Our thoughts on Citrix’s workspace and identity strategy

Identity management is a key part of the modern workspace. Now that Citrix has it, where do their offerings fit in the market?

Last week I shared initial impressions of Citrix Synergy 2018; today I’m taking a closer look at the Citrix workspace and identity strategy.

How did we get here?

While “workspace” may seem like the buzz of the day, really, it’s nothing too new. We’ve been talking for years about how the enterprise EUC experience—once bound together by the Windows desktop—has gradually expanded to include modern web apps, SaaS, file sync, mobile apps, and new devices. To deal with this new world, we have tools like EMM, EFSS, and identity federation. “Workspace” is simply the idea that all of these experiences (and the tools to manage them) should work together in a cohesive way.

Citrix has been working on this for a long time. To me, this goes back to the ShareFile acquisition, CloudGateway 2, the Zenprise acquisition, and the various ways all these products came together. (Incidentally, Citrix was selling “Workspace Suite” bundles at least by 2014.) A friend noted that this goes back earlier, to NFuse and Citrix’s acquisition of Sequoia in 2001. (This lead me down a hole reading old articles about MetaFrame Secure Access Manager, Malibu, and Citrix’s “Access” strategy. But I digress...)

By 2015/2016, it was becoming clear that a key part of delivering workspace is identity management. A few things were happening: SaaS apps were getting very real; cloud-based identity offerings like Okta were getting a lot of attention; SAML was growing rapidly (according to Okta, the number of apps with SAML support increased 600% from 2013 to 2015); and conditional access was starting to trend.

Subsequently, it was becoming clear that identity and SaaS app management—at least in their most modern forms—were a bit of a hole in Citrix’s offerings. In contrast, VMware announced Identity Manager (which was based on some earlier products) in 2015; and Microsoft was starting a big Azure AD push. Citrix had some identity capabilities in NetScaler, but they didn’t compare, nor were they emphasized.

So I was very pleased when Citrix put a lot of emphasis on SaaS apps and SSO in their Workspace Experience demo at Synergy 2017. The big question was how they were going to deliver on this. Citrix said they would build some of their own IDaaS capabilities, as well as enabled integrations with other providers, such as Azure AD or Okta. I was eager to see the final products, and considering the security push at Synergy 2017, we also wondered what other products they would reveal.

What did Citrix deliver?

We finally got to see everything at Synergy 2018. In case you need the review:

  • NetScaler Gateway Service (which was actually revealed in April) is Citrix’s cloud-based identity provider; it supports SAML; has templates for common SaaS apps (plus you can add apps manually); it has several MFA options; it can support on-premises web apps via NetScaler Connecter; and it supports XenApp and XenDesktop.
  • NetScaler Unified Gateway also got some new features, including the same SAML templates; and support for OpenID Connect.
  • The new Citrix Workspace App is the latest version of the “bring everything together” concept; it now includes an embedded browser.
  • Citrix Access Control is the new cloud offering for SaaS app security; it includes identity capabilities from the NetScaler Gateway Service; uses the Workspace App as a client (with the embedded browser or the remote browser service); does URL filtering; and incorporates Citrix Analytics. (Really, all of these products will use Citrix Analytics in some way or another.)


So, what do we think? As I mentioned, this is the latest step in the long evolution of workspace (and portal and “access”) efforts.

It’s telling that the Citrix Workspace App got a lot of attention at Synergy 2018. Looking back, this is a common trend in Citrix’s succession of efforts, but either way, it makes for good, compelling demos. By the way, don’t listen to the folks grumbling about how it has the same name as VMware Workspace One—my position is that “workspace” is now solidly an industry term.

An important thing to remember is that you don’t have to access everything from the Workspace App. The whole point of the workspace concept is that there are a lot of different ways to deliver apps and data to users. For example, the SAML federation capabilities in NetScaler Gateway Service and Unified Gateway will allow users to login directly SaaS app web pages, instead of just going via the Workspace App. (In the identity space, this is known as a service provider (SP) initiated login, versus an identity provider (IdP) initiated login.)

One smaller note—Citrix does need to ensure that other EFSS apps get first-class integration to the same degree as Sharefile (we’ve said this before), but I was assured that this is on the road map.

I think having an embedded browser in the Workspace App is genuinely interesting—using it as a way to apply security policies to SaaS apps on un-managed desktops is an obvious and useful approach. I’ve liked this idea ever since I first saw it in Moka5 Project SkyNet and Good Technology’s Windows and Mac apps, and of course this is what MAM products have been doing on mobile for years. (I also like this as a use case for remote browsers, too.)

In general, SaaS apps are emerging as a top area for EUC to get a handle on; besides identity and conditional access, also witness the proliferation of cloud access security brokers (CASBs). Citrix Access Control addresses this exact issue, but has a fairly different approach from most CASBs, so it will be interesting to see how the industry takes note.

Moving on to the IDaaS components, many customers likely already have or are considering products like Okta or Ping, or they’re getting Azure AD with their Office 365 migrations. So where does Citrix fit in this picture?

For one thing, all this identity work is effort they had to put in no matter what—Citrix Cloud and the Workspace App needs its own identity services to do things like make SaaS apps first class citizens, or to work with other MFA solutions (and many of these services existed in Citrix Cloud already). By offering NetScaler Gateway Service for as an IDaaS, Citrix isn’t entering a new category from scratch—it’s just another step on top of what they were already doing.

Certainly, Citrix’s IDaaS capabilities will be competing against other IDaaS vendors in some situations, and Citrix can tout their portfolio integration as an advantage. The competition is certainly a long ways ahead with things like automatic user provisioning and more complex SaaS app integrations, but in a Synergy breakout session, Citrix’s Chris Fleck and Steve Wilson emphasized that this was just the beginning of their identity road map. Plus, for conditional access, you’ll want your IDaaS to be as close as possible to your endpoint management and other workspace tools, so there’s another argument for Citrix customers to also use their IDaaS.

But what about Citrix in conjunction with other IDaaS products? Indications are that we’ll hear more about this down the road, and as I wrote a few weeks ago, hopefully Citrix validates use cases and offer plenty of guidance on how to do this. Assuming that NetScaler Gateway Service acts like other standard identity providers, there will be a lot of different ways to use it in combination with other IdPs serving various roles.

It’s telling that the biggest theme of Synergy was arguably the Citrix Workspace App, SaaS apps, and web apps—it’s a sign of the times for cloud offerings and the state of EUC in 2018.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

New idea bankruptcy!
Microsoft azure ad and Okta own identity. Sky high and CASB vendors own the CASB market. Vmware and Citrix are never going to make any big impact in these existing well defined markets. The battle is all about which “client workspace” will aggregate all the apps. The tweets about “innovation” are silly.