Support for Enterprise web apps

Web app delivery using the Secure Private Access service enables enterprise-specific applications to be delivered remotely as a web-based service. Commonly used web apps include SharePoint, Confluence, OneBug, and so on.

Web apps can be accessed from Citrix Workspace through the Secure Private Access service. The Secure Private Access service coupled with Citrix Workspace provides a unified user experience for the configured Web apps, SaaS apps, configured virtual apps, or any other workspace resources.

SSO and remote access to web apps are available as part of the following service packages:

  • Gateway Service Standard
  • Workspace Standard, Workspace Premium, or Workspace Premium Plus

System requirements

You need one of the following connector types for the Enterprise web apps.

Connector Appliance - You can use the Connector Appliance with the Citrix Secure Private Access service to support VPN-less access to the Enterprise Web apps in the customers’ data center. For details, see Secure Workspace Access with Connector Appliance.


  • Citrix Gateway Connector is planned to be deprecated in the upcoming release. Citrix recommends that you migrate to Connector Appliance, which is a single Zero Trust Network Access connector. For details on Connector Appliance, see Connector Appliance for Cloud Services.

  • To migrate your Gateway Connector to Connector Appliance, see Migrate Gateway Connector to Connector Appliance.

  • For TCP apps, Connector Appliance must be used.

Citrix Gateway Connector – A virtual appliance that facilitates remote access to the Enterprise web apps. The virtual machine must meet at least the following specification:

  • Number of vCPUs must be exactly 2.
  • 4 GB RAM minimum.
  • 1 Network Adapter (virtual NIC). You can add an extra virtual NIC upon requirement.

Install the Gateway Connector before configuring the Enterprise web apps for a cleaner approach.

For more information about Citrix Gateway Connector, see Citrix Gateway Connector.


If there are SSL intercepting devices in the on-premises data center where the Citrix Gateway Connector must be deployed, the connector registration does not succeed if SSL interception is enabled for these FQDNs. The SSL interception must be disabled for these FQDNs for successful connector registration. For more information on Citrix Gateway Connector, see Citrix CloudGateway Connector.

How it works

The Citrix Secure Private Access service securely connects to the on-premises data center using the connector, which is deployed on-premises. This connector acts as a bridge between Enterprise web apps deployed on-premises and the Citrix Secure Private Access service. These connectors can be deployed in an HA pair and require only an outbound connection.

A TLS connection between the Gateway connector and the Citrix Secure Private Access service in the cloud secures the on-premises applications that are enumerated into the cloud service. Web applications are accessed and delivered through Workspace using a VPN-less connection.

The following figure illustrates accessing web applications using Citrix Workspace.

[Figure: How web apps work]

To configure an Enterprise web app

  1. On the Secure Private Access tile, click Manage.

  2. On the Secure Private Access landing page, click Continue and then click Add an app.


    The Continue button appears only the first time that you use the wizard. On subsequent uses, you can directly navigate to the Applications page and then click Add an app.

  3. Select the app that you want to add and click Skip.

  4. In Where is the application location?, select the location.

  5. Enter the following details in the App Details section and click Next.

    • App type – Select the app type. You can select from HTTP/HTTPS or UDP/TCP apps.

    • App name – Name of the application.

    • App description – A brief description of the app. The description that you enter here is displayed to your users in the workspace.

    • App icon – Click Change icon to change the app icon. The icon file size must be 128x128 pixels. If you do not change the icon, the default icon is displayed.

      If you do not want to display the app icon, select Do not display application icon to users.

    • Select Direct Access to enable users to access the app directly from a client browser. For details, see Direct access to Enterprise web apps.

    • URL – URL with your customer ID. The URL must contain your customer ID (Citrix Cloud customer ID). To get your customer ID, see Sign up for Citrix Cloud. In case SSO fails or you do not want to use SSO, the user is redirected to this URL.

      Customer domain name and Customer domain ID - Customer domain name and ID are used to create the app URL and other subsequent URLs in the SAML SSO page.

      For example, if you are adding a Salesforce app, your domain name is salesforceformyorg and ID is 123754, then the app URL is

      Customer domain name and Customer ID fields are specific to certain apps.

    • Related Domains – The related domain is auto-populated based on the URL that you have provided. Related domain helps the service to identify the URL as part of the app and route traffic accordingly. You can add more than one related domain.

  6. Click Next.

  7. In the Enhanced Security section, select Enable enhanced security to choose the security options you would like to apply to the application.

  8. Select Enable enhanced security to enable all the security options available for the apps.


    The Enhanced Security section is available only if you are entitled to Citrix Secure Private Access service. For details, see

    • You can also enable the following enhanced security options as per the requirement.

      • Restrict clipboard access: Disables cut/copy/paste operations between the app and the system clipboard.
      • Restrict printing: Disables the ability to print from within the Citrix Workspace app browser.
      • Restrict downloads: Disables the user’s ability to download from within the app.
      • Display watermark: Displays a watermark on the user’s screen showing the user name and IP address of the user’s machine.
    • Enable advanced security policies for the app.

      • Restrict keylogging: Protects against key loggers. When a user tries to log on to the app using the user name and password, all keystrokes appear encrypted to key loggers. Also, all activities that the user performs on the app are protected against key logging. For example, if app protection policies are enabled for Office365 and the user edits an Office365 Word document, all keystrokes appear encrypted to key loggers.

      • Restrict screen capture: Disables the ability to capture the screens using any of the screen capture programs or apps. If a user tries to capture the screen, a blank screen is captured.

    • Select Launch application always in Citrix Secure Browser service to always launch an application in the Secure Browser service regardless of other enhanced security settings.


      • The other enhanced security options are still enforced once the app is launched inside the Secure Browser.

      • If you are accessing the app from the Citrix Workspace app or from the Citrix Workspace for web, then the app is launched in the embedded browser or the native browser respectively until the policy is enforced on mobile devices.

    • Select Enforce policy on mobile device to enable the previously mentioned enhanced security options on your mobile device.


      When Enforce Policy on Mobile Device is selected along with Enable enhanced security, the user experience for the application access is negatively impacted for the desktop users and the mobile users.

  9. Click Next.

  10. Select your preferred single sign-on type to be used for your application and click Save. The following single sign-on types are available.

    • Basic – If your back-end server presents you with a basic-401 challenge, choose Basic SSO. You do not need to provide any configuration details for the Basic SSO type.
    • Kerberos – If your back-end server presents you with the negotiate-401 challenge, choose Kerberos. You do not need to provide any configuration details for the Kerberos SSO type.
    • Form-Based – If your back-end server presents you with an HTML form for authentication, choose Form-Based. Enter the configuration details for the Form-Based SSO type.
    • SAML - Choose SAML for SAML-based SSO into web applications. Enter the configuration details for SAML SSO type.
    • Don’t use SSO – Use the Don’t use SSO option when you do not need to authenticate a user on the back end server. When the Don’t use SSO option is selected, the user is redirected to the URL configured under the App details section.

    Form based details: Enter the following form-based configuration details in the Single Sign On section and click Save.

    • Action URL - Type the URL to which the completed form is submitted.
    • Logon form URL – Type the URL on which the logon form is presented.
    • Username Format - Select a format for the user name.
    • Username Form Field – Type a user name attribute.
    • Password Form Field – Type a password attribute.

    SAML: Enter the following details in the Single Sign On section and click Save.

    • Sign Assertion – Signing assertion or response ensures message integrity when the response or assertion is delivered to the relying party (SP). You can select Assertion, Response, Both, or None.
    • Assertion URL – Assertion URL is provided by the application vendor. The SAML assertion is sent to this URL.
    • Relay State – The Relay State parameter is used to identify the specific resource the users access after they are signed in and directed to the relying party’s federation server. Relay State generates a single URL for the users. Users can click this URL to log on to the target application.
    • Audience – Audience is provided by the application vendor. This value confirms that the SAML assertion is generated for the correct application.
    • Name ID Format – Select the supported name identifier format.

    • Name ID – Select the supported name ID.
  11. In Advanced attributes (optional), add additional information about the user that is sent to the application for access control decisions.

  12. Download the metadata file by clicking the link under SAML Metadata. Use the downloaded metadata file to configure SSO on the SaaS apps server.


    • You can copy the SSO login URL under Login URL and use this URL when configuring SSO on the SaaS apps server.
    • You can also download the certificate from the Certificate list and use the certificate when configuring SSO on the SaaS apps server.
  13. Click Next.

  14. In the App Connectivity section, define how the related domains of the application are routed: externally, or internally through Citrix Gateway connectors. For details, see Route tables to resolve conflicts if the related domains in both SaaS and web apps are the same.

  15. Click Next.

  16. In the App Subscribers section, assign users or groups to the app.

    • In Choose a domain, select the domain applicable to the app, and then in Choose a group or user, select the group or user to whom you are subscribing this app. You can differentiate between a user and a group by the letter U or G that appears against the name.

    • Click Save. The subscriber details are loaded automatically.

You can unsubscribe a subscribed user or a group by clicking the delete icon next to Status.

  17. Click Finish.

    After you click Finish, the app is added to the Applications page. You can delete, manage subscribers, or edit an app from the Applications page after you have configured the application. To do so, click the ellipsis button on an app and select the actions accordingly.

    • Manage Subscribers
    • Edit Application
    • Delete
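
The single sign-on choice in step 10 depends on how the back-end server answers an unauthenticated request. The following Python helper is an added example, not Citrix code: it maps a response to the SSO type listed in that step and, for Form-Based, pulls out the Action URL and form field names. The function names, the sample page, and the rule that a Negotiate challenge takes precedence over Basic are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

class LoginFormFinder(HTMLParser):
    """Captures the first <form> that contains a password input."""
    form = login = None  # form being parsed / first form seen with a password field
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form = {"action": a.get("action", ""), "user": None, "password": None}
        elif tag == "input" and self.form is not None:
            kind = (a.get("type") or "text").lower()
            if kind == "password":
                self.form["password"] = a.get("name")
                self.login = self.login or self.form
            elif kind in ("text", "email") and self.form["password"] is None:
                self.form["user"] = a.get("name")  # last text field before the password
    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None

def offered_schemes(header_values):
    """Scheme names found in one or more WWW-Authenticate header values."""
    schemes = set()
    for value in header_values:
        value = re.sub(r'"(?:[^"\\]|\\.)*"', '""', value)  # hide commas inside quoted strings
        for part in (p.strip() for p in value.split(",")):
            if part and not re.match(r"[^\s=]+\s*=", part):  # skip name=value auth-params
                schemes.add(part.split()[0].lower())
    return schemes

def recommend_sso(status, www_authenticate=(), body="", logon_url=""):
    """Map a back end's unauthenticated response to an SSO type from step 10."""
    schemes = offered_schemes(www_authenticate) if status == 401 else set()
    if "negotiate" in schemes:  # assumption of this example: Kerberos wins if both are offered
        return {"sso": "Kerberos"}
    if "basic" in schemes:
        return {"sso": "Basic"}
    finder = LoginFormFinder()
    finder.feed(body)
    if finder.login and status != 401:
        return {"sso": "Form-Based", "action_url": urljoin(logon_url, finder.login["action"]),
                "username_field": finder.login["user"], "password_field": finder.login["password"]}
    return {"sso": None}  # nothing this page's SSO types cover; inspect manually

# Constructed sample: logon page of a hypothetical internal app (not from the original page).
SAMPLE_LOGON_PAGE = ('<form method="post" action="/auth/submit"><input name="login_user">'
                     '<input type="password" name="login_pass"></form>')
```

For a Form-Based result, `action_url`, `username_field` and `password_field` correspond to the Action URL, Username Form Field and Password Form Field entries in the form-based details.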