Advanced Concepts

Citrix Gateway Service SSO with Access Control Citrix Validated Reference Design

Citrix Gateway Service

Citrix Gateway Service is a Citrix offering that provides authentication, single sign-on, and enables fast and secure delivery of Citrix VDI and SaaS applications.

Citrix Gateway Service also provides SSO to SaaS and Web Applications. The Software as a Service (SaaS) SSO feature is a cloud based, fully managed service in Citrix Cloud that provides remote access and Single-Sign-On to publicly hosted SaaS applications and corporate hosted Web applications.

SaaS apps can now be accessed using Citrix Gateway Service within the users Workspace subscription. The Citrix Gateway Service provides authenticated access to third-party SaaS applications running in publicly hosted external SaaS application providers.


The Citrix Gateway Service coupled with Citrix Workspace provides a unified user experience for the configured SaaS apps, configured virtual apps, or any other workspace resources.

SaaS apps delivery using NetScaler Gateway Service provides you an easy, secure, robust, and scalable solution to manage the apps. SaaS apps delivered on the cloud have the following benefits:

  • Simple configuration – Easy to operate, update, and consume.

  • Single sign-on – Hassle free logon with Single sign-on.

  • Standard template for different apps – Template based configuration of popular apps.

Citrix Gateway Service Features

  • Simplicity: Reduce NetScaler deployment and management complexity using a cloud-based offering
  • Always Current: Simplify management of Citrix Gateway with always up-to-date product
  • Security and High availability: Improve security and availability of XenApp and XenDesktop Services
  • Speed: Provide faster and easier way to deploy and manage Citrix Gateway
  • Convenience: Gateway services packaged and sold together to simplify meeting the use cases that IT most commonly faces

Citrix Gateway Service Reduce costs, simplify management, and improve the user experience with secure remote access.

Access Control service overview

Using the Access Control service, administrators can provide a cohesive experience that integrates single sign-on, remote access, and content inspection into a single solution for end-to-end access control. IT administrators can govern access to approved SaaS apps with a simplified single sign-on experience. With the Access Control service, administrators can also protect the organization’s network and end user devices from malware and data leaks by filtering access to specific websites and website categories. Administrators can enforce enhanced access security policies for secure access to SaaS applications. Once authenticated, employees have access to all critical business applications from any device irrespective of whether they are in the office premises, at home, or traveling.

Administrators can monitor user activities, such as

  • malicious, dangerous, or unknown websites visited
  • the bandwidth consumed
  • risky download and upload behaviors.

Using the Analytics around websites and website categories accessed, administrators can take corrective action to protect the enterprise network. At the same time, the service provides end users seamless and secure access to all their hosted apps.

Administrators can also restrict actions, such as restricted printing, downloads, and clipboard access (copy-paste).

The following diagram is a visual depiction of the Access Control service.

Gateway Service with Access Control Features

Some of the key tasks that you can complete with the Access Control service are as follows:

  • Publish SaaS apps with single sign-on access.

  • Set enhanced security policies for SaaS apps. (For example, watermark, copy-paste restriction, and prevent downloads.)

  • Define access policy for website categories and websites to be blocked.

  • Define access policy for website categories and websites to be redirected to Secure Browser service.

  • Understand users and websites activity in the context of SaaS apps and correlate it to defined policies.

  • Make policy changes to allow or block website access, and enable access in a secure browser service session.

Citrix Gateway Service SaaS publishing steps

Support for Software as a Service Apps

Getting started in four easy steps

  1. Sign Up for Citrix Cloud
  2. Request for the NetScaler Gateway Service Trial
  3. NetScaler Gateway Service is provisioned
  4. Access the NetScaler Gateway Service UI

Get Started with Citrix Cloud Here

Get Started with Citrix Workspace Here

Citrix Gateway Service SaaS Application Configuration

In this example, we walk through the configuration steps necessary to configure Citrix Gateway Service with the SaaS application.

Configure end user access to SaaS, web, and virtual applications configured

Configure a workspace to securely deliver access to apps from any device. Go to Workspace configuration Manage and add SaaS applications from the library Go to library | Add a SaaS app


To add a SaaS app from the Citrix Gateway Service Application Catalog, complete the steps below

Access the Citrix Subscription instance at the following url

Citrix Cloud Account Login and provide your organizations login credentials.

  1. Launch the Citrix Gateway Service tile from Citrix Cloud administration portal.


  2. Launch “Get Started” link to configure an SSO SaaS Application.


  3. Select a SaaS application template from the Application Catalog list.

    In this example, we are going to configure Salesforce for SSO as a Workspace SaaS application.


  4. Complete the required SaaS application specific parameters:


    In this example, we select “Outside my corporate network” as this is a SaaS application hosted by a third party application subscription.


  5. Manage the SaaS application subscribers of the Workspace.


  6. Assign users to the SaaS application from the users domain.


    You authenticate to your workspace via the following credentials:

    • Windows Active Directory
    • Azure Active Directory


Access Control for SaaS Applications Configuration

Citrix Access Control (CAC), which builds on the SSO and multifactor authentication (MFA) capabilities included in the gateway service to offer more granular policy control for the access and use of SaaS and web applications. Together with advanced analytics based on user behavior analysis and their risk scores, CAC strengthens the overall security posture of delivering the secure digital workspace to the enterprise end users.

Access Control enhanced Security settings

  • Enable enhanced security: launches and monitors the web or SaaS application in the Citrix embedded browser, and routes unknown traffic to Access Control.
  • Restrict clipboard access: disables cut/copy/paste operations between the app and system clipboard
  • Restrict printing: disables ability to print from within the app browser.
  • Restrict navigation: disables the next/back app browser buttons.
  • Restrict downloads: disables the user’s ability to download from within the app.
  • Display watermark: displays a watermark on the user’s screen displaying user name and IP address of the user’s machine.


Access Control for content access settings

Configure web filtering to allow/block end user access, and redirect them to the Citrix Secure Browser Service.

  • Select Configure Content Access
  • Select Edit
  • Enable Filter websites list
    • Add / Remove Blocked or Allowed websites
    • Add / Remove Blocked or Allowed websites categories

Launching the Citrix Workspace Application with Access Control

The Workspace SaaS application is at the following FQDN for US-Americas hosted subscriptions:

Citrix Cloud Account Login

You can access your workspace experience via Workspace app, which is available in 3 flavors:

  • Desktop (Windows/Mac)
  • Mobile (iOS/Android)
  • Web (HTML5)
  1. Using a Web Browser, connect to the Workspace url.



  2. Select the SaaS application tile within the Workspace.


  3. The application is launched seamlessly in a browser tab, with native SSO.