Okta Classic Engine · Okta Integration Network · Answered · 2024-12-12 · 2016-02-12 · 2019-10-22
SAML through Netscaler to Citrix Storefront - anyone?
Hi All, we've been fighting with this setup for a while now and coming up empty-handed so far.  We have NetScaler v11 (supports SAML) connected to Okta.  Then we have StoreFront 3.01 with XenApp 7.6.  After version 7.x of XenApp Citrix removed the ability to do SAML auth all the way into StoreFront.  There are guides out there to configure this but they generally require XenApp 6.5 which is out of support.  I know this is more of a Citrix question but I post it here just in case anyone has managed the type of setup we're going to attempt: SAML into the NetScaler, then non-pass-through auth (user is prompted for local AD domain credentials) to authenticate to StoreFront and XenApp.  If you have this working another way let me know.  We were going to try the RADIUS route with SWA but can't due to some requirements in AD and with our project team.
  • j5v7c (j5v7c)

    We are in the same boat here and we were curious if you found a solution to this problem.  Any luck?
  • zksta (zksta)

    Got exactly the same requirement - need to configure OKTA for SAML through Netscaler to Citrix Storefront for our Xenapp environment.
  • j5v7c (j5v7c)

    Hi Everyone, original poster here.  So here's what I've learned through much trial and error.  For complete pass-through with SAML you simply cannot do this in XenApp 7.6.  You can hack it with some HTTP rewrites at the NetScaler to do SAML at the NetScaler and then manual auth to XenApp but that's not too great.  In the middle of this I emailed a person at Citrix who wrote the old SAML article referencing XA 6.5 and SF 2.6.  He remembered my email and sent over this link.  Looks like XA 7.8 is going to maybe bring SAML back!

    https://www.citrix.com/blogs/2016/03/03/saml-authentication-technology-preview-for-xenapp-and-xendesktop

    After talking to Okta you can do a SWA app and use RADIUS to enforce multifactor, we just wanted to avoid SWA as much as we could.
  • RuffI.62455 (Customer)

    Hey John,

    Did the RADIUS multifactor work with the Native Receiver app? Or just for Receiver for Web? We've been getting an additional passcode field on the native receivers. Thanks for any info.
  • Hugh Kelley (Customer)

    I'd also like to hear about the Native Receiver vs Web. How have people integrated Okta MFA (RADIUS) with native receivers? How are you handling the Okta AccessChallenge message that asks the user to select a mode?
  • azfzu (azfzu)

    Now that XenApp and XenDesktop 7.11 are out, anyone know if this feature has been re-instated?

    Thanks.
  • r4x8p (r4x8p)

    I too would like to know if this has been implemented.
  • JasonR.92494 (Customer)

    Hi everyone, we have it working and have implemented it with a customer as well. However you need to upgrade: 7.8 at the very least, but 7.9 onwards is an easier implementation, though you may not like the way it's configured. You need to use the new Federated Authentication Service (FAS), which uses the only available supported method to authenticate with AD using SAML from Citrix authentication. Also, this is only for Receiver for Web; the native client is not supported yet. And we're seeing some issues with opening ICA files from Okta Mobile on the latest version of Citrix XenDesktop/App and SF. Web site access is fine and passes completely through. FAS relies on smart card authentication through certificates so you'll need to secure this side of your infrastructure down heavily. Our setup is NetScaler Gateway > StoreFront 3.x > XenDesktop/App 7.12 > FAS > MS Certificate Services. There is a lot of documentation on this now and it's growing every day. Note, they won't be bringing back the old auth methods available in 6.x and prior, so FAS is the only way if you want to use SAML with Citrix. I'm hoping they'll develop the functionality for the native client.... it is possible as it works with other locally installed clients, e.g. BOMGAR.
  • 6yp7t (6yp7t)

    Hi Jason and all other techies,

    We currently encounter a "Cannot Complete your Request" error when successfully logged in through Okta on the NetScaler to the StoreFront.

    In the StoreFront we see the following event log error:

        CitrixAGBasic single sign-on failed because the credentials failed verification with reason: FailedPasswordComplexity.

        The credentials supplied were;

        user: username

        domain: xxxx

    Our setup is NetScaler 11.1, StoreFront 3.8 and XenDesktop 7.12.

    Gr.

    Wesley
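As an added example, not part of this thread and not Citrix or Okta code: a small Python triage helper that parses StoreFront "CitrixAGBasic single sign-on failed" event text of the form Wesley quoted, extracts the failure reason, user and domain, and summarises how many events share each reason. It assumes the event text keeps exactly the layout quoted above (reason on the first line, then "user:" and "domain:" lines); the sample events, user names and domain below are constructed for the example, and the hint text for FailedPasswordComplexity only restates what this thread discusses (a SAML login at the gateway leaves no AD password to pass through, which is the situation FAS addresses).

```python
import re
from collections import Counter

# Matches the StoreFront event text as quoted in the thread. The optional
# group picks up the "user:" and "domain:" lines that follow the reason.
EVENT_RE = re.compile(
    r"CitrixAGBasic single sign-on failed because the credentials failed "
    r"verification with reason: (?P<reason>\w+)\."
    r"(?:.*?user: (?P<user>\S+).*?domain: (?P<domain>\S+))?",
    re.DOTALL,
)

# Operator hints, limited to the reason string that appears in this thread.
# Placeholder text for any other reason is returned by triage() instead.
REASON_HINTS = {
    "FailedPasswordComplexity": (
        "StoreFront received a pass-through credential that is not a valid AD "
        "password. After a SAML login at the gateway there is no AD password to "
        "forward; the thread points at FAS (or a missing FAS/CA permission step)."
    ),
}

# Constructed sample events in the quoted layout (users/domain are placeholders).
SAMPLE_EVENTS = [
    "CitrixAGBasic single sign-on failed because the credentials failed "
    "verification with reason: FailedPasswordComplexity.\n"
    "The credentials supplied were;\nuser: alice.example\ndomain: EXAMPLE",
    "CitrixAGBasic single sign-on failed because the credentials failed "
    "verification with reason: FailedPasswordComplexity.\n"
    "The credentials supplied were;\nuser: bob.example\ndomain: EXAMPLE",
    # An unrelated constructed event, to show that non-matching text is counted
    # separately rather than silently dropped.
    "Constructed unrelated StoreFront event text",
]


def parse_event(text):
    """Return {reason, user, domain} for a matching event, or None."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    return {
        "reason": m.group("reason"),
        "user": m.group("user"),
        "domain": m.group("domain"),
    }


def triage(events):
    """Group parsed events by failure reason and attach an operator hint."""
    parsed = [parse_event(e) for e in events]
    records = [r for r in parsed if r is not None]
    by_reason = Counter(r["reason"] for r in records)
    return {
        "total": len(events),
        "unparsed": len(events) - len(records),
        "by_reason": dict(by_reason),
        "users": sorted({r["user"] for r in records if r["user"]}),
        "hints": {
            reason: REASON_HINTS.get(reason, "no hint recorded for this reason")
            for reason in by_reason
        },
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENTS)
    for reason, count in summary["by_reason"].items():
        print(f"{reason}: {count} event(s) for users {summary['users']}")
        print(f"  hint: {summary['hints'][reason]}")
    print(f"unparsed events: {summary['unparsed']} of {summary['total']}")
```

Feed it the message text of StoreFront application-log events (one string per event); a burst of FailedPasswordComplexity entries for many distinct users right after a SAML cutover is the pattern worth alerting on, since it means every SSO attempt is failing in the same way rather than one user mistyping a password.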
  • JasonR.92494 (Customer)

    Hi Wesley,

    Are you using FAS? Is this your first attempt at SAML or are you using SWA? Note that if using SAML there is no other way currently to authenticate correctly to StoreFront and access applications without FAS (Federated Authentication Service). The error reminds me of when I first attempted to set up SAML with Citrix, so it may be that you either don't have FAS or you have missed a step in the permissions side of the configuration on the Certificate Authority. There has been a recent development in collaboration between Okta and Citrix which I hope will iron out the bugs and hopefully produce a full set of guidelines. Also, we've found one issue when using Okta Mobile where the Receiver app will simply not open ICA files, either using SAML or SWA. Native browsers work, but Okta have confirmed the Okta Mobile app will not process ICA files currently. 😞
This question is closed.