Configure access to workspaces
Citrix recommends using the latest version of Citrix Workspace app to access workspaces. Citrix Workspace app replaces Citrix Receiver. You can also access workspaces using the latest version of Microsoft Edge, Google Chrome, Mozilla Firefox, or Apple Safari with the Workspace URL.
This article summarizes the steps involved in configuring and using:
- The Workspace URL
- The Citrix Workspace app (formerly Citrix Receiver).
- Citrix Gateways or the Citrix Gateway service for external connectivity.
- Identity providers for authentication to workspaces.
Subscribers can access Citrix Workspace through a browser with the Workspace URL or through the Citrix Workspace app installed on their devices.
The Workspace URL is customizable and is enabled by default. For instructions on editing the Workspace URL, see Workspace URL in this article.
Citrix Workspace app replaces Citrix Receiver as the natively installed app that provides access to the Workspace user interface (UI). For information about the Citrix Workspace app and transitioning from Citrix Receiver, see Citrix Workspace app (formerly Citrix Receiver) in this article.
Remote subscribers can gain external access to their workspaces if you configure external connectivity with Citrix Gateway or the Citrix Gateway service. For information on enabling remote access to workspaces, see External connectivity in this article.
Alternatively, for internal connectivity only, you can use Citrix Workspace on its own or host StoreFront on-premises. For internal connectivity, the endpoint must connect directly to the IP address of the Virtual Delivery Agent (VDA).
Citrix Workspace supports a growing list of identity providers that you connect to Citrix Cloud and then enable in Workspace Configuration to authenticate subscribers to their workspaces. For information on configuring authentication for Workspace subscribers, see Authentication to workspaces in this article.
Citrix Workspace also supports the following authentication options:
- Tokens as a second factor of authentication for signing in to workspaces with Active Directory. For more information on setting up multifactor authentication (MFA) to workspaces, see Two-factor authentication.
- Citrix Federated Authentication Service (FAS) to provide single sign-on (SSO) to DaaS in Citrix Workspace. For more information on setting up SSO with FAS, see Enable single sign-on for Workspaces with Citrix Federated Authentication Service.
The Workspace URL is ready to use and can be found in Citrix Cloud > Workspace Configuration > Access, where you can enable, edit, and disable your Workspace URL.
The first part of the Workspace URL is customizable. For example, you can change the URL from
You can change the Workspace URL only when it’s enabled. If the URL is disabled, you must re-enable it first.
To enable the Workspace URL, navigate to Workspace Configuration > Access and select the toggle to enable it. Re-enabling the Workspace URL can take up to 10 minutes to take effect.
The first part of the Workspace URL represents the organization using the Citrix Cloud account, and must comply with the Cloud Software Group End User Agreement. Misuse of third party intellectual property rights, including trademarks, might result in revocation and reassignment of the URL or suspension of the Citrix Cloud account.
To customize your URL, go to Workspace Configuration > Access and select Edit. The customizable part of the URL:
- Must be between 6 and 63 characters long. If you want to change the customizable part of the URL to fewer than 6 characters, open a ticket in Citrix Cloud.
- Must consist of only letters and numbers.
- Can’t include Unicode characters.
When you rename a URL, the old URL is immediately removed and is no longer available. Tell subscribers what the new URL is and manually update all local Citrix Workspace apps to use the new URL.
You can disable the Workspace URL to prevent users from authenticating through Citrix Workspace. For example, you might want subscribers to use an on-premises StoreFront URL to access resources, or you might want to prevent access during maintenance.
Disabling the Workspace URL can take up to 10 minutes to take effect.
Disabling the workspace URL has the following effects:
- All service integrations are disabled. Subscribers can’t access data and applications from services in Citrix Workspace.
- You can’t customize the Workspace URL. You must re-enable the URL before you can change it.
- Anyone visiting the URL receives a message in their browser indicating that the workspace can’t be found or that resources can’t be loaded.
Citrix Workspace app (formerly Citrix Receiver)
Citrix Receiver has reached End of Life (EoL) and is no longer supported. If you continue to use Citrix Receiver, technical support is limited to the options described in Lifecycle Milestones and Definitions. For information about EoL milestones for Citrix Receiver by platform, refer to Lifecycle milestones for Citrix Workspace app and Citrix Receiver.
Citrix Workspace app is a natively installed app that replaces Citrix Receiver for accessing workspaces.
The following table shows the authentication methods supported by Citrix Workspace app. The table includes authentication methods relevant to specific versions of Citrix Receiver, which Citrix Workspace app replaces.
|Citrix Workspace app
|Active Directory Authentication
|Active Directory plus Token Authentication
|Azure Active Directory authentication
|Citrix Workspace for Windows
|Yes (Workspace app; Receiver 4.9 LTSR CU2 and later only; Receiver 4.11 CR and later only)
|Citrix Workspace for Linux
|Yes (Workspace app; Receiver 13.8 and later only)
|Citrix Workspace for Mac
|Citrix Workspace for iOS
|Citrix Workspace for Android
|Yes (Workspace app; Receiver 3.13 and later only)
For more information about supported features in Citrix Workspace app by platform, refer to the Citrix Workspace app feature matrix.
For an overview of TLS and SHA2 support with Citrix Receivers, see the CTX23226 Support article.
Citrix Workspace app replaces, and extends the capabilities of, Citrix Receiver.
Citrix Workspace app delivers access for subscribers to SaaS, Web, and virtual apps with a single sign-on (SSO) experience. For information on single sign-on for workspace subscribers, see Enable single sign-on for workspaces with Citrix Federated Authentication Service.
This access control feature isn’t supported in Citrix Receiver. Thus, with the same services and access control enabled, Citrix Receiver users still see the purple UI, but without Web and SaaS apps. Additionally, Files isn’t supported in Citrix Receiver and subscribers can’t access them this way.
Azure Active Directory (AAD) also isn’t compatible with Citrix Receiver. If subscribers attempt to access Workspace with Citrix Receiver when AAD is enabled as the authentication method, they see a message that the device isn’t supported. Once they upgrade to Citrix Workspace app, they can access their workspaces.
Customers that upgrade to Citrix Workspace app (or use a Web browser) see the new UI. For more information on what the subscriber experience of this UI is, visit Manage your workspace experience.
Aside from a new UI, the Citrix Workspace app allows subscribers to use all the new functionality that you’ve enabled. Subscribers can access Files, see DaaS, and access Web and SaaS apps through the Citrix Gateway service.
If you have a StoreFront (on-premises) deployment, upgrading from Citrix Receiver to Citrix Workspace app only changes the icon to open Citrix Workspace app.
Citrix Cloud Government users continue to see their purple UI when using the Citrix Workspace app or when accessing Workspace from a Web browser.
Provide secure access for remote subscribers by adding Citrix Gateways or the Citrix Gateway service to resource locations.
Citrix supports the following external connectivity options:
- Citrix hosts Citrix Gateway and Citrix ADC
- You host Citrix Gateway and Citrix ADC on-premises
You can add Citrix Gateways from Workspace Configuration > Access > External Connectivity or from Citrix Cloud > Resource Locations.
The External Connectivity part of the Workspace Configuration > Access page isn’t available in Citrix Virtual Apps Essentials. The Citrix Virtual Apps Essentials service uses the Citrix Gateway service, which requires no additional configuration.
Authentication to workspaces
Configuring workspace authentication for subscribers is a two-step process:
- Define one or more identity providers in Identity and Access Management. For instructions, visit Identity and access management.
- Choose one of your configured identity providers as the authentication method used by subscribers to sign into their workspaces in Workspace Configuration. For instructions, visit Choose or change authentication methods.
Configuring more identity providers in Identity and Access Management gives you more options to choose from in Workspace Configuration for how subscribers sign into their workspaces.
Subscribers can authenticate to their workspaces using one of the following methods:
- Active Directory
- Active Directory plus token
- Azure Active Directory
- Citrix Gateway
- SAML 2.0
For more information on supported methods for subscriber authentication to workspaces, visit Secure workspaces.
Active Directory (AD) requires that you have at least two Citrix Cloud Connectors installed in the on-premises AD domain. For information about Citrix Cloud Connector, visit Citrix Cloud Connector.
AD plus Token is the default identity provider used to authenticate subscribers to workspaces. Subscribers generate tokens as a second factor of authentication using any app that follows the Time-Based One-Time Password (TOTP) standard, such as Citrix SSO. For information on setting up token-based two-factor authentication, see Two-factor authentication.
You choose an identity provider as your primary authentication method for Citrix Workspace in Workspace Configuration. The identity provider you choose must first be configured in Identity and Access Management. Changing the identity provider in Workspace Configuration doesn’t affect the identity providers you’ve configured in Identity and Access Management.
Configuring identity providers in Identity and Access Management doesn’t change the primary authentication method for signing into Citrix Workspace. To change the primary authentication method for signing into Citrix Workspace you must:
- Configure the new identity provider in Identity and Access Management.
- Change the identity provider in Workspace Configuration.
You can configure and change your primary authentication method for Citrix Workspace without breaking your production environment. If you’d like to test the new identity provider, you can either create a test Citrix Cloud organization or plan to change the authentication method in Workspace Configuration when subscribers aren’t using their workspaces.
Citrix Workspace offers a seamless experience by providing single sign-on (SSO) to secondary resources once the subscriber has signed in to their workspace. Together with the Citrix Gateway service, Citrix Secure Private Access provides SSO to SaaS and Web apps as an integrated part of Citrix Workspace.
Beyond SSO capabilities, Citrix Secure Private Access allows you to set enhanced security policies, configure contextual access, and collect analytics. For more information about Citrix Secure Private Access, visit Citrix Secure Private Access.
Alongside SaaS and Web apps, Active Directory (AD) and AD plus Token already provide SSO to DaaS apps and desktops after subscribers sign in to their workspaces.
If you select a different identity provider for the subscriber’s initial authentication to Citrix Workspace, you might also install and configure the Citrix Federated Authentication Service (FAS). With FAS, subscribers enter their credentials only once to access their DaaS, just as they do with SaaS and Web apps.
FAS is typically adopted if you’re using one of the following identity providers for Workspace authentication:
- Azure AD
- SAML 2.0
- Citrix Gateway
Depending on how you configure Citrix Gateway, you might not need FAS for SSO to DaaS. For more information on configuring Citrix Gateway, visit Create an OAuth IdP policy on the on-premises Citrix Gateway.
For more information about FAS, see Enable single sign-on for workspaces with Citrix Federated Authentication Service.