One of the most important new products that Citrix has recently delivered is OpenCloud Access. Launched in October, it brings to XenDesktop 5 a simple, one-stop solution for management of user identities and access to Enterprise apps and desktops, with zero-day provisioning of user accounts for Windows desktops, apps, Enterprise web apps and all cloud-provided applications and resources. It is key to enabling users to access their enterprise resources any time, from anywhere, and any device.

Gabe Knuth correctly identified the similarity between OpenCloud Access and VMware’s Project Horizon, with a couple of key differences.

  • Whereas Project Horizon is an aspirational goal on the part of VMware, OpenCloud Access is already shipping.
  • OpenCloud Access is a powerful addition to any cloud – from vCloud to Amazon Web Services.

With the launch of XenDesktop 5 Citrix end-users will be presented with a fully integrated Receiver and self-service Enterprise Dazzle app store. A single authentication is all that is required to enable a user to simply pick any app, have it immediately provisioned to their virtual desktop using the appropriate delivery technology, and then immediately use it. This applies seamlessly across Windows desktop apps, apps used by administrators to manage infrastructure, enterprise web apps and externally provided SaaS offerings. (I should point out that external IaaS clouds simply count as SaaS “apps” in this context. A single identity is all that is required to gain access to multiple services, whether working from the office, home or the road, and regardless of the type of device being used (e.g., PC, Mac, iPad, smartphone).

OpenCloud Access does all of the hard work to make this possible, including provisioning of user access to web/SaaS apps, de-provisioning on use termination, and the federation of ID management between different ID systems, including AD and external directories. A single authoritative ID management system that offers a simple management interface is just one benefit. You get the peace of mind that employee access to apps follows policy and role permissions, reducing complexity for IT staff.

While you might be thinking that this sounds just like SSO (which is already available in password manager for Windows). While OC Access certainly facilitates SSO, it does much much more. It builds a SAML-based Identity Management Fabric, permitting the federation of enterprise IAM systems and apps with those of 3rd party providers. It offers pre-built connectors for a wide range of legacy apps, to facilitate seamless SSO, and it has support for OpenID. OpenID may seem unimportant, but in a world where enterprise employees need access to apps from any device (for example, a device running Chrome OS, on which only a Google ID has been used to boot the system) the need to support IAM from non-traditional identity providers becomes crucial.

As a network-based service (technically, a component of NetScaler) as opposed to a component of any app or app server, OC Access can guarantee comprehensive control – all app accesses pass through it and therefore it can apply a unified SAML-based IAM across all apps. This is also profoundly useful when the enterprise extends its datacenter into the cloud. OpenCloud Access, sitting on the path from the enterprise user to the cloud-resident apps/infrastructure, can extend the enterprise IAM capabilities outside the DMZ and into third party infrastructures. This solves the problem of how an enterprise IT admin can (say) log onto specific windows instances in the cloud, with RBAC, even though the enterprise does not replicate its AD in the cloud.

But there’s a potential snag: What if the employee is accessing a cloud-based app, from their home? How can we ensure that the user’s traffic goes through the OpenCloud Access system, and not directly to the cloud? Well, that’s actually pretty easy. NetScaler also contains an authoritative DNS, so it is easy to give the user a particular URL to access their resource. For example, I might go to from anywhere on the planet, and the request would easily be resolved to the OpenCloud Access system used by Citrix. In a nutshell
• The request to access any application or desktop is redirected to or transparently intercepted by OpenCloud Access based on its position in the network
• The user’s identity is validated and privileges are established using records of preference (typically located in an enterprise directory)
• The corresponding AppConnector signs the user in to the requested application without the user ever seeing the associated logon screen
• For applications using SAML or other federated authentication technologies, all that is required is to configure them to point to OpenCloud Access as the authoritative source for identity information
• Once the logon process is complete, OpenCloud Access allows direct communication between user and application.

OpenCloud Access is in my view one of the most important Citrix portfolio additions because it permits the user to be unaware of contextual, device / OS or other bindings. The user is truly free to use any device, with an consistent, seamless access user experience.