PoC Guide: Adaptive Access to SaaS and Private Web Apps

Overview

As users consume more SaaS-based applications, organizations must unify all sanctioned apps and simplify user login operations while enforcing authentication standards. Organizations must be able to secure these applications even though they exist beyond the confines of the data center. Citrix Workspace provides organizations with secure access to SaaS apps.

In this scenario, a user authenticates to Citrix Workspace using Active Directory, Azure Active Directory, Okta, Google, or Citrix Gateway as the primary user directory. Citrix Workspace provides single sign-on services for a defined set of SaaS applications.

Single sign-on Overview

If the Citrix Secure Private Access service is assigned to the Citrix subscription, enhanced security policies, ranging from applying screen-based watermarks, restricting printing/downloading actions, screen grabbing restrictions, keyboard obfuscation, and protecting users from untrustworthy links are applied on top of the SaaS applications.

The following animation shows a user accessing a SaaS application with Citrix providing SSO and secured with Citrix Secure Private Access.

Citrix SSO Demo

This demonstration shows an IdP-initiated SSO flow where the user launches the application within Citrix Workspace. This PoC guide also supports a SP-initiated SSO flow where the user tries to access the SaaS app directly from their preferred browser. Also, this guide demonstrates the use of Adaptive Access policies to provide conditional access depending on conditions such as user role, network location, or device posture.

This proof of concept guide demonstrates how to:

  1. Setup Citrix Workspace
  2. Integrate a primary user directory
  3. Incorporate Single Sign-On for SaaS applications
  4. Validate the configuration
  5. Configure and validate Adaptive Access

Setup Citrix Workspace

The initial steps for setting up the environment is to get Citrix Workspace prepared for the organization, which includes

Set Workspace URL

  1. Connect to Citrix Cloud and log in as your administrator account
  2. Within Citrix Workspace, access Workspace Configuration from the upper-left menu
  3. From the Access tab, enter a unique URL for the organization and select Enabled

Workspace URL

Verify

Citrix Workspace takes a few moments to update services and URL settings. From a browser, verify that the custom Workspace URL is active. However, logon is not available until a primary user directory gets defined and configured.

Integrate a Primary User Directory

Before users can authenticate to Workspace, a primary user directory must be configured. The primary user directory is the only identity that the user requires as all requests for apps within Workspace use single sign-on to secondary identities.

An organization can use any one of the following primary user directories

  • Active Directory: To enable Active Directory authentication, a cloud connector must be deployed within the same data center as an Active Directory domain controller by following the Cloud Connector Installation guide.
  • Active Directory with Time-Based One Time Password: Active Directory-based authentication can also include multifactor authentication with a Time-based One Time Password (TOTP). This guide details the required steps to enable this authentication option.
  • Azure Active Directory: Users can authenticate to Citrix Workspace with an Azure Active Directory identity. This guide provides details on configuring this option.
  • Citrix Gateway: Organizations can use an on-premises Citrix Gateway to act as an identity provider for Citrix Workspace. This guide provides details on the integration.
  • Okta: Organizations can use Okta as the primary user directory for Citrix Workspace. This guide provides instructions for configuring this option.
  • SAML 2.0: Organizations can use the SAML 2.0 provider of choice with their on-premises Active Directory (AD). This guide provides instructions for configuring this option.

Configure single sign-on

To successfully integrate SaaS apps with Citrix Workspace, the administrator needs to do the following

  • Configure a SaaS app
  • Authorize a SaaS app

Configure a SaaS App

  • Within Citrix Workspace, select Manage from the Secure Private Access tile.
  • Select Applications
  • Select Add an app
  • In the Choose a template wizard, search, and choose the correct template, which in this instance is Zoho, and click Next

Setup SaaS App 01

  • In the App Details window, type in the organization’s unique domain name for the SaaS application. The URL and Related Domains will automatically populate
  • Select Next

Note: Enhanced security policies use the related domains field to determine the URLs to secure. One related domain is automatically added based on the URL in the previous step. Enhanced security policies require related domains for the application. If the application uses multiple domain names, the must be added into the related domains field, which is often *.<companyID>.SaaSApp.com (as an example *.citrix.slack.com)

Setup SaaS App 02

  • In the Single Sign-On window, copy the Login URL (1)
  • Select Download to download the X.509 certificate in PEM format (2)

Setup SaaS App 03

  • Within the Zoho Account app, select Organization > SAML Authentication to bring up settings
    (Requires a permanent or trial Enterprise license with Enterprise user objects created)
  • Select Setup Now

Setup SaaS App 04

  • For the Sign-in URL and Change Password URL, paste the Login URL obtained from the Citrix Secure Private Access configuration
  • For the X.509 Certificate, upload the .PEM file you downloaded from the Citrix Secure Private Access configuration
  • For the Zoho Service, enter “People
  • Select Configure

Setup SaaS App 05

  • Within Citrix Secure Private Access Configuration, select Next
  • In the App Connectivity window, notice the required domains automatically set to route externally, and select Save

Setup SaaS App 06

  • Select Finish

Authorize a SaaS App and configure enhanced security

  • Within the Secure Private Access menu, select Access Policies
  • In the Access Policy section, select Create policy
  • Enter the Policy name and a brief Policy description
  • In the Applications drop-down list, search for “Zoho People” and select it

Note

You can create multiple access rules and configure different access conditions for different users or user groups within a single policy. These rules can be applied separately for both HTTP/HTTPS and TCP/UDP applications, all within a single policy. For more information on multiple access rules, see Configure an access policy with multiple rules.

Authorize SaaS App 01

  • Select Create Rule to create rules for the policy
  • Enter the rule name and a brief description of the rule, and select Next

Authorize SaaS App 02

  • Add the appropriate users/groups who are authorized to launch the app, and select Next

Note

Click + to add multiple conditions based on the context.

Authorize SaaS App 03

  • Specify if the HTTP/HTTPS app can be accessed with or without restrictions
    The following screenshot has watermarking restriction configured.
    If no enhanced security is needed, change “Allow access with restrictions” to “Allow access”.
  • Specify the TCP/UDP apps action
    The following screenshot denies access to TCP/UDP apps.
  • Select Next

Authorize SaaS App 04

  • The Summary page displays the policy rule details
    Verify the details and select Finish

Authorize SaaS App 05

  • In the Create policy dialog, verify that Enable policy on save is checked, and select Save.

Note: For initial SSO testing, it is always a good idea to configure enhanced security with the option “Open in remote browser” set.

Authorize SaaS App 06

Validate the Configuration

IdP-Initiated Validation

  • Log into Citrix Workspace as a user
  • Select the configured SaaS application.
  • The SaaS App successfully launches
  • The user automatically signs on to the app
  • Enhanced security is applied

Citrix SSO Demo

SP-Initiated Validation

  • Launch a browser
  • Go to the company-defined URL for the SaaS application
  • The browser directs the browser to Citrix Workspace for authentication
  • Once the user authenticates with the primary user directory, the SaaS app launches in the local browser if enhanced security is disabled. If enhanced security is enabled, a Secure Browser instance launches the SaaS app

Configure and validate Adaptive Access

Admin

  • Within the Citrix Secure Private Access tile, select Manage
  • Select Access Policies from the menu on the left
  • In the search field enter “Zoho” (1)
  • Click on the three dots (2) and select Edit (3) to open the existing Zoho access policy

Authorize SaaS App 07

  • Click Create Rule to create a second rule for this policy
  • Enter the rule name and a brief description of the rule, and select Next

Authorize SaaS App 08

  • Add the appropriate users/groups who are authorized to launch the app
  • Select + to add a second condition

Note

Based on the context, the following conditions can be applied.

  • Select Network location and select “Create network location

Authorize SaaS App 09

  • Enter the Location name and Location tag, and for the Public IP address range, look up the public IP address of the PoC endpoint and enter that followed by /32, indicating it’s a host IP address
  • Select Save

Authorize SaaS App 10

  • In the Create new rule dialog, select the before created network Location tag, and select Next

Authorize SaaS App 11

  • Specify if the HTTP/HTTPS app can be accessed with or without restriction, or access is denied
    The following screenshot denies access to HTTP/HTTPS apps.
  • Specify the TCP/UDP apps action
    The following screenshot denies access to TCP/UDP apps.
  • Select Next

Authorize SaaS App 12

  • The Summary page displays the policy rule details
    Verify the details and select Finish

Authorize SaaS App 13

  • In the Create policy dialog, reorder the access policy priority, and select Save

Authorize SaaS App 14

User

  • Log into Citrix Workspace as a user
  • Select Apps from the menu on the left
  • Observe that the Adaptive Access, Network Location policy has been applied, and Zoho People is now missing from the list of available apps

Adaptive Access

Troubleshooting

Enhanced Security Policies Failing

Users might experience the enhanced security policies (watermark, printing, or clipboard access) fail. Typically, this happens because the SaaS application uses multiple domain names. Within the application configuration settings for the SaaS app, there was an entry for Related Domains

Setup SaaS App 02

The enhanced security policies are applied onto those related domains. To identify missing domain names, an administrator can access the SaaS app with a local browser and do the following:

  • Navigate to the section of the app where the policies fail
  • In Google Chrome and Microsoft Edge (Chromium version), select the three dots in the upper right side of the browser to show a menu screen
  • Select More Tools
  • Select Developer Tools
  • Within the developer tools, select Sources. This provides a list of access domain names for that application section. To enable the enhanced security policies for this app, those domain names must be entered into the related domains field within the app configuration. Related domains are added like the following *.domain.com

Enhanced Security Troubleshooting 01

PoC Guide: Adaptive Access to SaaS and Private Web Apps