Citrix Gateway SaaS and O365 Cloud Citrix Validated Reference Design


Software as a Service (SaaS) is a software distribution model to deliver software remotely as a web-based service. Commonly used SaaS apps including Microsoft Office 365 subscriptions.

SaaS apps can now be accessed using Citrix Workspace using Citrix Gateway service. The Citrix Gateway service coupled with Citrix Workspace provides a unified user experience for the configured SaaS apps, configured virtual apps, or any other workspace resources.

SaaS apps delivery using Citrix Gateway service provides you an easy, secure, robust, and scalable solution to manage the apps. SaaS apps delivered on the cloud have the following benefits:

Simple configuration – Easy to operate, update, and consume. Single sign-on – Hassle-free log on with Single sign-on. Standard template for different apps – Template based configuration of popular apps.

Citrix Gateway SaaS Application

Within the App Details section, fill out as follows:

  • Location = Outside my corporate network

  • Name = Office 365 * URL =

  • Related Domains: *

  • Description = (default)


Within the Single Sign On section, fill out as follows:

  • Assertion URL =

  • Audience = urn:federation:MicrosoftOnline

  • Name ID Format = Persistent

  • Name ID = Active Directory GUID

  • Advanced Attributes:

    Attribute Name: IDPEmail

    Attribute Format: Unspecified

    Attribute Value: Email


O365 SaaS Application Federation to Citrix Gateway

PowerShell commands to configure FEDERATED Mode on Microsoft Cloud:

  • PS> connect-msolservice

Note: A Microsoft Cloud Account should be used to connect to msolservice.

For example,

  • PS> Install-Module AzureAD -Force
  • PS> Import-Module AzureAD -Force
  • PS> Install-Module MSOnline -Force
  • PS> Import-module MSOnline -Force

Configure the Federation settings unique to the Citrix Gateway Customer subscription:

  • PS> $dom = ""

Note: the namespace is the user authentication domain

  • PS> $fedBrandName = "CitrixNS(TME)"
  • PS> $url = ""
  • PS> $uri = ""
  • PS> $ecpUrl = ""

Note: customerID is the Citrix Workspace URL

Supply the SAML IdP certificate from Citrix Gateway:

  • PS> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\cert\saml_idp.crt")
  • PS> $certData = [system.convert]::tobase64string($cert.rawdata)

Execute the PS string to complete the msol Federation to Citrix Gateway:

  • PS> Set-MsolDomainAuthentication -DomainName $dom –federationBrandName $fedBrandName -Authentication Federated -PassiveLogOnUri $uri -SigningCertificate $certData -IssuerUri $uri -ActiveLogOnUri $ecpUrl -LogOffUri $url -PreferredAuthenticationProtocol SAMLP

Validate the Domain Federation and settings are complete:

  • PS> Get-MsolDomainFederationSettings



FederationBrandName customerID(TME)



PassiveLogOnUri https://citrix.comcustomerID


Office 365 Suite Applications

  • Outlook

  • OneDrive for Business

  • Word

  • Excel

  • PowerPoint

  • OneNote

  • SharePoint

  • Teams

  • Yammer

  • Dynamics 365

  • Flow

Azure PowerShell Module Reference

Azure PowerShell Command Reference

Deploy Office 365 Directory Synchronization in Microsoft Azure

Citrix Gateway SaaS and O365 Cloud Citrix Validated Reference Design