The Citrix integration enables biometric authentication via SAML 2.0 for Citrix Cloud and Citrix Workspace, covering both cloud identity federation and on-premises Gateway deployments for virtual apps and desktops.
Integration type
SSO
Overview
1Kosmos integrates with Citrix as a SAML 2.0 identity provider to secure administrator and subscriber access to Citrix Cloud and Citrix Workspace. Users authenticating through Citrix Workspace are redirected to 1Kosmos for biometric verification before being returned to their virtual app or desktop session. The integration covers Citrix Cloud identity federation (managed through Identity and Access Management in the Citrix Cloud admin console) as well as on-premises Citrix Gateway (NetScaler) deployments.
For Citrix Cloud, the SAML configuration is established by creating a SAML connection in Identity and Access Management → Authentication. Citrix Cloud provides fixed SP Entity IDs and ACS URLs based on the region of the tenant. For Citrix Gateway, the ACS URL follows the pattern https://[gateway-fqdn]/cgi/samlauth and the Entity ID is the gateway FQDN or a URI configured during SAML action setup.
Citrix Cloud supports both HTTP-POST and HTTP-Redirect binding. Users must have Active Directory accounts that are synchronized to the SAML identity provider for the authentication flow to succeed.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
Citrix Cloud subscription: Administrator access to Identity and Access Management in the Citrix Cloud admin console, or ASDM/SSH access for Citrix Gateway/NetScaler.
Active Directory synchronization: User accounts must exist in Active Directory and be synchronized to your SAML identity provider. Citrix Cloud requires AD attributes (sAMAccountName, userPrincipalName) from the SAML assertion to locate the user.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for Citrix:
| Field | Where to find it |
|---|---|
| SAML Metadata URL or XML | AdminX → Settings → IdP Configuration → Metadata URL |
| SSO Service URL | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| IdP Entity ID | AdminX → Settings → IdP Configuration → Core Configuration |
| Signing Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
Fixed Citrix Cloud SP values to enter in AdminX:
| Region | SP Entity ID | ACS URL |
|---|---|---|
| US / EU / APAC South | https://saml.cloud.com | https://saml.cloud.com/saml/acs |
| Japan | https://saml.citrixcloud.jp | https://saml.citrixcloud.jp/saml/acs |
| Government (US) | https://saml.cloud.us | https://saml.cloud.us/saml/acs |
Citrix Gateway SP values (on-premises):
| Field | Value |
|---|---|
| ACS URL | https://[gateway-fqdn]/cgi/samlauth |
| SP Entity ID | https://[gateway-fqdn] (or the FQDN configured as Issuer Name in the NetScaler SAML action) |
Integration steps
Step 1: Add Citrix as a SAML application in AdminX (Citrix Cloud)
Log in to the AdminX portal and navigate to Applications → Add Application.
Scroll to Custom App, select SAML 2.0 Generic, and click Add integration.
Enter "Citrix Cloud" as the Application Name, set Instance to Production, and enter your Citrix Workspace URL (https://[company].cloud.com) as the Application Access URL. Click Next.
Set the NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. Add claims for email (Username), cip_upn (userPrincipalName), cip_oid (objectGUID), and displayName. Click Next.
Enter the Citrix Cloud SP Entity ID and ACS URL for your region from the table above. Enable Assertion signing and click Save.
Step 2: Configure the SAML connection in Citrix Cloud
Log in to the Citrix Cloud admin console and navigate to Identity and Access Management → Authentication.
Locate SAML 2.0 and select Connect from the ellipsis menu.
When prompted for your unique sign-in URL, enter a short URL-friendly identifier for your company (e.g., https://citrix.cloud.com/go/mycompany) and click Save and continue.
In the Configure SAML Identity Provider section, enter the 1Kosmos IdP Entity ID, SSO Service URL, and binding mechanism (HTTP Post). Upload the 1Kosmos signing certificate into the X.509 Certificate field.
Set SAML Response to Sign Either Response or Assertion and click Test and Finish.
Step 3: Assign the SAML authentication method in Workspace Configuration
In the Citrix Cloud admin console, navigate to Workspace Configuration → Authentication.
Select SAML 2.0 as the workspace authentication method.
Save the configuration. Users accessing Citrix Workspace will now be redirected to 1Kosmos for authentication.
Step 4: Configure Citrix Gateway (on-premises, if applicable)
Log in to the NetScaler/Citrix ADC management console and navigate to NetScaler Gateway → Policies → Authentication → SAML.
Create a new SAML Action. In the SAML IDP Metadata URL field, paste the 1Kosmos metadata URL. Set the Issuer Name to your gateway FQDN. Click Create.
Create a SAML Policy using the action, set the expression to ns_true, and bind the policy to the authentication virtual server for your gateway virtual server.
In AdminX, create a separate SAML application entry for Citrix Gateway using https://[gateway-fqdn]/cgi/samlauth as the ACS URL and the gateway FQDN as the Entity ID.
Step 5: Test the integration
Navigate to your Citrix Workspace URL and attempt to sign in.
Confirm you are redirected to the 1Kosmos login screen. Scan the QR code with the 1Kosmos mobile app and complete biometric authentication.
Confirm you are returned to Citrix Workspace with the correct virtual apps and desktops displayed.
Attribute mappings
| Source (1Kosmos) | Target (Citrix Cloud) | Description |
|---|---|---|
| user.email | email / NameID | Primary identifier |
| user.upn | cip_upn (userPrincipalName) | Required for AD identity lookup in Citrix Cloud |
| user.objectGUID | cip_oid (objectGUID) | Used by Citrix Cloud to uniquely resolve the AD user |
| user.displayName | displayName | User display name |
Integration notes
Citrix Cloud SAML authentication requires that the SAML assertion contain AD user attributes (UPN and objectGUID) so that Citrix Cloud can resolve the authenticated user against the Active Directory domain. If these attributes are missing from the assertion, users will fail to log in even after successful biometric authentication.
Some SAML providers prohibit reusing the same SP Entity ID across multiple applications. If this applies to your configuration, use Citrix Cloud's scoped Entity ID feature by enabling Configure scoped SAML Entity ID during the SAML connection setup, which generates a unique Entity ID per connection.
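To catch the missing-attribute failure described above before users hit it, the following added example (not 1Kosmos or Citrix code) inspects a base64-decoded SAML Response, such as one captured with a browser SAML tracer during Step 5, against the claims, NameID format, and regional SP values listed on this page. Assumptions: the function name check_citrix_response is hypothetical, claims appear as Attribute Name values exactly as listed in Step 1, the connection uses the fixed (non-scoped) Entity IDs, and the signature check is presence-only, not cryptographic verification.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Fixed Citrix Cloud SP Entity ID -> ACS URL pairs from the region table above.
CITRIX_SP = {"https://saml.cloud.com": "https://saml.cloud.com/saml/acs",
             "https://saml.citrixcloud.jp": "https://saml.citrixcloud.jp/saml/acs",
             "https://saml.cloud.us": "https://saml.cloud.us/saml/acs"}
REQUIRED_CLAIMS = ("email", "cip_upn", "cip_oid", "displayName")
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_citrix_response(xml_text):
    """List configuration problems in a decoded SAML Response (signatures are NOT verified)."""
    root = ET.fromstring(xml_text)
    problems = []
    audience = root.findtext(".//saml:Audience", "", NS).strip()
    if audience not in CITRIX_SP:
        problems.append(f"audience is not a Citrix Cloud SP Entity ID: {audience!r}")
    elif root.get("Destination") != CITRIX_SP[audience]:
        problems.append(f"Destination does not match ACS URL for {audience}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID missing or not emailAddress format")
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        claims[attr.get("Name")] = [v for v in values if v]
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):  # absent, or present with only empty values
            problems.append(f"missing or empty claim: {name}")
    if not any(root.find(p, NS) is not None for p in ("ds:Signature", "saml:Assertion/ds:Signature")):
        problems.append("neither Response nor Assertion carries a ds:Signature")
    return problems

# Constructed sample (not captured traffic): unsigned, and cip_oid is absent.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://saml.cloud.com/saml/acs">
  <saml:Assertion>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://saml.cloud.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="cip_upn"><saml:AttributeValue>alice@corp.example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

for problem in check_citrix_response(SAMPLE):
    print("FAIL:", problem)
```

An empty result means the assertion carries everything this page says Citrix Cloud needs for the AD lookup; it does not replace the signature validation Citrix Cloud performs with the uploaded 1Kosmos certificate.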

