Federated Authentication

Service

Citrix Product Documentation | https://docs.citrix.com April 23, 2024

Federated Authentication Service

Contents

Federated Authentication Service 2402 LTSR 2

Federated Authentication Service 2311 3

Federated Authentication Service 2308 4

Federated Authentication Service 2305 5

Federated Authentication Service 2303 5

Federated Authentication Service 2212 6

Federated Authentication Service 2209 6

Federated Authentication Service 2206 6

Federated Authentication Service 2203 6

Federated Authentication Service 2112 7

Federated Authentication Service 2109 7

Federated Authentication Service 2106 8

Federated Authentication Service 2103 8

Federated Authentication Service 1912 LTSR 8

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 1

Federated Authentication Service

Federated Authentication Service 2402 LTSR

April 12, 2024

Federated Authentication Service (FAS) is a privileged component designed to integrate with Active
Directory Certificate Services. It dynamically issues certificates for users, allowing them to log on to an
Active Directory environment as if they had a smart card. This allows StoreFront to use a broader range
of authentication options, such as SAML (Security Assertion Markup Language) assertions. SAML is
commonly used as an alternative to traditional Windows user accounts on the Internet.

Federated Authentication Service 2402 LTSR is the latest Current Release version of FAS. This article
reflects features and configurations in this latest release.

Earlier releases

For documentation of earlier FAS releases, see:

• Federated Authentication Service 2311

• Federated Authentication Service 2308

• Federated Authentication Service 2305

• Federated Authentication Service 2303

• Federated Authentication Service 2212

• Federated Authentication Service 2209

• Federated Authentication Service 2206

• Federated Authentication Service 2203

• Federated Authentication Service 2112

• Federated Authentication Service 2109

• Federated Authentication Service 2106

• Federated Authentication Service 2103

• Federated Authentication Service 1912 LTSR

• XenApp and XenDesktop 7.15 Long Term Service Release

The product lifecycle strategy for Current Releases (CR) and Long Term Service Releases (LTSR) is de‑
scribed in Lifecycle Milestones.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 2

Federated Authentication Service

References

• Active Directory Certificate Services Overview

• Configuring Windows for Certificate Logon

Federated Authentication Service 2311

April 14, 2024

Federated Authentication Service (FAS) is a privileged component designed to integrate with Active
Directory Certificate Services. It dynamically issues certificates for users, allowing them to log on to an
Active Directory environment as if they had a smart card. This allows StoreFront to use a broader range
of authentication options, such as SAML (Security Assertion Markup Language) assertions. SAML is
commonly used as an alternative to traditional Windows user accounts on the Internet.

Federated Authentication Service 2311 is the latest Current Release version of FAS. This article re‑
flects features and configurations in this latest release.

Earlier releases

For documentation of earlier FAS releases, see:

• Federated Authentication Service 2308

• Federated Authentication Service 2305

• Federated Authentication Service 2303

• Federated Authentication Service 2212

• Federated Authentication Service 2209

• Federated Authentication Service 2206

• Federated Authentication Service 2203

• Federated Authentication Service 2112

• Federated Authentication Service 2109

• Federated Authentication Service 2106

• Federated Authentication Service 2103

• Federated Authentication Service 1912 LTSR

• XenApp and XenDesktop 7.15 Long Term Service Release

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 3

Federated Authentication Service

The product lifecycle strategy for Current Releases (CR) and Long Term Service Releases (LTSR) is de‑
scribed in Lifecycle Milestones.

References

• Active Directory Certificate Services Overview

• Configuring Windows for Certificate Logon

Federated Authentication Service 2308

January 29, 2024

Federated Authentication Service (FAS) is a privileged component designed to integrate with Active
Directory Certificate Services. It dynamically issues certificates for users, allowing them to log on to an
Active Directory environment as if they had a smart card. This allows StoreFront to use a broader range
of authentication options, such as SAML (Security Assertion Markup Language) assertions. SAML is
commonly used as an alternative to traditional Windows user accounts on the Internet.

Federated Authentication Service 2308 is the latest Current Release version of FAS. This article re‑
flects features and configurations in this latest release.

Earlier releases

For documentation of earlier FAS releases, see:

• Federated Authentication Service 2305

• Federated Authentication Service 2303

• Federated Authentication Service 2212

• Federated Authentication Service 2209

• Federated Authentication Service 2206

• Federated Authentication Service 2203

• Federated Authentication Service 2112

• Federated Authentication Service 2109

• Federated Authentication Service 2106

• Federated Authentication Service 2103

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 4

Federated Authentication Service

• Federated Authentication Service 1912 LTSR

• XenApp and XenDesktop 7.15 Long Term Service Release

The product lifecycle strategy for Current Releases (CR) and Long Term Service Releases (LTSR) is de‑
scribed in Lifecycle Milestones.

References

• Active Directory Certificate Services Overview

• Configuring Windows for Certificate Logon

Federated Authentication Service 2305

July 20, 2023

Federated Authentication Service (FAS) is a privileged component designed to integrate with Active
Directory Certificate Services. It dynamically issues certificates for users, allowing them to log on to an
Active Directory environment as if they had a smart card. This allows StoreFront to use a broader range
of authentication options, such as SAML (Security Assertion Markup Language) assertions. SAML is
commonly used as an alternative to traditional Windows user accounts on the Internet.

Federated Authentication Service 2303

May 26, 2023

Multi‑tenant support in FAS

We are introducing support for Federated Authentication Service (FAS) across multi‑tenant environ‑
ments. FAS supports single sign‑on to DaaS in Citrix Workspace, typically when using AAD or other 3rd‑
part IdP for Citrix Workspace Authentication. Until now, it has not been possible to use FAS with multi‑
tenant (CSP) environments. This feature adds support for FAS across multi‑tenant environments, al‑
lowing the SSO functionality to be provided in these configurations.

For more information, see Enable Federated Authentication Service for a tenant customer.

For information about bug fixes, see Fixed issues.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 5

Federated Authentication Service

Federated Authentication Service 2212

March 22, 2023

This release of Federated Authentication Service includes no new features.
For information about bug fixes, see Fixed issues.

Federated Authentication Service 2209

March 22, 2023

This release of Federated Authentication Service includes no new features.
For information about bug fixes, see Fixed issues.

Federated Authentication Service 2206

March 22, 2023

This release of Federated Authentication Service (FAS) includes the following new features:

• Registration for FAS Servers. Updated the Citrix Cloud registration flow for Federated Authen‑
tication Service (FAS) servers to provide a consistent user experience, and improve the security
posture of FAS servers.
The new registration service for FAS removes the need to open a new browser on the server.
The registration service provides a consistent on‑premises user experience with other Citrix on‑
premises products, improves the security posture of FAS servers, and reduces the administrator
configuration on FAS servers. For more information, see Connect to Citrix Cloud.
• Event log improvements. Added new FAS event logs. For details of these event logs, see FAS
event logs.

For information about bug fixes, see Fixed issues.

Federated Authentication Service 2203

April 7, 2023

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 6

Federated Authentication Service

Federated Authentication Service 2203 (PDF Download)

Documentation for this product version is not the latest version. For the most recently updated con‑
tent, see the Federated Authentication Service current release documentation.
Note:

Links to external websites found in the PDF above take you to the correct pages, but links to other
sections within the PDF are no longer usable.

Federated Authentication Service 2112

April 7, 2023

Federated Authentication Service 2112 (PDF Download)

Documentation for this product version is not the latest version. For the most recently updated con‑
tent, see the Federated Authentication Service current release documentation.
Note:

Links to external websites found in the PDF above take you to the correct pages, but links to other
sections within the PDF are no longer usable.

Federated Authentication Service 2109

April 7, 2023

Federated Authentication Service 2109 (PDF Download)

Documentation for this product version is not the latest version. For the most recently updated con‑
tent, see the Federated Authentication Service current release documentation.
Note:

Links to external websites found in the PDF above take you to the correct pages, but links to other
sections within the PDF are no longer usable.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 7

Federated Authentication Service

Federated Authentication Service 2106

April 7, 2023

Federated Authentication Service 2106 (PDF Download)

Documentation for this product version is not the latest version. For the most recently updated con‑
tent, see the Federated Authentication Service current release documentation.
Note:

Links to external websites found in the PDF above take you to the correct pages, but links to other
sections within the PDF are no longer usable.

Federated Authentication Service 2103

April 7, 2023

Federated Authentication Service 2103 (PDF Download)

Documentation for this product version is not the latest version. For the most recently updated con‑
tent, see the Federated Authentication Service current release documentation.
Note:

Links to external websites found in the PDF above take you to the correct pages, but links to other
sections within the PDF are no longer usable.

Federated Authentication Service 1912 LTSR

March 22, 2023

Note:

This documentation supports Federated Authentication Service 1912, which is a baseline com‑
ponent for Citrix Virtual Apps and Desktops 7 1912 LTSR. For the most recently updated content,
see the Federated Authentication Service current release documentation. The product lifecycle
strategy for Current Releases (CR) and Long Term Service Releases (LTSR) is described in Lifecycle
Milestones.

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 8

Federated Authentication Service (FAS) is a privileged component designed to integrate with Active
Directory Certificate Services. It dynamically issues certificates for users, allowing them to log on to an
Active Directory environment as if they had a smart card. This allows StoreFront to use a broader range
of authentication options, such as SAML (Security Assertion Markup Language) assertions. SAML is
commonly used as an alternative to traditional Windows user accounts on the Internet.

The following diagram shows FAS integrating with a Microsoft Certification Authority and providing
support services to StoreFront and Citrix Virtual Apps and Desktops Virtual Delivery Agents (VDAs).

Trusted StoreFront servers contact FAS as users request access to the Citrix environment. FAS grants
a ticket that allows a single Citrix Virtual Apps or Citrix Virtual Desktops session to authenticate with a
certificate for that session. When a VDA needs to authenticate a user, it connects to FAS and redeems
the ticket. Only FAS has access to the user certificate’s private key; the VDA must send each signing
and decryption operation that it needs to perform with the certificate to FAS.

References

• Active Directory Certificate Services https://docs.microsoft.com/en‑us/previous‑versions/win

dows/it‑pro/windows‑server‑2012‑R2‑and‑2012/hh831740(v=ws.11)
• Configuring Windows for Certificate Logon http://support.citrix.com/article/CTX206156
Federated Authentication Service

© 2024 Cloud Software Group, Inc. All rights reserved. Cloud Software Group, the Cloud Software Group logo, and other

marks appearing herein are property of Cloud Software Group, Inc. and/or one or more of its subsidiaries, and may be

registered with the U.S. Patent and Trademark Office and in other countries. All other marks are the property of their

respective owner(s).

© 1999–2024 Cloud Software Group, Inc. All rights reserved. 10