VMware Identity Manager uses the Integration Broker component and the Citrix Web Interface SDK or Citrix StoreFront REST API to launch Citrix-published applications from the Workspace ONE portal or app. You can configure internal and external access to the Citrix-published resources. End users must install Citrix Receiver on their systems or devices to launch the applications and desktops.

Launch Architecture Diagram (Internal Access)


Launch Diagram

  1. A user launches a Citrix-published application or desktop from the Workspace ONE portal or app.
  2. The request goes to the VMware Identity Manager service, connector, and Integration Broker.
  3. The Integration Broker communicates with the Citrix server farm through the Web Interface SDK or StoreFront REST API to authenticate and request the ICA file.
  4. The ICA file is retrieved and passed to the Workspace ONE portal or app.
  5. The ICA file is passed to the Citrix Receiver.
  6. The Citrix Receiver launches the application or desktop.

Launch Architecture Diagram (External Access with StoreFront)

external launch with StoreFront
  1. A user launches a Citrix-published application or desktop from the Workspace ONE portal or app.
  2. The request goes to the VMware Identity Manager service, connector, and Integration Broker.
  3. To communicate with the Citrix server farm to authenticate and request the ICA file, the Integration Broker sends a request to NetScaler through the StoreFront REST API.
  4. NetScaler forwards the request to the StoreFront server.
  5. The ICA file is retrieved and passed to the Workspace ONE portal or app.
  6. The ICA file is passed to the Citrix Receiver.
  7. Citrix Receiver communicates with Netscaler.
  8. NetScaler communicates with the Citrix STA server with the STA ticket and gets the Citrix session server information.
  9. NetScaler communicates with the Citrix Session Host server and creates a session for application launch.
    Note: In version 7.x, the Citrix Session Host server is the Citrix VDA server. In version 6.5, it is the Citrix Worker server.

Launch Architecture Diagram (External Access with Web Interface SDK)


External Launch with Web Interface SDK

  1. A user launches a Citrix-published application or desktop from the Workspace ONE portal or app.
  2. The request goes to the VMware Identity Manager service, connector, and Integration Broker.
  3. The Integration Broker communicates with the Citrix server farm through the Web Interface SDK to authenticate and request the ICA file.
  4. The ICA file is retrieved and passed to the Workspace ONE portal or app.
  5. The ICA file is passed to the Citrix Receiver.
  6. Citrix Receiver communicates with Netscaler.
  7. NetScaler communicates with the Citrix STA server with the STA ticket and gets the Citrix session server information.
  8. NetScaler communicates with the Citrix Session Host server and creates a session for application launch.
    Note: In version 7.x, the Citrix Session Host server is the Citrix VDA server. In version 6.5, it is the Citrix Worker server.

Using StoreFront REST API or Web Interface SDK for Launch

The Integration Broker can use the Citrix Web Interface SDK and the Citrix StoreFront REST API to communicate with your Citrix deployment to launch applications or desktops. When the StoreFront REST API is used, the Integration Broker acts like a REST client. The Web Interface SDK and the StoreFront REST API are used to authenticate with and generate the ICA file from the Citrix deployment.

You can specify which option to use by selecting the Use StoreFront or Use Web Interface SDK option in the Citrix configuration page in the VMware Identity Manager console.

An Integration Broker instance can use both the Web Interface SDK and the StoreFront REST API. If you want to communicate with one Citrix farm using the Web Interface SDK and another Citrix farm using the StoreFront REST API, make the appropriate selections for each.

To use the StoreFront REST API option, which is available in VMware Identity Manager 2.9.1 and later, ensure the following requirements are met.

  • Use StoreFront API 2.6 or later.
  • Install Integration Broker 2.9.1 or later.
  • Ensure that StoreFront is supported by the XenApp or XenDesktop version you are using.
  • Ensure that the Integration Broker can communicate with the StoreFront server.

    When you enable the StoreFront REST API, the Integration Broker communicates with the StoreFront server to generate the ICA file.

  • In the StoreFront server, when you configure authentication for a store, trusted domains can be configured for the "User name and password" authentication method. If you configure trusted domains, ensure that you add domain names in the fully qualified domain name format to the "Trusted domains" list. If you use NetBIOS names for StoreFront, add the fully qualified domain name in addition to the NetBIOS name. VMware Identity Manager requires the fully qualified domain name. If only the NeTBIOS name is added, Citrix application and desktop launch from Workspace ONE will fail.

    configuring trusted domain iin Citrix

Note: To use the StoreFront REST API, you do not need to download or copy any additional files to your installation.

Supported Authentication Methods on Citrix Server

VMware Identity Manager only supports user name and password authentication on the XenApp server or NetScaler server. It does not support other authentication methods such as the following:
  • Smart Card
  • HTML 5
  • 2 Factor Authentication
  • SAML Authentication (Citrix FAS)