Microsoft Entra ID SSO
The purpose of this section is to capture the Azure AD/ADFS configuration needed to achieve a single sign-on experience on hybrid joined Windows machines. These machines are also Citrix VDAs, and authentication at the operating system level is performed via the Veridium Citrix fasless component and the Veridium credential provider installed on the VDAs.
In order to achieve SSO to Office 365 apps on hybrid joined devices, an Azure AD Primary Refresh Token has to be issued by the appropriate authority. According to Microsoft’s documentation:
A Primary Refresh Token (PRT) is a key artifact of Microsoft Entra authentication on Windows 10 or newer, Windows Server 2016 and later versions, iOS, and Android devices. It's a JSON Web Token (JWT) specially issued to Microsoft first party token brokers to enable single sign-on (SSO) across the applications used on those devices.
What does the PRT contain?
A PRT contains claims found in most Microsoft Entra ID refresh tokens. In addition, there are some device-specific claims included in the PRT. They are as follows:
Device ID: A PRT is issued to a user on a specific device. The device ID claim deviceID determines the device the PRT was issued to the user on. This claim is later issued to tokens obtained via the PRT. The device ID claim is used to determine authorization for Conditional Access based on device state or compliance.
Session key: The session key is an encrypted symmetric key, generated by the Microsoft Entra authentication service, issued as part of the PRT. The session key acts as the proof of possession when a PRT is used to obtain tokens for other applications. Session key is rolled on Windows 10 or newer Microsoft Entra joined or Microsoft Entra hybrid joined devices if it's older than 30 days.
How is a PRT issued?
Device registration is a prerequisite for device based authentication in Microsoft Entra ID. A PRT is issued to users only on registered devices. For more in-depth details on device registration, see the article Windows Hello for Business and Device Registration. During device registration, the dsreg component generates two sets of cryptographic key pairs:
Device key (dkpub/dkpriv)
Transport key (tkpub/tkpriv)
The private keys are bound to the device’s TPM if the device has a valid and functioning TPM, while the public keys are sent to Microsoft Entra ID during the device registration process. These keys are used to validate the device state during PRT requests.
These articles assume that you already have:
a working Active Directory environment
a PKI infrastructure and a RAEP instance
a working Citrix environment along with a Storefront store and an accessible VDA with the Veridium credential provider installed on it; this VDA has to be a hybrid joined device, meaning that the machine is joined both to the on-premises Active Directory and to Azure AD
Veridium Citrix fasless component installed and all the settings required for fasless authentication on the VDA
A Microsoft Azure AD tenant with a custom domain defined
A working ADFS server.
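Before troubleshooting the ADFS or Veridium side, it is worth confirming on the VDA itself that the device-state prerequisites described above are met: the machine is hybrid joined, the device/transport keys are TPM-protected, and a PRT has actually been issued to the logged-on user. The following PowerShell is an added example, not part of the Veridium or Microsoft documentation; it parses the output of dsregcmd /status (the field names are the real ones that command prints, the sample text embedded below is constructed so the script runs offline).

```powershell
# Added example (not Veridium's or Microsoft's own code): check the device-state
# prerequisites for PRT-based SSO on a hybrid joined VDA from "dsregcmd /status".

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Name : Value"; only the first ":" is the separator,
        # since values such as timestamps contain further colons.
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-PrtSsoPrerequisites {
    param([Parameter(Mandatory)][hashtable]$Status)
    $checks = [ordered]@{
        'Domain joined (on-premises AD)' = $Status['DomainJoined']  -eq 'YES'
        'Azure AD joined (hybrid join)'  = $Status['AzureAdJoined'] -eq 'YES'
        'PRT issued for current user'    = $Status['AzureAdPrt']    -eq 'YES'
        'Device keys protected by TPM'   = $Status['TpmProtected']  -eq 'YES'
    }
    foreach ($name in $checks.Keys) {
        $mark = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Output ("[{0}] {1}" -f $mark, $name)
    }
    # All four must pass for Office 365 SSO via the PRT to work on this VDA.
    return -not ($checks.Values -contains $false)
}

# Constructed sample of the relevant dsregcmd /status fields (offline run).
# On a real VDA use instead:  $raw = dsregcmd /status
$raw = @'
             AzureAdJoined : YES
              DomainJoined : YES
                DomainName : CORP
              TpmProtected : YES
               KeyProvider : Microsoft Platform Crypto Provider
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-01-01 09:15:00.000 UTC
'@ -split "`r?`n"

$ok = Test-PrtSsoPrerequisites -Status (ConvertFrom-DsregStatus -Lines $raw)
Write-Output ("PRT SSO prerequisites met: {0}" -f $ok)
```

Run it in the user's session (not an elevated admin console) because AzureAdPrt reflects the logged-on user; a FAIL on AzureAdPrt with the other three passing usually points at the federation (ADFS) side rather than device registration.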