Citrix Secure Private Access

The Citrix Secure Private Access service enables administrators to provide a cohesive experience that integrates single sign-on, remote access, and content inspection into a single solution for end-to-end access control. IT administrators can govern access to approved SaaS apps with a simplified single sign-on experience. With the Citrix Secure Private Access service, administrators can also protect the organization’s network and end user devices from malware and data leaks by filtering access to specific websites and website categories. Administrators can enforce enhanced access security policies for secure access to SaaS applications. Once authenticated, employees have access to all critical business applications from any device, whether they are on office premises, at home, or traveling.

Administrators can monitor user activities, such as visits to malicious, dangerous, or unknown websites, the bandwidth consumed, and risky download and upload behaviors. Using analytics on the websites and website categories accessed, administrators can take corrective action to protect the enterprise network. At the same time, the service provides end users seamless and secure access to all their hosted apps.

Administrators can also restrict actions such as printing, downloads, and clipboard access (copy-paste).

The following diagram is a visual depiction of the Secure Private Access service.

[Diagram: Overview of Secure Private Access]

Key capabilities of Citrix Secure Private Access

Following are some of the key tasks that you can complete with the Citrix Secure Private Access service:

  • Publish SaaS apps with single sign-on access - Once the user is authenticated to Citrix Workspace with a primary identity, subsequent authentication challenges to SaaS and web apps are automatically fulfilled by the single sign-on feature in the Citrix Cloud using SAML assertions.

    By default, the SAML assertion uses the email address associated with the user’s Active Directory account (identity provider), which is matched with the email address associated with the user’s SaaS or web app account (service provider).

  • Set enhanced security policies for SaaS apps (for example, watermark, copy-paste restriction, and download prevention) - To protect content, organizations incorporate enhanced security policies within the SaaS applications. Each policy enforces a restriction on the Citrix Enterprise Browser when using Workspace app for desktop, or on Secure Browser when using Workspace app for web or mobile.
    • Preferred browser: Disables local browser use and relies on the Citrix Enterprise Browser engine (Workspace app - desktop) or Secure Browser (Workspace app – mobile and web).
    • Restrict clipboard access: Disables cut/copy/paste operations between the app and endpoint clipboard.
    • Restrict printing: Disables ability to print from within the app browser.
    • Restrict downloads: Disables the user’s ability to download from within the SaaS app.
    • Display watermark: Overlays a screen-based watermark showing the user name and IP address of the endpoint. If a user tries to print or take a screenshot, the watermark appears as displayed on the screen.
  • Provide contextual access - Although an authorized SaaS app is considered safe, content in the SaaS app can still be dangerous and constitute a security risk. When a user clicks a hyperlink within a SaaS app, the traffic is routed through the web filtering feature, which provides a risk assessment for the hyperlink. Based on the hyperlink’s risk assessment and the customized list of URL categories, the web filtering feature allows, denies, or redirects the hyperlink request from the user as follows:
    • Approved: The hyperlink is considered safe and the Citrix Enterprise Browser within the Workspace app accesses the hyperlink.
    • Denied: The hyperlink is considered dangerous and access is denied.
    • Redirected: The hyperlink request is redirected to the Secure Browser service, where the user’s internet browsing activities are isolated from the endpoint device, the corporate network, and the SaaS app.
  • Security and performance analytics - Users invariably access SaaS apps that have enhanced security inherent in them. Workspace app, the Secure Private Access service, and the Secure Browser service provide the Security analytics service with information about the following user and application behaviors. These analytics impact the user’s overall risk score:
    • App launch time
    • App end time
    • Print action
    • Clipboard access
    • URL Access
    • Data upload
    • Data download

The web filtering feature evaluates the risk of each hyperlink selected within the SaaS application. Access to these sites, together with monitored changes in user behavior, increases the user’s overall risk score because it signals that the endpoint device is compromised and has started to infect or encrypt data, or that the user and device are stealing intellectual property.


Launching of SaaS or Web apps through StoreFront is deprecated.
