Citrix Gateway Service SSO with Access Control Citrix Validated Reference Design
Citrix Gateway Service
Citrix Gateway Service is a Citrix offering that provides authentication, single sign-on, and enables fast and secure delivery of Citrix VDI and SaaS applications.
Citrix Gateway Service also provides SSO to SaaS and Web Applications. The Software as a Service (SaaS) SSO feature is a cloud based, fully managed service in Citrix Cloud that provides remote access and Single-Sign-On to publicly hosted SaaS applications and corporate hosted Web applications.
SaaS apps can now be accessed using Citrix Gateway Service within the users Workspace subscription. The Citrix Gateway Service provides authenticated access to third-party SaaS applications running in publicly hosted external SaaS application providers.
The Citrix Gateway Service coupled with Citrix Workspace provides a unified user experience for the configured SaaS apps, configured virtual apps, or any other workspace resources.
SaaS apps delivery using NetScaler Gateway Service provides you an easy, secure, robust, and scalable solution to manage the apps. SaaS apps delivered on the cloud have the following benefits:
Simple configuration – Easy to operate, update, and consume.
Single sign-on – Hassle free logon with Single sign-on.
Standard template for different apps – Template based configuration of popular apps.
Citrix Gateway Service Features
- Simplicity: Reduce NetScaler deployment and management complexity using a cloud-based offering
- Always Current: Simplify management of Citrix Gateway with always up-to-date product
- Security and High availability: Improve security and availability of XenApp and XenDesktop Services
- Speed: Provide faster and easier way to deploy and manage Citrix Gateway
- Convenience: Gateway services packaged and sold together to simplify meeting the use cases that IT most commonly faces
Citrix Gateway Service Reduce costs, simplify management, and improve the user experience with secure remote access.
Access Control service overview
Using the Access Control service, administrators can provide a cohesive experience that integrates single sign-on, remote access, and content inspection into a single solution for end-to-end access control. IT administrators can govern access to approved SaaS apps with a simplified single sign-on experience. With the Access Control service, administrators can also protect the organization’s network and end user devices from malware and data leaks by filtering access to specific websites and website categories. Administrators can enforce enhanced access security policies for secure access to SaaS applications. Once authenticated, employees have access to all critical business applications from any device irrespective of whether they are in the office premises, at home, or traveling.
Administrators can monitor user activities, such as
- malicious, dangerous, or unknown websites visited
- the bandwidth consumed
- risky download and upload behaviors.
Using the Analytics around websites and website categories accessed, administrators can take corrective action to protect the enterprise network. At the same time, the service provides end users seamless and secure access to all their hosted apps.
Administrators can also restrict actions, such as restricted printing, downloads, and clipboard access (copy-paste).
The following diagram is a visual depiction of the Access Control service.
Gateway Service with Access Control Features
Some of the key tasks that you can complete with the Access Control service are as follows:
Publish SaaS apps with single sign-on access.
Set enhanced security policies for SaaS apps. (For example, watermark, copy-paste restriction, and prevent downloads.)
Define access policy for website categories and websites to be blocked.
Define access policy for website categories and websites to be redirected to Secure Browser service.
Understand users and websites activity in the context of SaaS apps and correlate it to defined policies.
Make policy changes to allow or block website access, and enable access in a secure browser service session.
Citrix Gateway Service SaaS publishing steps
Getting started in four easy steps
- Sign Up for Citrix Cloud
- Request for the NetScaler Gateway Service Trial
- NetScaler Gateway Service is provisioned
- Access the NetScaler Gateway Service UI
Citrix Gateway Service SaaS Application Configuration
In this example, we walk through the configuration steps necessary to configure Citrix Gateway Service with the SalesForce.com SaaS application.
Configure end user access to SaaS, web, and virtual applications configured
Configure a workspace to securely deliver access to apps from any device. Go to Workspace configuration Manage and add SaaS applications from the library Go to library | Add a SaaS app
To add a SaaS app from the Citrix Gateway Service Application Catalog, complete the steps below
Access the Citrix Subscription instance at the following url
Citrix Cloud Account Login and provide your organizations login credentials.
Launch the Citrix Gateway Service tile from Citrix Cloud administration portal.
Launch “Get Started” link to configure an SSO SaaS Application.
Select a SaaS application template from the Application Catalog list.
In this example, we are going to configure Salesforce for SSO as a Workspace SaaS application.
Complete the required SaaS application specific parameters:
In this example, we select “Outside my corporate network” as this is a SaaS application hosted by a third party application subscription.
Manage the SaaS application subscribers of the Workspace.
Assign users to the SaaS application from the users domain.
You authenticate to your workspace via the following credentials:
- Windows Active Directory
- Azure Active Directory
Access Control for SaaS Applications Configuration
Citrix Access Control (CAC), which builds on the SSO and multifactor authentication (MFA) capabilities included in the gateway service to offer more granular policy control for the access and use of SaaS and web applications. Together with advanced analytics based on user behavior analysis and their risk scores, CAC strengthens the overall security posture of delivering the secure digital workspace to the enterprise end users.
Access Control enhanced Security settings
- Enable enhanced security: launches and monitors the web or SaaS application in the Citrix embedded browser, and routes unknown traffic to Access Control.
- Restrict clipboard access: disables cut/copy/paste operations between the app and system clipboard
- Restrict printing: disables ability to print from within the app browser.
- Restrict navigation: disables the next/back app browser buttons.
- Restrict downloads: disables the user’s ability to download from within the app.
- Display watermark: displays a watermark on the user’s screen displaying user name and IP address of the user’s machine.
Access Control for content access settings
Configure web filtering to allow/block end user access, and redirect them to the Citrix Secure Browser Service.
- Select Configure Content Access
- Select Edit
- Enable Filter websites list
- Add / Remove Blocked or Allowed websites
- Add / Remove Blocked or Allowed websites categories
Launching the Citrix Workspace Application with Access Control
The Workspace SaaS application is at the following FQDN for US-Americas hosted subscriptions:
You can access your workspace experience via Workspace app, which is available in 3 flavors:
- Desktop (Windows/Mac)
- Mobile (iOS/Android)
- Web (HTML5)
Using a Web Browser, connect to the Workspace url.
Select the SaaS application tile within the Workspace.
The application is launched seamlessly in a browser tab, with native SSO.
In this article
- Citrix Gateway Service
- Citrix Gateway Service Features
- Access Control service overview
- Gateway Service with Access Control Features
- Citrix Gateway Service SaaS publishing steps
- Getting started in four easy steps
- Citrix Gateway Service SaaS Application Configuration
- Configure end user access to SaaS, web, and virtual applications configured
- Access Control for SaaS Applications Configuration
- Access Control enhanced Security settings
- Access Control for content access settings
- Launching the Citrix Workspace Application with Access Control
- Reference Links