https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka02a000000xafdsa0&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2fcitrix-netscaler-gateway-saml-configuration-guide
Citrix NetScaler Gateway SAML Configuration Guide
Published: Jan 12, 2017   -   Updated: Jun 22, 2018

Overview

Citrix NetScaler Gateway integrates with Okta directly, using SAML or OAuth, and indirectly, using RADIUS. Authenticating with Okta over SAML, including Okta MFA, means users enter their credentials only at Okta, never at the Gateway. A user who starts at the NetScaler Gateway login page is redirected once to Okta and back; SSO directly from the Okta end-user portal is also supported. This guide explains how to configure Citrix NetScaler Gateway to use Okta SAML authentication.

Note that a SAML login gives NetScaler no user password to pass on, so full SSO into a Citrix XenApp/XenDesktop environment requires Citrix Federated Authentication Service (FAS).

This guide has been verified with the following NetScaler Gateway versions:

  • Version 10.5.x

  • Version 11.0.x

  • Version 11.1.x

The following versions of Citrix support SAML authentication:

  • Citrix XenApp 6.5 (using KCD)

  • Citrix XenApp/XenDesktop 7.9+

The following Citrix clients have been validated:

  • Citrix Web Receiver


Supported Okta Features

Feature                                           Supported
Authentication with Okta Credentials via RADIUS   Yes
Authentication with Okta Credentials via SAML     Yes
Multi-factor authentication via RADIUS            Yes
Multi-factor authentication via SAML              Yes
Group memberships/Attributes via RADIUS           Yes **

** NetScaler passes the username and password to StoreFront, which evaluates AD group permissions.


Configuring Okta

Process Overview

  • Create and configure an Okta application

  • Assign the application to the users who will login via SAML

Procedure

  1. Log in to your Okta tenant as a super admin.

  2. Navigate to the Applications section, click Add Application and search for Citrix.

  3. Find the application labeled Citrix NetScaler Gateway. It should show that it supports SAML and carries the Okta Verified badge.

  4. Configure your Okta application using this template as follows:

    • General Settings

      • Provide it a label that is clear to your users.

      • Login URL = HTTPS FQDN of your NetScaler gateway portal site.

      • Click Next.

    • Sign-On Options

      • Under Sign On Methods select SAML 2.0.

      • Click View Setup Instructions. This information is used to configure the SAML policies on the NetScaler. Copy it for later use and download the X.509 certificate (the certificate Okta signs its assertions with). Close the View Setup Instructions screen to return to the setup.

      • Click Next.

    • Assign to People

      • You can assign this to individual users in this screen, but it is recommended that you do not assign to anyone yet and just click Next.

      • At this final screen click Done.

      • You can now click on the Groups section and add groups of users to access this.

Okta is now configured.


Configuring Citrix NetScaler

Process Overview

Procedures

Note: Beginning with NetScaler version 11.1, the Okta certificate is installed under CA Certificates rather than Server Certificates. It is the same certificate downloaded from Okta; there is no need to obtain a new one.


  1. Log into the Citrix NetScaler admin interface with admin rights.

  2. Navigate to the Configuration tab

  3. From the Configuration page, select Traffic Management > SSL > Certificates.

    Important: If you are using NetScaler 11.1, select Traffic Management > SSL > CA Certificates.

    • Click Install:


    • Certificate-Key Pair Name*: Enter an easy to identify name.

    • Certificate File Name*: Click the down arrow next to the Browse button and select Local. Then locate and select the X.509 certificate you downloaded from Okta earlier.

    • Key File Name: Leave this field empty, and leave the rest of the default values.

    • Click Install.

  4. From the Configuration page, select NetScaler Gateway > Policies > Authentication > SAML.

  5. Select the Servers tab, then click Add:


  6. In the Create Authentication SAML Server form, complete the following sections. This is where you will use the information you copied from the View Setup Instructions page from Okta.


    • Name: Give the server an easy to understand name.

    • IDP certificate Name: Select the one you imported earlier.

    • Redirect URL*: Enter the value from the View Setup Instructions page from Okta.

    • Single Logout URL: Enter the value from the View Setup Instructions page from Okta.

    • User Field: Name ID, unless another identifier is being used. To verify, capture the SAML assertion from an Okta test login (for example with the browser's developer tools) and inspect the Subject's NameID element: its value is the username NetScaler will use, and its Format attribute shows the nameid-format Okta is sending.

    • Signing Certificate Name: Select the server certificate bound to your Gateway VIP. NetScaler uses it to sign the authentication requests it sends to Okta.

    • Issuer Name: Enter your Gateway VIP URL. This is the Gateway's SP entity ID: NetScaler sends it as the Issuer of its requests, and the Audience in the assertion Okta returns must match it, or the assertion is rejected.

    • Scroll down to the Signature Algorithm section and set the following:

      • Signature Algorithm: RSA-SHA256

      • Digest Method: SHA256

      • SAML Binding: POST

  7. Click OK to save the server definition.

  8. Back in the SAML section, select the Policies tab, then click Add:


  9. Enter the following in the Create Authentication SAML Policy form:


    • Name: Give the policy an easy to understand name.

    • Server*: Use the drop down menu to select the Server Entry you just created. Note that it may be added by default if it is the only one.

    • Expression*: Enter ns_true. This makes the policy apply to every request on the virtual server it is bound to. A more restrictive expression can be used to control when this SAML policy applies, based on the customer's needs.

    • Click OK to save the policy.

  10. In the left hand tree, select Virtual Servers under NetScaler Gateway section:


  11. Locate the virtual server you wish to bind Okta SAML to.

    • Click Edit.

    • Scroll down to the Authentication section and unbind any existing policies and close the Authentication sub-window.

  12. Back in the Virtual Server configuration screen, in the Authentication section, select the + (plus) icon on the right hand side of the section title:


  13. In the Choose Policy* option select SAML. In the Choose Type* option select Primary. Click Continue.


  14. In the Policy Binding section, click the > icon to select the SAML policy you created above. Select the radio button to the left of the policy and click OK (or Select).

  15. Set the Priority to 100 and click Bind.


  16. Back at the Virtual Server configuration screen scroll to the end and click on Done.


This completes the configuration and you can now test logins.
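As an added example (not part of the Okta article and not Citrix or Okta tooling), the following Python script decodes a SAMLResponse captured from a test login and reports the fields the SAML server definition in step 6 must agree with: the IdP issuer, the Subject NameID and its Format (the User Field), the Audience (which must equal the NetScaler Issuer Name), whether the assertion is signed, and the signature and digest algorithms (RSA-SHA256 / SHA256). The Okta issuer http://www.okta.com/exkEXAMPLE and the Gateway URL https://gateway.example.com are placeholders, and the embedded SAMLResponse is constructed test data with placeholder signature values. The script does not verify the signature; NetScaler does that with the imported Okta certificate.

```python
# Added example: inspect a SAMLResponse against the NetScaler samlAction settings.
# Not from the Okta article; issuer/URL values below are hypothetical placeholders.
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"

IDP_ISSUER = "http://www.okta.com/exkEXAMPLE"        # placeholder: Okta "Identity Provider Issuer"
GATEWAY_ISSUER_NAME = "https://gateway.example.com"  # placeholder: NetScaler "Issuer Name" (SP entity ID)


def constructed_response(signature_alg=RSA_SHA256, digest_alg=SHA256,
                         audience=GATEWAY_ISSUER_NAME, signed=True):
    """Build a constructed (not real) base64 SAMLResponse shaped like Okta's.
    DigestValue/SignatureValue are placeholders; this is inspector test input only."""
    signature = f"""
      <ds:Signature xmlns:ds="{NS['ds']}">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="{signature_alg}"/>
          <ds:Reference URI="#id1">
            <ds:DigestMethod Algorithm="{digest_alg}"/>
            <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
      </ds:Signature>""" if signed else ""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="id0" Version="2.0">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="id1" Version="2.0">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>{signature}
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def summarize(saml_response_b64):
    """Return the assertion fields NetScaler evaluates, as a dict."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (EncryptedAssertion is out of scope here)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    sig = assertion.find("ds:Signature", NS)

    def alg(path):
        el = sig.find(path, NS) if sig is not None else None
        return el.get("Algorithm") if el is not None else None

    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": name_id.text if name_id is not None else None,       # User Field = Name ID
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "assertion_signed": sig is not None,
        "signature_alg": alg("ds:SignedInfo/ds:SignatureMethod"),
        "digest_alg": alg("ds:SignedInfo/ds:Reference/ds:DigestMethod"),
    }


def check_against_gateway(summary, issuer_name=GATEWAY_ISSUER_NAME, idp_issuer=IDP_ISSUER):
    """List mismatches between the assertion and the samlAction settings in the guide."""
    problems = []
    if summary["issuer"] != idp_issuer:
        problems.append(f"IdP issuer {summary['issuer']!r} != expected {idp_issuer!r}")
    if summary["audience"] != issuer_name:
        # NetScaler compares the Audience with its own Issuer Name (the SP entity ID).
        problems.append(f"Audience {summary['audience']!r} != NetScaler Issuer Name {issuer_name!r}")
    if not summary["assertion_signed"]:
        problems.append("Assertion is not signed; NetScaler rejects unsigned assertions by default")
    if summary["signature_alg"] != RSA_SHA256:
        problems.append(f"Signature algorithm is {summary['signature_alg']}, configure RSA-SHA256")
    if summary["digest_alg"] != SHA256:
        problems.append(f"Digest method is {summary['digest_alg']}, configure SHA256")
    if not summary["name_id"]:
        problems.append("NameID is empty; User Field = Name ID would yield no username")
    return problems


if __name__ == "__main__":
    good = summarize(constructed_response())
    print(good, check_against_gateway(good))
    weak = summarize(constructed_response(signature_alg=RSA_SHA1, digest_alg=SHA1))
    print(check_against_gateway(weak))
```

To use it against a real login, capture the SAMLResponse form field the browser POSTs to the Gateway after signing in at Okta (the SAML binding is POST), pass its base64 value to summarize(), and replace the two placeholder constants with the Identity Provider Issuer from the Okta setup instructions and the Issuer Name you entered in step 6. An empty list from check_against_gateway() means the assertion lines up with the settings in the procedure above.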


End User Experience

Your end users' experience will depend on whether you have your users go to your NetScaler Gateway Login page or login via the Okta user portal.

When a user goes to the NetScaler Gateway login page, they are auto-redirected to the Okta login page. After they login, they are then redirected back to the NetScaler Gateway portal and then logged into Storefront and presented with their apps. They will only have access to Citrix apps via Storefront.

When a user logs in to their Okta user portal, they will see the icon for their NetScaler Gateway site; when they click it, a new web page opens and SSOs them into StoreFront for access to their Citrix apps.

It is important to remember that SAML SSO only works via the users’ web browser and is not currently supported via the native or mobile Citrix clients.

The video below depicts the experience your end users can expect:


Additional Considerations

NetScaler Gateway does not currently offer self-service password reset. When Okta handles the login via SAML, the Okta sign-in page gives users the ability to reset their password or unlock their account.


Additional Resources