Apps configuration using a template
SaaS apps configuration with single sign-on on the Citrix Gateway service is simplified by provisioning a template list for popular SaaS apps. The SaaS app to be configured can be selected from the list.
The template pre-fills much of the information required for configuring applications. However, the information specific to the customer must still be provided.
The following section has the steps to be performed on the Citrix Gateway service for configuring and publishing an app using a template. The configuration steps to be performed on the app server is presented in the subsequent section.
Configuring and publishing apps using template - Citrix Gateway service specific configuration
The following configuration takes the Aha app as an example to configure and publish an app using a template.
On the Citrix Gateway service tile, click Manage.
Click Add a Web/SaaS app tab below the Single Sign On tile.
Select the app you want to configure using the Choose a Template list and click Next.
Enter the following details in the App Details section and click Save.
Name – Name of the application.
URL – URL with your customer ID. The user is redirected to this URL if; - SSO fails or - Don’t use SSO option is selected.
Customer domain name and Customer domain ID - Customer domain name and ID are used to create an app URL and other subsequent URLs in the SAML SSO page.
For example, if you are adding a Salesforce app, your domain name is
salesforceformyorgand ID is 123754, then the app URL is
Customer domain name and Customer ID fields are specific to certain apps.
Related Domains – The related domain is auto-populated based on the URL that you have provided. Related domain helps the service to identify the URL as part of the app and route traffic accordingly. You can add more than one related domain.
Icon – Click Change icon to change the app icon. The icon file size must be 128x128 pixels. If you do not change the icon, the default icon is displayed.
In the Enhanced Security section, select Enable enhanced security to choose the security options you would like to apply to the application and click Next.
The Enhanced Security section is available only if you are entitled to Secure Workspace Access service. For details, see https://www.citrix.com/products/citrix-cloud/.
The following enhanced security options can be enabled for the application.
- Restrict clipboard access: Disables cut/copy/paste operations between the app and system clipboard
- Restrict printing: Disables ability to print from within the Citrix Workspace app browser
- Restrict navigation: Disables the next/back app browser buttons
- Restrict downloads: Disables the user’s ability to download from within the app
- Display watermark: Displays a watermark on the user’s screen displaying the user name and IP address of the user’s machine
The following advanced app protection policies can be enabled for the application.
Restrict keylogging: Protects against key loggers. When a user tries to log on to the app using the user name and password, all the keys are encrypted on the key loggers. Also, all activities that a user performs on the app are protected against key logging. For example, if app protection policies are enabled for Office365 and the user edit an Office365 word document, all key strokes are encrypted on key loggers.
Restrict screen capture: Disables the ability to capture the screens using any of the screen capture programs or apps. If a user tries to capture the screen, a blank screen is captured.
- You can enable the advanced app protection policies only after enabling the Enable enhanced security option.
- The app protection policies are enabled per app because not all apps might require these restrictions.
- The app protection policies work only when the app is delivered through the Citrix embedded browser.
Select Launch application always in Citrix Secure Browser service to always launch an application in Secure Browser service regardless of other enhanced security settings.
The other enhanced security options are still enforced once the app is launched inside the Secure Browser.
If you are accessing the app from the Citrix Workspace app or from the Citrix Workspace for web, then the app is launched in the embedded browser or the native browser respectively until the policy is enforced on mobile devices.
Select Enforce policy on mobile device to enable the previously mentioned enhanced security options on your mobile device.
When Enforce Policy on Mobile Device is selected along with Enable enhanced security, the user experience for the application access is negatively impacted for the desktop users and the mobile users.
Enter the following SAML configuration details in the Single Sign On section and click Save.
Assertion URL – SaaS app SAML assertion URL provided by the application vendor. The SAML assertion is sent to this URL.
Relay State – The Relay State parameter is used to identify the specific resource the users access after they are signed in and directed to the relying party’s federation server. Relay State generates a single URL for the users. Users can click this URL to log on to the target application.
Audience – Service provider for whom the assertion is intended.
Name ID Format – Supported format type of user.
Name ID – Name of the format type of user.
When the Don’t use SSO option is selected, the user is redirected to the URL configured under App Details section.
Download the metadata file by clicking the link under SAML Metadata. Use the downloaded metadata file to configure SSO on the SaaS apps server.
- You can copy the SSO login URL under Login URL and use this URL when configuring SSO on the SaaS apps server.
- You can also download the certificate from the Certificate list and use the certificate when configuring SSO on the SaaS apps server.
The following screen appears indicating that the app has been added to the Library.
Perform the application server specific configuration for configuring and publishing the app using the template. For details on each app server specific configuration, see SaaS app server specific configuration.