Support for Software as a Service apps
Software as a Service (SaaS) is a software distribution model to deliver software remotely as a web-based service. Commonly used SaaS apps include Salesforce, Workday, Concur, GoToMeeting, and so forth.
SaaS apps can be accessed using Citrix Workspace using the Citrix Gateway service. The Citrix Gateway service coupled with Citrix Workspace provides a unified user experience for the configured SaaS apps, configured virtual apps, or any other workspace resources.
SaaS apps delivery using the Citrix Gateway service provides you an easy, secure, robust, and scalable solution to manage the apps. SaaS apps delivered on the cloud have the following benefits:
- Simple configuration – Easy to operate, update, and consume.
- Single sign-on – Hassle free logon with Single sign-on.
- Standard template for different apps – Template based configuration of popular apps.
How SaaS apps are supported with the Citrix Gateway service
- Customer admin configures SaaS apps using Citrix Gateway service UI (citrix.cloud.com). The admin then adds subscribers (users) for the apps.
- Admin provides the service URL to the users to access Citrix Workspace.
- Users subscribed for an app can see the app upon logon to Citrix Workspace.
- To launch the app, a user clicks the enumerated SaaS app icon.
- SaaS app trusts the SAML assertion provided by the Citrix Gateway service and the app is launched.
Configured SaaS apps are aggregated along with virtual apps and other resources in Citrix Workspace for a unified user experience.
Ways to configure SaaS apps
SaaS apps can be configured and published in the following two ways:
Template based configuration - For configuration steps, see Configuring and publishing apps using template
Manual configuration - Configuration steps are as follows.
Configure and publish apps manually
The following configuration takes the Splunk app as an example to configure and publish an app manually:
On the Citrix Gateway service tile, click Manage.
Click Add a Web/SaaS app tab below the Single Sign On tile.
Click Skip to configure the Splunk app manually.
Select Outside my corporate network.
Enter the following details in the App Details section and click Save.
Name – Name of the application.
URL – URL with your customer ID. If SSO fails or when the Don’t use SSO option is selected, the user is redirected to this URL.
Customer domain name and Customer domain ID - Customer domain name and ID are used to create an app URL and other subsequent URLs in the SAML SSO page.
For example, if you are adding a Salesforce app, your domain name is
salesforceformyorgand ID is 123754, then the app URL is
Customer domain name and Customer ID fields are specific to certain apps.
Related Domains – The related domain is auto-populated based on the URL that you have provided. Related domain helps the service to identify the URL as part of the app and route traffic accordingly. You can add more than one related domain.
Icon – Click Change to change the app icon. The icon file size must be 128x128 pixels. If you do not change the icon, the default icon is displayed.
In the Enhanced Security section, select Enable enhanced security to choose the security options you would like to apply to the application.
The Enhanced Security section is available only if you are entitled to Secure Workspace Access service. For details, see https://www.citrix.com/products/citrix-cloud/.
The following enhanced security options can be enabled for the application.
- Restrict clipboard access: Disables cut/copy/paste operations between the app and system clipboard
- Restrict printing: Disables ability to print from within the Citrix Workspace app browser
- Restrict navigation: Disables the next/back app browser buttons
- Restrict downloads: Disables the user’s ability to download from within the app
- Display watermark: Displays a watermark on the user’s screen displaying the user name and IP address of the user’s machine
The following advanced app protection policies can be enabled for the application.
Restrict keylogging: Protects against key loggers. When a user tries to log on to the app using the user name and password, all the keys are encrypted on the key loggers. Also, all activities that a user performs on the app are protected against key logging. For example, if app protection policies are enabled for Office365 and the user edit an Office365 word document, all key strokes are encrypted on key loggers.
Restrict screen capture: Disables the ability to capture the screens using any of the screen capture programs or apps. If a user tries to capture the screen, a blank screen is captured.
- You can enable the advanced app protection policies only after enabling the Enable enhanced security option.
- The app protection policies are enabled per app because not all apps might require these restrictions.
- The app protection policies work only when the app is delivered through the Citrix embedded browser.
Select Launch application always in Citrix Secure Browser service to always launch an application in Secure Browser service regardless of other enhanced security settings.
The option to launch applications always in Citrix Secure Browser service is under Private Tech Preview.
The other enhanced security options are still enforced once the app is launched inside the Secure Browser.
If you are accessing the app from the Citrix Workspace app or from the Citrix Workspace for web, then the app is launched in the embedded browser or the native browser respectively until the policy is enforced on mobile devices.
Select Enforce policy on mobile device to enable the previously mentioned enhanced security options on your mobile device.
When Enforce Policy on Mobile Device is selected along with Enable enhanced security, the user experience for the application access is negatively impacted for the desktop users and the mobile users.
Select your preferred single sign-on type to be used for your application and click Save. SAML and Don’t use SSO single sign-on types are available.
SAML: Enter the following details for the SAML single sign-on section and click Save.
Sign Assertion - Signing assertion or response ensures message integrity when the response or assertion is delivered to the relying party(SP). You can select Assertion, Response, Both, or None.
Assertion URL – Assertion URL is provided by the application vendor. The SAML assertion is sent to this URL.
Relay State – The Relay State parameter is used to identify the specific resource the users access after they are signed in and directed to the relying party’s federation server. Relay State generates a single URL for the users. Users can click this URL to log on to the target application.
Audience – Audience is provided by the application vendor. This value confirms the SAML assertion is generated for the correct application.
Name ID Format – Select the supported name identifier format.
Name ID – Select the supported name ID.
Don’t use SSO – Use the Don’t use SSO option when you do not need to authenticate a user on the back-end server. When you select Don’t use SSO option the user is redirected to the URL configured under the App details section.
Download the metadata file by clicking the link under SAML Metadata. Use the downloaded metadata file to configure SSO on the SaaS apps server.
- You can copy the SSO login URL under Login URL and use this URL when configuring SSO on the SaaS apps server.
- You can also download the certificate from the Certificate list and use the certificate when configuring SSO on the SaaS apps server.
After you click Finish, the app is added to the library and you are presented with the following three options.
- Add Another App
- Edit App
Go to the Library
Assign users or user groups for the published apps
After an app is published, you can assign users or groups to the app.
On the Citrix Cloud screen, click Go to the Library. Alternatively, you can also click Library in the upper left menu.
Notice that the newly added app features in your library.
To assign users for the app, hover your pointer over the ellipses on the right, and click Manage Subscribers.
Click Choose a domain list and select a domain. Click Choose a group or user and assign users.
A subscribed user can be unsubscribed by selecting the user and clicking the delete icon next to Status.
To obtain the Workspace URL to be shared with app users, on Citrix Cloud, click the menu icon and navigate to Workspace Configuration.
Manage published apps
You can edit or delete a published app, and add more subscribers to the published app.
Edit a published app
To edit a published app, perform the following steps:
Go to Library and identify the app to be edited.
Hover your pointer over the ellipses on the right and click Edit.
Edit the entries under the App Details section and click Save.
Edit the entries under the Single Sign On section, click Save, and click Finish.
The following screen appears indicating that the app has been modified.
Delete a published app
To delete a published app, perform the following steps:
- Go to Library and identify the app to be deleted.
- Click the dot icon on the right and click Delete.
Manage subscribers for published app
To add more subscribers, perform the following steps:
- Go to Library and identify the app to be modified.
- Hover your pointer over the ellipses on the right, and click Manage Subscribers.
Launch a configured app - end-user flow
To launch a configured app, perform the following steps:
- Log on to Citrix Workspace with AD user credentials. The admin configured apps are displayed.
- Click the app to launch the app. The app is launched and the user is signed-in to the app.