How to use Citrix SSO app from your Android device


  • Citrix SSO refers to Citrix Secure Sign-On and is used interchangeably in Citrix SSO help documentation.

  • For administrator-specific instructions on Citrix SSO for Android, see Citrix SSO for Android devices.

Install the Citrix SSO app from your Play Store. First-time users must create a connection to NetScaler Gateway by adding the server in non-MDM case. For subsequent uses, you can connect to an existing connection or add a connection, and edit existing connections as well, if allowed by your administrator in an MDM deployment. You can also view the logs and take appropriate actions accordingly.


  • Connections deployed via MDM cannot be edited.

  • Starting from Citrix SSO for Android 23.8.1, you might be prompted to grant the Query all packages consent to the Citrix SSO app. Once the consent is granted, the Citrix SSO app:

    • Receives the package install notification from the operating system.
    • Restarts the Always On VPN.

    When you connect to your VPN profile for the first time, you are prompted to provide consent (required by Google policies) to collect information of the installed package. If the you grant the consent, the VPN connection is initiated. If you deny the consent, the VPN connection is aborted. The consent screen does not reappear once the consent has been granted.

Add a connection

Note: This step is required only in a non-MDM case.

After you install the Citrix SSO app and open the app, the following screen appears.

Sso app first screen

  1. Click + to add a connection.

  2. Enter the base URL (for example, and the name for the VPN connection. Optionally, you can enter the user name.

    Add a connection

  3. Click Save and then click Save and Connect or Just Save as appropriate.

    Save or connect to the connection

  4. Provide authentication credentials for your server and tap LOG IN or Done on the keypad.

    Enter authentication credentials

The connection request message appears. Click OK.

Note: This message appears only the first time that any VPN connection is established by the Citrix SSO app. If user allows the connection first time, this message is not shown again until the user uninstalls and reinstalls the app.

Connection request confirmation message

Note: To log out from Citrix SSO, turn the VPN switch OFF.

Log out using the vpn switch

Modify or delete an existing connection

You can edit or delete a connection after you log out from the Citrix SSO app.

Tap and hold the server name and select Edit Connection or Delete Connection.

Edit or delete a connection

Reconnect to NetScaler Gateway after a VPN connection failure - Preview

Starting from release 23.10.1, Citrix SSO for Android prompts you to reauthenticate with NetScaler Gateway when a VPN connection is lost. You are notified on the Citrix SSO UI and the notification panel of your Android device indicating that the connection to NetScaler Gateway is lost and that you must reauthenticate to resume the connection.


This feature is in preview.

Reauthenticate with NetScaler Gateway

Block untrusted servers

Citrix SSO does not connect to untrusted servers, by default. Untrusted servers refer to servers using self-signed certificates or not having trusted root certificate for the gateway. To allow these types of connections, you can turn Block Untrusted Servers switch OFF.

Block untrusted servers

Enable debug logs

Capturing debug logs is a critical part of troubleshooting or reporting issues to Citrix Support. Tap the Debug Logging switch ON to turn on debug logging for the Citrix SSO. You can email the logs when troubleshooting connection issues using the Email Logs link.

View debug logs

View statistics

You can view the connection statistics when VPN is connected.

View connection statistics

Password tokens

You can add a 6-digit password token as a second factor authentication. This code uses the time-based one time password protocol to generate the OTP code.

You can add a password token manually or register a password token using the QR code scan method. Second factor authentication using push notifications is not be enabled if you choose to enter the token manually.

Register a password token

  1. Log in to your organization’s manage one-time PIN page in your web browser on a desktop or a laptop.

  2. Click Add Device.

  3. Enter a name for your device, then click Go.

    A QR code is generated.

Add a password token by scanning the QR code on the browser

  1. Navigate to Tokens tab on the Home view.

  2. Tap + and tap Scan QR Code.

  3. Focus the camera on the QR code on your browser.

Citrix SSO auto-populates the device name and secret key.

Alternatively, you can manually enter the secret key that appears above the QR code.

Citrix SSO validates the QR code and then registers with gateway for push notifications. If there are no errors in the registration process, the token is successfully added to the tokens tab.


  • You must allow camera permissions for Citrix SSO to capture the QR code.
  • You must enable the device PIN/password on your device.

Add a password token manually

  1. Navigate to Tokens tab on the Home view.

  2. Tap + and tap Enter Manually.

  3. Enter the device name and the secret key as it appears on the password token generated on the browser.

Help topics

For more information about how to use the Citrix SSO app, see Help.

SSO for Android help topics

How to use Citrix SSO app from your Android device