing and spelling specified in this section.
    1. Select the Custom Schemas tab and then select Add Schema.
    2. Select Use rules defined in “User Accounts”.
    3. In Schema Name, enter citrix-schema.
    4. Select Add Field and then enter the following information:
      • Under Schema field template, in Schema Field, select userPrincipalName.
      • Under Google field details, in Field Name, enter UPN.
    5. Repeat Step 4 to create the following fields:
      • objectGUID: Under Schema field template, select objectGUID. Under Google field details, enter objectGUID.
      • SID: Under Schema field template, select Custom. Under Google field details, enter SID.
      • objectSID: Under Schema field template, select Custom. Under Google field details, enter objectSID.
    6. Select OK to save your entries.
  6. Finish configuring any remaining settings for your organization and verify the synchronization settings as described in Set up your sync with Configuration Manager in the utility documentation.
  7. Select Sync & apply changes to synchronize your Active Directory with your Google account.

After the sync finishes, the User Information section in Google Cloud displays users’ Active Directory information.
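The article relies on the sync having written the four citrix-schema fields for every AD user, but a partial sync (an empty SID, or a Google-native user that was never matched to an AD object) only shows up later as a failed workspace sign-in. The following added example, which is not code from Citrix or Google, audits user records for those fields before you move on. The records are constructed to look like the JSON the Admin SDK Directory API returns for users with projection=full, where custom schema values sit under "customSchemas"; the e-mail addresses, GUIDs and SIDs are invented, and the check that SID and objectSID are SDDL strings (S-1-5-21-...) assumes the sync writes them in that string form.

```python
"""Post-sync check: confirm Google Directory user records carry the AD
attributes Citrix Cloud needs (UPN, objectGUID, SID) under the custom
schema named "citrix-schema".

Added example, not part of the Citrix article or of Google's tooling.
The sample records are constructed to resemble Directory API output
(projection=full); all values are invented.
"""
import re
from typing import Dict, List

SCHEMA_NAME = "citrix-schema"
# Field names exactly as entered in the GCDS Configuration Manager.
REQUIRED_FIELDS = ("UPN", "objectGUID", "SID", "objectSID")
# SDDL string form of a Windows SID, e.g. S-1-5-21-<domain>-<rid>.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def schema_problems(user: Dict) -> List[str]:
    """Return the problems with one user's citrix-schema attributes.
    An empty list means the record carries everything Citrix Cloud needs."""
    problems = []
    schema = user.get("customSchemas", {}).get(SCHEMA_NAME)
    if schema is None:
        # Google-native user or a user GCDS never matched to an AD object.
        return [f"{SCHEMA_NAME} missing"]
    for field in REQUIRED_FIELDS:
        if not schema.get(field):
            problems.append(f"{field} empty")
    upn = schema.get("UPN", "")
    if upn and "@" not in upn:
        problems.append("UPN is not in user@domain form")
    for field in ("SID", "objectSID"):
        value = schema.get(field, "")
        if value and not SID_RE.match(value):
            problems.append(f"{field} is not an SDDL SID string")
    return problems


def audit_users(users: List[Dict]) -> Dict[str, List[str]]:
    """Map primaryEmail -> problems, for every user that has at least one."""
    report = {}
    for user in users:
        problems = schema_problems(user)
        if problems:
            report[user["primaryEmail"]] = problems
    return report


# Constructed sample records (invented values).
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com",
     "customSchemas": {SCHEMA_NAME: {
         "UPN": "alice@corp.example.com",
         "objectGUID": "7c3a1e2f-9b4d-4e6a-8f10-2d5c6b7a8e90",
         "SID": "S-1-5-21-1111111111-2222222222-3333333333-1105",
         "objectSID": "S-1-5-21-1111111111-2222222222-3333333333-1105"}}},
    {"primaryEmail": "bob@example.com",  # synced, but the SID field came back empty
     "customSchemas": {SCHEMA_NAME: {
         "UPN": "bob@corp.example.com",
         "objectGUID": "0e9d8c7b-6a5f-4e3d-9c2b-1a0f9e8d7c6b",
         "SID": "",
         "objectSID": "S-1-5-21-1111111111-2222222222-3333333333-1106"}}},
    {"primaryEmail": "carol@example.com"},  # Google-native user, never synced
]

if __name__ == "__main__":
    for email, problems in audit_users(SAMPLE_USERS).items():
        print(f"{email}: {', '.join(problems)}")
```

To run this against the live directory, fetch the records with the Directory API users.list call using projection=full and feed the returned user objects to audit_users; any user that appears in the report will not be usable for workspace sign-in until the sync is corrected and rerun.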

Create a service account

To complete this task, you need a Google Cloud Platform developer account.

  1. Sign in to https://console.cloud.google.com.
  2. From the Dashboard sidebar, select IAM & Admin and then select Service Accounts.
  3. Select Create service account.
  4. Under Service account details, enter the service account name and service account ID.
  5. Select Done.

Create a service account key

  1. On the Service Accounts page, select the service account you just created.
  2. Select the Keys tab and then select Add key > Create new key.
  3. Leave the default JSON key type option selected.
  4. Select Create. Save the key to a secure location that you can access later. You enter the private key in the Citrix Cloud console when you connect Google as an identity provider.

Configure domain-wide delegation

  1. Enable the Admin SDK API:
    1. From the Google Cloud Platform menu, select APIs & Services > Enabled APIs & services.
    2. Select Enable APIs and services near the top of the console. The API Library home page appears.
    3. Search for Admin SDK API and select it from the results list.
    4. Select Enable.
  2. Create an API client for the service account:
    1. From the Google Cloud Platform menu, select IAM & Admin > Service Accounts and then select the service account you created earlier.
    2. From the service account’s Details tab, expand Advanced settings.
    3. Under Domain-wide Delegation, copy the Client ID and then select View Google Workspace Admin Console.
    4. If applicable, select the Google Workspace administrator account you want to use. The Google Admin console appears.
    5. From the Google Admin sidebar, select Security > Access and data control > API controls.
    6. Under Domain wide delegation, click Manage Domain Wide Delegation.
    7. Select Add new.
    8. In Client ID, paste the client ID for the service account that you copied in Step 3.
    9. In OAuth scopes, enter the following scopes in a single comma-delimited line. Enter only these read-only scopes; the delegation grants exactly what is listed here, so any scope you add beyond them widens what the service account can do as the impersonated user.

      https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly
    10. Select Authorize.

Add a read-only API user account

In this task, you create a Google Workspace user account that has read-only API access for Citrix Cloud. Do not use this account for any other purpose, and grant it no privileges beyond the custom read-only role described here.

  1. From the Google Admin menu, select Directory > Users.
  2. Select Add new user and enter the appropriate user information.
  3. Select Add new user to save the account information.
  4. Create a custom role for the read-only user account:
    1. From the Google Admin menu, select Account > Admin roles.
    2. Select Create new role.
    3. Enter a name for the new role. Example: API-ReadOnly
    4. Select Continue.
    5. Under Admin API privileges, select the following privileges:
      • Users > Read
      • Groups > Read
      • Domain Management
    6. Select Continue and then select Create role.
  5. Assign the custom role to the read-only user account you created earlier:
    1. From the custom role details page, in the Admins pane, select Assign users.
    2. Start typing the name of the read-only user account and select it from the user list.
    3. Select Assign role.
    4. To verify the role assignment, return to the Users page (Directory > Users) and select the read-only user account. The custom role assignment is displayed under Admin roles and privileges.

Connect Google to Citrix Cloud

  1. Sign in to Citrix Cloud at https://citrix.cloud.com.
  2. From the Citrix Cloud menu, select Identity and Access Management.
  3. Locate Google and select Connect from the ellipsis menu.
  4. Select Import File and then select the JSON file you saved when you created the key for the service account. This action imports your private key and the email address for the Google Cloud service account that you created.
  5. In Impersonated User, enter the name of the read-only API user account.
  6. Select Next. Citrix Cloud verifies your Google account details and tests the connection.
  7. Review the associated domains that are listed. If they’re correct, select Confirm to save your configuration.
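Steps 4 through 6 above, together with the Configure domain-wide delegation task, come down to one mechanism: the service-account key signs a JWT whose "sub" claim names the read-only API user, and Google only honours that "sub" if the key's client ID was authorized for exactly the scopes the caller asks for. The following added example (not code from Citrix or Google) performs the pre-flight checks a practitioner would want before pasting the key into Citrix Cloud: that the key JSON has the fields the JWT-bearer flow needs, that the scope line entered in the Admin console covers the three required scopes, and what the claim set looks like. The key file is a constructed stand-in for the JSON that Create new key downloads (same field names; the project, e-mail addresses and client ID are invented and the private_key value is a placeholder, not a real key), and the impersonated user is assumed to be given as its e-mail address.

```python
"""Pre-flight check for the domain-wide delegation that Citrix Cloud uses
to read the Google Workspace directory as the read-only API user.

Added example, not part of the Citrix article or of Google's libraries.
SAMPLE_KEY is a constructed stand-in for a downloaded service-account
key file; every value in it is invented and the private key is a
placeholder.
"""
import json
from typing import Dict, List

# Scopes exactly as entered in the Admin console under Manage Domain Wide Delegation.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
)
# Fields a service-account key JSON must carry for the JWT-bearer flow.
KEY_FIELDS = ("type", "client_email", "client_id", "private_key", "token_uri")


def load_key(path: str) -> Dict:
    """Read the JSON key file that Create new key downloaded."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def key_file_problems(key: Dict) -> List[str]:
    """Problems that would make the key unusable for delegated access."""
    problems = [f"{f} missing" for f in KEY_FIELDS if not key.get(f)]
    if key.get("type") not in (None, "service_account"):
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    pem = key.get("private_key", "")
    if pem and "BEGIN PRIVATE KEY" not in pem:
        problems.append("private_key is not a PEM private key")
    return problems


def unauthorized_scopes(authorized_line: str, required=REQUIRED_SCOPES) -> List[str]:
    """Required scopes that the comma-delimited Admin console line does not grant.
    Any scope requested but not authorized makes Google refuse the token
    request, so the two lists must agree exactly."""
    authorized = {s.strip() for s in authorized_line.split(",") if s.strip()}
    return [s for s in required if s not in authorized]


def assertion_claims(key: Dict, impersonated_user: str, now: int,
                     scopes=REQUIRED_SCOPES) -> Dict:
    """Claim set of the JWT that is signed with private_key (RS256) and
    exchanged at token_uri for an access token. "sub" is what makes the
    resulting token act as the read-only API user; it is only accepted
    because client_id was authorized for these scopes in the Admin console."""
    return {
        "iss": key["client_email"],
        "sub": impersonated_user,
        "scope": " ".join(scopes),
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,  # one hour is the maximum assertion lifetime Google accepts
    }


# Constructed stand-in for a downloaded key file; placeholder values only.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "citrix-idp-example",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "citrix-directory-reader@citrix-idp-example.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}
IMPERSONATED_USER = "citrix-api-readonly@example.com"  # the read-only API user (assumed address)
AUTHORIZED_SCOPE_LINE = ",".join(REQUIRED_SCOPES)       # what was pasted into the Admin console

if __name__ == "__main__":
    print("key problems:", key_file_problems(SAMPLE_KEY) or "none")
    print("missing scopes:", unauthorized_scopes(AUTHORIZED_SCOPE_LINE) or "none")
    print(json.dumps(assertion_claims(SAMPLE_KEY, IMPERSONATED_USER, 1_700_000_000), indent=2))
```

In production the signing and token exchange are done by google-auth: service_account.Credentials.from_service_account_info(key, scopes=REQUIRED_SCOPES, subject=IMPERSONATED_USER) builds exactly this claim set, and a users.list call made with those credentials is the same check that Citrix Cloud performs at Step 6. If that call fails with unauthorized_client, compare the scope line in the Admin console with REQUIRED_SCOPES and confirm the client ID pasted there is the one from the key file.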

Enable Google for workspace authentication

  1. From the Citrix Cloud menu, select Workspace Configuration > Authentication.
  2. Select Google. When prompted, select I understand the impact on the subscriber experience and then click Save.