
u90ac (u90ac) asked a question.
Hi,
We are dealing with a scenario where we have to integrate OKTA with an on-prem Citrix NetScaler that provides SaaS (currently authenticating to the back-end AD with LDAP/RADIUS) for an SSO experience to external users.
The issue at hand is that the “external user” technical team have requested that OKTA authenticate said users against their internal back-end AD (which is not in a trust or any other relationship with the one used by the NetScaler above), then forward said users to the NetScaler to grab their SaaS of choice in an SSO manner.
Does OKTA support such a configuration? If yes, what would that look like, and which components in OKTA would we need to utilise to make this happen? If no, what would be the best way to utilise an OKTA/NetScaler integration for the best user experience?
P.S.: I have read that OKTA integrates via SAML with NetScaler as an IdP for an SSO experience, but I am confused as to whether it is offloading the authentication to the NetScaler-connected AD or whether that part is happening on the OKTA side of things.
Looking forward to your reply.
Best regards,
Kosta

Thank you for reaching out to Okta Support; my name is Adrian from the Tier 2 team.
Normally for this configuration, we suggest using a SAML connection between Okta and NetScaler for this matter.
Because in that case you can use delegated auth from Okta and allow all the AD users to log in to Okta (SP-initiated with NetScaler as well) with AD credentials.
https://help.okta.com/en/prod/Content/Topics/Security/Security_Authentication.htm?cshid=Security_Authentication_AD
We recommend using SAML auth for this matter because the LDAP interface is more restricted for this matter (read-only only, etc.).
Also, if you are facing any problems regarding the Okta->NetScaler configuration, please do not hesitate to open an Okta support ticket for this matter so we can help you troubleshoot the problem/flow.
Hi Adrian, thank you for your reply.
If I understand your response correctly: OKTA is connected using SAML with the NetScaler and performs delegated auth to the AD running on the NetScaler side of things (let's call this Business A).
I fail to understand how users in Business B can utilize their local AD to authenticate into OKTA and get SSO access to the NetScaler apps, since Business A AD ≠ Business B AD and they are not in a trust relationship.
(What am I missing?)
Best regards,
Kosta