Citrix NetScaler Gateway integrates with Okta both directly using SAML or oAuth, and indirectly using RADIUS. Using Okta SAML for authentication, including support for MFA, provides a highly secure authentication process. It allows for a single re-directed login to happen at the NetScaler Gateway login page as well as supporting SSO directly from the Okta tenant portal page. This guide explains how to configure Citrix NetScaler Gateway to use Okta SAML authentication.
It is important to know that full SSO into a Citrix XenApp/XenDesktop environment requires the configuration of Citrix Federated Authentication Service (FAS).
This guide has been verified with the following NetScaler Gateway versions:
The following versions of Citrix support SAML authentication:
Citrix XenApp 6.5 (using KCD)
Citrix XenApp/XenDesktop 7.9+
The following Citrix clients have been validated:
Citrix Web Receiver
Supported Okta Features
Authentication with Okta Credentials via RADIUS
Authentication with Okta Credentials via SAML
Multi-factor authentication via RADIUS
Multi-factor authentication via SAML
Group memberships/Attributes via RADIUS
** NetScaler will pass the username and password to storefront for AD group permissions
Create and configure an Okta application
Assign the application to the users who will log in via SAML
Log in as a super admin to your Okta tenant.
Navigate to the Applications section, click Add Application and search for Citrix.
Find the application labeled Citrix NetScaler Gateway. It should indicate that it supports SAML and is Okta Verified.
Configure your Okta application using this template as follows:
Provide it a label that is clear to your users.
Login URL = HTTPS FQDN of your NetScaler gateway portal site.
Under Sign On Methods select SAML 2.0.
Click View Setup Instructions. This information will be used to configure the SAML policies on the NetScaler. Copy this information for later use and download the x.509 Certificate. Close the View Setup Instructions screen to return to the setup.
Assign to People
You can assign this to individual users in this screen, but it is recommended that you do not assign to anyone yet and just click Next.
At this final screen click Done.
You can now click on the Groups section and add groups of users to access this.
Bind the SAML policy as the only primary policy to the gateway VIP.
Note: Beginning with Netscaler version 11.1, it is necessary to install your certificate under CA Certificates instead of Server Certificates. You can still upload your Okta certificate under CA Certificates in Netscaler. There is no need to get a new certificate from Okta.
Log into the Citrix NetScaler admin interface with admin rights.
Navigate to the Configuration tab
From the Configuration page, select Traffic Management > SSL > Certificates.
Important: If you are using Netscaler 11.1, select Traffic Management > SSL > CA Certificates.
Certificate-Key Pair Name*: Enter an easy to identify name.
Certificate File Name*: Click the down arrow next to the Browse button and select local. Then search for and select the x.509 certificate you downloaded from Okta earlier.
Key File Name: Leave this field empty, and leave the rest of the default values.
From the Configuration page, select NetScaler Gateway > Policies > Authentication > SAML.
Select the Servers tab, then click Add:
In the Create Authentication SAML Server form, complete the following sections. This is where you will use the information you copied from the View Setup Instructions page from Okta.
Name: Give the server an easy to understand name.
IDP certificate Name: Select the one you imported earlier.
Redirect URL*: Enter the value from the View Setup Instructions page from Okta.
Single Logout URL: Enter the value from the View Setup Instructions page from Okta.
User Field: This should be Name ID unless another identifier is being used. You can verify this by examining a SAML assertion from an Okta SAML test login: check the NameID element, which specifies the nameid-format Okta sends.
Signing Certificate Name: Enter the certificate for your Gateway VIP.
Issuer Name: Enter your Gateway VIP URL.
Scroll down to the Signature Algorithm section:
Make sure the settings match the values listed below.
Signature Algorithm: RSA-SHA256
Digest Method: SHA256
SAML Binding: POST
Click OK to save the server definition.
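Before filling in the server form it helps to confirm what Okta actually sends. The following script is an added example, not part of this guide or of any Citrix or Okta tooling: it parses a constructed SAML response (a placeholder, not a real capture; the Okta issuer and gateway URL are assumed values) and reports the Issuer, the NameID format that decides the User Field setting, and the signature and digest algorithms, flagging anything that would not match the RSA-SHA256 / SHA256 / Gateway URL values above.

```python
import xml.etree.ElementTree as ET

# XML namespaces used by a SAML 2.0 response and its enveloped XML signature.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Algorithm URIs that correspond to the Signature Algorithm / Digest Method values in the guide.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
# Constructed sample of a base64-decoded Okta SAML response (not a real capture; issuer and
# gateway host are placeholders). The Signature is reduced to SignedInfo, which is all we read.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://gateway.example.com/cgi/samlauth">
 <saml:Assertion><saml:Issuer>http://www.okta.com/exk_EXAMPLE</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
   <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID></saml:Subject>
 </saml:Assertion></samlp:Response>"""

def inspect_response(xml_text):
    """Extract the values the NetScaler SAML server form asks for from a decoded SAML response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no saml:Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    sig = assertion.find("ds:Signature/ds:SignedInfo", NS)  # Okta signs the Assertion itself
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "nameid_format": None if name_id is None else name_id.get("Format"),
        "signed": sig is not None,
        "signature_alg": None if sig is None else sig.find("ds:SignatureMethod", NS).get("Algorithm"),
        "digest_method": None if sig is None else sig.find("ds:Reference/ds:DigestMethod", NS).get("Algorithm"),
    }

def check_against_guide(info, gateway_url):
    """List mismatches between what Okta sends and the settings this guide tells you to enter."""
    problems = []
    if not info["signed"]:
        problems.append("assertion is unsigned; NetScaler cannot verify it with the imported Okta certificate")
    if info["signature_alg"] != RSA_SHA256:
        problems.append("Signature Algorithm must be RSA-SHA256, response uses %s" % info["signature_alg"])
    if info["digest_method"] != SHA256:
        problems.append("Digest Method must be SHA256, response uses %s" % info["digest_method"])
    if info["destination"] and not info["destination"].startswith(gateway_url.rstrip("/") + "/"):
        problems.append("Destination %s is not under the Gateway URL %s" % (info["destination"], gateway_url))
    return problems
```

To use it on a real login, base64-decode the SAMLResponse form field captured from a browser's developer tools and pass the resulting XML to inspect_response; an empty list from check_against_guide means the form values above are consistent with what Okta sends.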
Back in the SAML section, select the Policies tab, then click Add:
Enter the following in the Create Authentication SAML Policy form:
Name: Give the policy an easy to understand name.
Server*: Use the drop down menu to select the Server Entry you just created. Note that it may be added by default if it is the only one.
Expression*: Enter ns_true as the value. This makes the policy always active when bound to a VIP. A more restrictive expression can be created to control when this SAML policy is used, based on the customer's needs.
Click OK to save the policy.
In the left hand tree, select Virtual Servers under NetScaler Gateway section:
Locate the virtual server you wish to bind Okta SAML to.
Scroll down to the Authentication section and unbind any existing policies and close the Authentication sub-window.
Back in the Virtual Server configuration screen, in the Authentication section, select the + (plus) icon on the right hand side of the section title:
In the Choose Policy* option select SAML. In the Choose Type* option select Primary. Click Continue.
In the Policy Binding section, click the > icon to select the SAML policy you created above. Click the radio button to the left of the policy and click OK (or Select).
Set the Priority to 100 and click Bind.
Back at the Virtual Server configuration screen scroll to the end and click on Done.
This completes the configuration and you can now test logins.
End User Experience
Your end users' experience will depend on whether you have your users go to your NetScaler Gateway Login page or login via the Okta user portal.
When a user goes to the NetScaler Gateway login page, they are auto-redirected to the Okta login page. After they login, they are then redirected back to the NetScaler Gateway portal and then logged into Storefront and presented with their apps. They will only have access to Citrix apps via Storefront.
When a user logs into their Okta user portal, they will see the icon for their NetScaler Gateway site; when they click on it, a new web page will open and SSO them into Storefront for access to their Citrix apps.
It is important to remember that SAML SSO only works via the users’ web browser and is not currently supported via the native or mobile Citrix clients.
The video below depicts the experience your end users can expect:
NetScaler Gateway also does not currently have a solution for self-service password reset. Using Okta for SAML SSO provides a login page that gives users the ability to reset their password or unlock their account.