HowTo: Integrate Citrix Enterprise Browser with Local Browser

Introduction

Recently I have had a customer who is moving into the Citrix Workspace service, and as a part of the move wanted to integrate their external SaaS apps and their internal Web apps into the Citrix Workspace service portal using Secure Private Access (SPA). The idea is to improve user experience, so ALL of the applications will be accessible from a single portal as well as improve security as the SPA apps will be accessed using Citrix Enterprise Browser (CEB).

Currently, users will access Citrix Windows applications using a Web browser. Any SaaS or internal Web application will be accessed either directly by typing the URL or using the MyApps portal in Azure.

Now, the CEB is enforced for SPA apps if you are accessing your applications through the fully configured Citrix Workspace app (CWA). However, as most users only use web browsers to access their Citrix applications, the SPA apps were opening in the local browser and not in the CEB.

Desired Architecture

The following diagram shows the desired solution for the client. The diagram shows external access, but the access for internal users would be very similar, with the exception that connectivity to the SPA apps would be proxied through Connector Appliance.

1. The user launches a web browser on the endpoint, connects to Workspace, and enters username and password.
2. Workspace uses an identity broker micro-service to authenticate the user to the configured identity provider (in this case Azure AD).
3. Workspace uses primary identity to generate a list of authorized resources, which are displayed within local browser.
4. When the user selects a SaaS app, the local browser sends the request to Workspace, where the single sign-on micro-service requests a one-time use from the Gateway service.
5. The local browser initiates a connection to the Gateway service.
6. The Gateway Service uses claims from the primary identity to create an assertion about the user.
7. The Citrix Enterprise Browser is launched and redirected to the SaaS app login page where the assertion is presented.
8. The SaaS app contacts the Gateway service to validate the assertion and authenticates the user.
9. Once authenticated, communication occurs directly between the Citrix Enterprise Browser and the SaaS application.

Solution

When the local browser is used the only way to force an SPA application to start with CEB is to create a rule that will have a restriction. As the client did not want any restrictions at this time what we have done is create a rule that will have “Access with restrictions” selected, but no restrictions configured and Allow access enabled within the rule as shown in the following screenshot:

This configuration will allow you to start your SPA apps within Citrix Enterprise Browser from your local browser, with no restrictions.

If you need restrictions for your SPA apps, enable them, and the behaviour of the Citrix Enterprise Browser will be the same. This was a fairly unique use case in that the restrictions were not desired.

Hope this helps.