Skip to main content

Citrix Workspace SAML


Multi-factor authentication (MFA) is an extra layer of security used when logging into websites or apps to authenticate users through more than one required security and validation procedure that only you know or have access to. Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

Citrix™ Workspace offers a complete and integrated digital workspace that’s streamlined for IT control and easily accessible for users. Acceptto™, as a Citrix Ready Partner and SAML provider, improves the user login experience for Horizon users with convenient MFA, and offers a simple solution for adding Multi-Factor Authentication (MFA) and single sign-on (SSO) on Citrix Workspace via SAML solution.


  1. An Acceptto account with a configured Identity Provider and LDAP Agent. (See this page for the instructions)
  2. An organization identifier provided by Acceptto (organization slug).
  3. Two Cloud Connectors deployed to a resource location and joined to your on-premises AD domain. The Cloud Connectors are used to ensure Citrix Cloud can communicate with your resource location.
  4. A user with administrative privileges for Citrix Cloud Login.

Connect Cloud Connector to Citrix™ Cloud#

The Citrix Cloud Connector is a Citrix component that serves as a channel for communication between Citrix Cloud and your resource locations, enabling cloud management without requiring any complex networking or infrastructure configuration.The Virtual Apps and Desktops service requires the Cloud Connector. Citrix recommends installing two Cloud Connectors for high availability.

  1. Sign in to Citrix Cloud at
  2. From the Citrix Cloud menu, select Identity and Access Management.
  3. From the Authentication tab, in Active Directory, click the ellipsis menu and select Connect. citrix identity and access management
  4. Click Install Connector to download the Cloud Connector software. citrix active directory
  5. Launch the Cloud Connector installer and follow the installation wizard.
  6. From the Connect to Active Directory page, click Detect. After verification, Citrix Cloud displays a message that your Active Directory is connected and after that you can add your virtual apps and desktops resource to Citrix Cloud.

Configure Citrix WorkSpace™ as a SAML Service Provider#

  1. Download the SAML metadata and certificate for your organization from Acceptto.

    Metadata Download at<myorganization>/saml/download/metadata or view at<myorganization>/saml/metadata

    Certificate Download at<myorganization>/saml/download/cert

  2. From the Citrix Cloud menu, select Identity and Access Management. Citrix ID and Access Management

  3. From the Authentication tab, select the SAML button and then Connect. SAML auth tab

  4. In the SAML Configuration form, enter the following Acceptto Idp information values.

    • Entity ID- Copy and paste the Acceptto SAML Entity ID from Acceptto Metadata (e.g.
    • SSO Service Provider - Copy and paste the sign in URL from Acceptto
    • Binding Mechanism - Set Binding Mechanism on Http Redirect.
    • SAML Response - Set SAML Response on Most Sign Response.
    • X.509 Certificate - Upload Acceptto X.509 certificates.
    • Authentication Context - Set Authentication Context on Unspecified and select type to minimum. Configure SAML
  5. Download SAML Metadata and use it for Acceptto Idp Configuration.

  6. Click on Test and Finish.

Acceptto SAML Configuration as Identity Provider#

  1. Login to the Acceptto Dashboard with an administrative account and go to Applications.

  2. Create a new application by selecting the Create New Application. create new application

  3. In the New Application form, enter the following values under the General tab.

    • Name - The application name displayed in the admin panel and application portal and used for push notifications and audit logs (e.g. Citrix Cloud)
    • Type - Select "SAML Service Provider" from the options
    • Out of Band Methods - Select the allowed methods for approving MFA requests
    • Message for MFA Requests - Enter the user-facing message for Push, SMS, and email MFA requests (optional) Citrix cloud application
  4. Under the SAML Service Provider Configuration tab, enter the following values:

    • Issuer or Entity ID – Enter the Issuer/EntityID of your Citrix Cloud instance. This value is available at the Downloaded Metadata in Citrix Cloud SAML Configuration.(e.g.
    • Sign in URL - The URL used to login to your Citrix Workspace.
    • NameID Format - Select "Persistent" from the dropdown menu.
    • Name Identifier - Select "ObjectGUID" from the dropdown menu.
    • Assertion Consumer Service (ACS) URL - Enter the URL on the service provider where the identity provider will redirect to with its authentication response.
    • Single Logout URL - Enter the URL which is given in the Citrix Cloud metadata. saml service provider
  5. Then, Click Save to create the Application.

  6. Download your SAML IdP X509 certificate. Go to[organization identifier]/saml/download/cert to download the cert.pem file containing your certificate.

  7. Download your SAML metadata file. Go to[organization identifier]/saml/download/metadata to download your metadata file.

Configure Workspace Authentication Method#

  1. From the Citrix Cloud menu, select Workspace Configuration.

workspace config

  1. From the Citrix Cloud menu, select SAML 2.0.

workspace saml config

Test your setup#

  1. Go to your Workspace URL. You will be redirected to the Acceptto SSO page.

saml sign-in

  1. After successful authentication, you’ll see the Acceptto MFA options. Select your desired method. Next, pass the verification stage on your It'sMe mobile app. You can also scan with a QR code in the Acceptto It’sMe application.

qr code sign-in

  1. Finally, you will be redirected to the Citrix Workspace portal page via an easy and passwordless authentication method.


If you require assistance, please email us at


Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.


All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the Acceptto Corporation.

Citrix, Citrix Cloud, and Citrix Workspace are either registered trademarks or trademarks of Citrix and/or one or more of its subsidiaries in the United States and/or other countries. 'Active Directory' are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.