Support for Software as a Service apps
Software as a Service (SaaS) is a software distribution model to deliver software remotely as a web-based service. Commonly used SaaS apps include Salesforce, Workday, Concur, GoToMeeting, and so forth.
SaaS apps can be accessed using Citrix Workspace using the Secure Private Access service. The Secure Private Access service coupled with Citrix Workspace provides a unified user experience for the configured SaaS apps, configured virtual apps, or any other workspace resources.
SaaS app delivery using the Secure Private Access service provides you an easy, secure, robust, and scalable solution to manage the apps. SaaS apps delivered on the cloud have the following benefits:
- Simple configuration – Easy to operate, update, and consume.
- Single sign-on – Hassle free logon with Single sign-on.
- Standard template for different apps – Template based configuration of popular apps.
How SaaS apps are supported with the Secure Private Access service
- Customer admin configures SaaS apps using the Secure Private Access service UI.
- Admin provides the service URL to the users to access Citrix Workspace.
- To launch the app, a user clicks the enumerated SaaS app icon.
- SaaS app trusts the SAML assertion provided by the Secure Private Access service and the app is launched.
- To grant access to the apps for the users, admins are required to create access policies. In access policies, admins add app subscribers and configure security controls. For details, see Create access policies.
- Configured SaaS apps are aggregated along with virtual apps and other resources in Citrix Workspace for a unified user experience.
Configure a SaaS app
Configuring a SaaS app involves the following high-level steps.
On the Secure Private Access tile, click Manage.
Click Continue and then click Add an app.
- The Continue button appears only for the first time that you use the wizard. In the subsequent usages, you can directly navigate to the Applications page and then click Add an app.
- You can add a SaaS app manually by entering the app details or select an app template that is available for a list of popular SaaS apps. The template pre-fills much of the information required for configuring applications. However, the information specific to the customer must still be provided. For SaaS app configuration template details, see SaaS app server specific configuration.
- Configure the app.
- To enter the app details manually, click Skip.
- To configure the app using a template, click Next.
The Outside my corporate network is enabled by default for a SaaS app.
Enter the following details in the App Details section and click Next.
App name – Name of the application.
App description - A brief description of the app. This description that you enter here’s displayed to your users in the workspace.
App category - Add the category and the subcategory name (if applicable) under which the app that you’re publishing must appear in the Citrix Workspace UI. You can add a new category for each app or use existing categories from the Citrix Workspace UI. Once you specify a category for a web or a SaaS app, the app shows up in the Workspace UI under the specific category.
- The category/subcategories are admin configurable and admins can add a new category for every app.
- The App category field is applicable for HTTP/HTTPS apps and is hidden for TCP/UDP apps.
The category/subcategories names must be separated by a backslash. For example, Business And Productivity\Engineering. Also, this field is case sensitive. Admins must ensure that they define the correct category. If there’s a mismatch between the name in the Citrix Workspace UI and the category name entered in the App category field, the category gets listed as a new category.
For example, if you enter the Business and Productivity category incorrectly as Business And productivity in the App category field, then a new category named Business and productivity gets listed in the Citrix Workspace UI in addition to the Business And Productivity category.
App icon – Click Change icon to change the app icon. The icon file size must be 128x128 pixels. If you do not change the icon, the default icon is displayed.
If you do not want to display the app icon, select Do not display application icon to users.
URL – URL with your customer ID. The URL must contain your customer ID (Citrix Cloud customer ID). To get your customer ID, see Sign up for Citrix Cloud. In case SSO fails or you do not want to use SSO, the user is redirected to this URL.
Customer domain name and Customer domain ID - Customer domain name and ID are used to create the app URL and other subsequent URLs in the SAML SSO page.
For example, if you’re adding a Salesforce app, your domain name is
salesforceformyorgand ID is 123754, then the app URL is
Customer domain name and Customer ID fields are specific to certain apps.
Related Domains – The related domain is auto-populated based on the URL that you’ve provided. Related domain helps the service to identify the URL as part of the app and route traffic accordingly. You can add more than one related domain.
Click Add application to favorites automatically to add this app as a favorite app in Citrix Workspace app.
- Click Allow user to remove from favorites to allow app subscribers to remove the app from the favorites apps list in Citrix Workspace app. When you select this option, a yellow star icon appears at the top left-hand corner of the app in Citrix Workspace app.
Click Do not allow user to remove from favorites to prevent subscribers from removing the app from the favorites apps list in Citrix Workspace app. When you select this option, a star icon with a padlock appears at the top left-hand corner of the app in Citrix Workspace app.
If you remove the apps marked as favorites from the Secure Private Access service console, then these apps must be removed manually from the favorites list in Citrix Workspace. The apps aren’t auto deleted from the Workspace app if removed from the Secure Private Access service console.
- Click Next.
- To enable zero-trust-based access to the apps, apps are denied access, by default. Access to the apps is enabled only if an access policy is associated with the application. For details, see Denied access to the apps, by default.
- If multiple apps are configured with the same FQDN or some variation of the wildcard FQDN, this might result in a conflicting configuration. For details, see Conflicting configuration that might result in app access issues.
In the Single Sign On section, select your preferred single sign-on type to be used for your application and click Save. The following single sign-on types are available.
Don’t use SSO – Use the Don’t use SSO option when you do not need to authenticate a user on the back end server. When the Don’t use SSO option is selected, the user is redirected to the URL configured under the App details section.
SAML - Choose SAML for SAML-based SSO into web applications. Enter the configuration details for SAML SSO type.
Enter the following details in the Sign sign on section and click Save.
- Sign Assertion - Signing assertion or response ensures message integrity when the response or assertion is delivered to the relying party(SP). You can select Assertion, Response, Both, or None.
- Assertion URL – Assertion URL is provided by the application vendor. The SAML assertion is sent to this URL.
- Relay State – The Relay State parameter is used to identify the specific resource the users access after they’re signed in and directed to the relying party’s federation server. Relay State generates a single URL for the users. Users can click this URL to log on to the target application.
- Audience – Audience is provided by the application vendor. This value confirms that the SAML assertion is generated for the correct application.
- Name ID Format – Select the supported name identifier format.
- Name ID – Select the supported name ID.
- Select Launch the app using the specific URL (SP initiated) to override the identity provider-initiated flow and use only the service provider-initiated flow.
In Advanced attributes (optional), add additional information about the user that is sent to the application for access control decisions.
Download the metadata file by clicking the link under SAML Metadata. Use the downloaded metadata file to configure SSO on the SaaS apps server.
- You can copy the SSO login URL under Login URL and use this URL when configuring SSO on the SaaS apps server.
- You can also download the certificate from the Certificate list and use the certificate when configuring SSO on the SaaS apps server.
In the App Connectivity section, define routing for the related domains of applications, if the domains must be routed externally or internally through Citrix Connector Appliances. For details, see Route tables to resolve conflicts if the related domains in both SaaS and web apps are the same.
After you click Finish, the app is added to the Applications page. You can edit or delete an app from the Applications page after you’ve configured the application. To do so, click the ellipsis button on an app and select the actions accordingly.
- Edit Application
When you publish a Web or a SaaS app from the Secure Private Access service and if that app isn’t hidden, the Citrix Enterprise Browser app shows up automatically in the Citrix Workspace UI. In addition, the Citrix Enterprise Browser is also added as a favorite app, by default. End users can launch the workspace browser without a URL and access internal websites using the workspace browsers.
For a complete end-to-end configuration of an app, see Admin guided workflow for easy onboarding and set up.