We are excited to announce multi-tenant support of Citrix Federated Authentication Service (FAS) for Managed Service Providers (MSP, previously Citrix Service Providers) is now generally available!
Citrix released DaaS multi-tenant support for MSPs at the end of 2019, which allowed SMB customers to share the partner’s instance of DaaS isolated through dedicated or shared resource locations in the partner’s cloud account.
With the multi-tenant deployment, when using Active Directory (AD) or AD and token authentications, users can SSO to their DaaS in the workspace. However, because more and more customers of our MSP partners leverage other identity providers like Azure AD, Okta, SAML 2.0, and others for authentication, they need multi-tenant support from FAS for single sign-on (SSO) when the users launch their apps and desktops.
How Does FAS Multi-tenant Support Work?
With a multi-tenant DaaS deployment, each tenant customer is “federated” with a partner’s domain in a resource location. Based on that relationship, when a tenant user launches a VDA:
- The workspace first calls RequestAddress to choose a VDA and get its address. The response also returns the MSP’s resource location (RL).
- The workspace sends an assert identity request to FASHub with the tenant’s customer ID and the MSP’s RL ID.
- FASHub sends a request to the identity service with the tenant’s customer ID, and the identity service returns an MSP’s ID.
- FASHub finds a FAS server using the MSP’s ID and RL ID and sends an assert identity request to the FAS server.
- The FAS server returns a ticket, which then returns to the workspace.
- The workspace will call RequestAddress again to the VDA, this time with the FAS ticket.
The above process is shown here:
How Do I Enable This for My Tenant?
Before you get into the FAS-specific settings, we recommend that you have a basic multi-tenant deployment setup and ensure it is functioning to avoid potential troubleshooting complexities. As a pre-requisite for this feature, you must configure “Federated Domain” for the tenant.
Now install FAS in the Active Directory (AD) forest where the MSP’s resource location for the tenant is located. Connect FAS to the cloud resource location associated with that AD forest.
Enabling FAS for a tenant of multi-tenant DaaS is simple. Just go to Workspace Configuration → Authentication in the tenant customer’s cloud account, select the authentication that you’ve set up, and switch on Federate Authentication Service.
Ready to get started? Here is the product documentation to guide you through the process!