John Howie

SAML through Netscaler to Citrix Storefront - anyone?

Hi All, we've been fighting with this setup for a while now and coming up empty-handed so far.  We have netscaler v11 (supports saml) connected to Okta.  Then we have storefront 3.01 with xenapp 7.6.  After version 7.x of xenapp Citrix removed the ability to do saml auth all the way into storefront.  There are guides out there to configure this but they generally require xenapp 6.5, which is out of support.  I know this is more of a Citrix question but I post it here just in case anyone has managed the type of setup we're going to attempt: SAML into the Netscaler, then non-pass-through auth (user is prompted for local AD domain credentials) to authenticate to storefront and xenapp.  If you have this working another way let me know.  We were going to try the radius route with SWA but can't due to some requirements in AD and with our project team.
Bill Blaney
We are in the same boat here and we were curious if you found a solution to this problem.  Any luck?
Jon Walsh
Got exactly the same requirement - need to configure OKTA for SAML through Netscaler to Citrix Storefront for our Xenapp environment.
John Howie
Hi Everyone, original poster here.  So here's what I've learned through much trial and error.  For complete pass-through with SAML you simply cannot do this in xenapp 7.6.  You can hack it with some http rewrites at the netscaler to do saml at the netscaler and then manual auth to xenapp, but that's not too great.  In the middle of this I emailed a person at Citrix who wrote the old SAML article referencing XA 6.5 and SF 2.6.  He remembered my email and sent over this link.  Looks like XA 7.8 is going to maybe bring SAML back!

After talking to Okta you can do a swa app and use radius to enforce multifactor, we just wanted to avoid SWA as much as we could.
Ruff Into
Hey John,

Did the radius multifactor work with the Native Receiver app, or just for the Receiver Web? We've been getting an additional passcode field on the native receivers. Thanks for any info.

Hugh Kelley
I'd also like to hear about the Native Receiver vs Web. How have people integrated Okta MFA (RADIUS) with native receivers? How are you handling the Okta AccessChallenge message that asks the user to select a mode?
Gerson Alvarez
Now that XenApp and XenDesktop 7.11 are out, anyone know if this feature has been reinstated?

Taylor MacMillan
I too would like to know if this has been implemented.
Jason Rogers
Hi everyone, we have it working and have implemented it with a customer as well. However, you need to upgrade: 7.8 at the very least, but 7.9 onwards is an easier implementation, though you may not like the way it's configured. You need to use the new Federated Authentication Service (FAS), which uses the only available supported method to authenticate with AD using SAML from Citrix authentication. Also, this is only for Receiver for Web; the native client is not supported yet. And we're seeing some issues with opening ICA files from OKTA Mobile on the latest version of Citrix XenDesktop/App and SF. Web site access is fine and passes completely through. FAS relies on Smart Card authentication through certificates, so you'll need to secure this side of your infrastructure down heavily. Our set up is Netscaler gateway > StoreFront 3.x > XenDesktop/App 7.12 > FAS > MS Certificate Services. There is a lot of documentation on this now and it's growing every day. Note, they won't be bringing back the old auth methods available in 6.x and prior, so FAS is the only way if you want to use SAML with Citrix. I'm hoping they'll develop the functionality for the native client.... it is possible, as it works with other locally installed clients, e.g. BOMGAR.
Wesley Niels
Hi Jason and all other techies,

We currently encounter a "Cannot Complete your Request" error when successfully logged in through Okta on the Netscaler to the StoreFront.

In the StoreFront we see the following eventlog error:

CitrixAGBasic single sign-on failed because the credentials failed verification with reason: FailedPasswordComplexity.

The credentials supplied were;
user: username
domain: xxxx

Our setup is Netscaler 11.1, StoreFront 3.8 and XenDesktop 7.12.

Jason Rogers
Hi Wesley,

Are you using FAS? Is this your first attempt at SAML or are you using SWA? Note that if using SAML there is no other way currently to authenticate correctly to Storefront and access applications without FAS (Federated Authentication Service). The error reminds me of when I first attempted to set up SAML with Citrix, so it may be that you either don't have FAS or you have missed a step in the permissions side of the configuration on the Certificate Authority. There has been a recent development in collaboration between OKTA and Citrix which I hope will iron out the bugs and hopefully produce a full set of guidelines. Also, we've found one issue when using OKTA Mobile where the receiver app will simply not open ICA files, either using SAML or SWA. Native browsers work, but OKTA have confirmed the OKTA Mobile app will not process ICA files currently. :(
Jason Rogers
Oh, and an update on the mention of collaboration between Citrix and OKTA... I've heard they are working on hybrid connections so that the native Citrix app will hopefully work off SAML as well and not just the Citrix web app... My hope is that this will progress to deep links passing through from Okta to Citrix apps directly. :)
Lee Milam
It is possible using Okta to SAML into any version of Citrix. The solution would use both a SAML OAN and a SWA POST OAN. On the NetScaler you would bind both the SAML policy to Okta and then also bind an LDAP policy to NetScaler. The flow would be that when users try to log in they are first redirected to Okta for the SAML auth, then when that is complete the LDAP login would be presented. Create and bind a responder policy that redirects the LDAP login to the Okta POST OAN that will use the existing Okta session and sign the user in. The key is that when creating the SAML auth on NetScaler there is an option to enable a second factor; this will use the LDAP policy bound to the VIP. The responder policy will call the Okta POST so that the users are not prompted and get an SSO experience, and U/P is provided to Storefront.
Jason Rogers
That's an interesting method Lee, and would likely help those who are stuck on 7.6 versions. I'd still recommend upgrading to at least 7.9 (tested also on 7.10 and 7.12 successfully), as then you only need the one authentication source, being SAML to OKTA. There is another method for SAML direct to StoreFront now but it's only for internal and I've not tested it to see if it works with the external method in place as well. Carl Stalhood has some great articles on this on the Citrix user group pages.
Matthew Martinko
I've got SAML working on the Netscaler; it's passing the user through to the StoreFront correctly. The user's provisioned apps are displayed properly. At this point, when a user clicks on a published app, the Windows login screen of our app server pops up. It eventually times out and fails to launch. It's as if the DC or VDA server isn't recognizing the authenticated user. If I provide the credentials manually the app launches. Has anyone else experienced this?

SAML on Netscaler>StoreFront>Delivery Controller>VDA Servers
Jason Rogers
I've seen this (AD Agent sept 22). I'm trying to recall the issue, but I do know I found out why from the Windows logs. The issue was on the authentication to the VDAs... possibly an issue with the permissions configured on the FAS servers. What version are you using for XenApp/Desktop, and are there any errors in the Windows logs of the VDAs or FAS servers?
Matthew Martinko
I spoke with Citrix support and we had to enable a Group Policy setting on the client PC to enable 'Allow pass-through authentication for all ICA connections' to get this working. This isn't a suitable solution as we are not controlling all of the devices that access our Citrix portal. Some are personal PCs, Macs, iPads, etc. It seems as though the StoreFront doesn't retain the SAML token from the Netscaler and can't pass it to the VDA server. They get around this by using pass-through authentication. The SAML authentication is pointless in our set up. Maybe I'm missing something here. Can this be accomplished some other way? I would like the Citrix Portal / Netscaler secured by Okta so I can easily implement MFA.
Matthew Martinko
I was able to resolve the issue by installing FAS. I was under the impression that this wasn't needed in the later releases. I followed this article; it looks worse than it is.
SSO is functioning properly now all the way down to the VDA servers. Thanks!