OKTA SAML integration as an identity provider to Citrix Cloud step by step guide

Citrix now has native Okta OIDC web application integration on Citrix cloud. https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/okta-identity.html and also has the possibility to use SAML integration with Citrix cloud.

Okta SAML integration is a common deployment because customers don’t need to grant Citrix cloud a full read-only API key to the entire organization or to create custom attributes in the okta global user profile. Both of these Okta limitations solved with SAML integration.

For an optimal end-user experience, I would recommend that you deploy a Citrix cloud FAS server to provide single sign-on VDA’s and it will prevent a second logon prompt when opening an app or desktop from the Citrix Virtual Apps and Desktops service. For more information, see Connect Citrix Federated Authentication Service to Citrix Cloud.

Prerequisites/Requirements:

  • SAML IdP for Citrix Workspace requires an Active Directory integration to both Citrix Cloud and OKTA
  • To sync our Active Directory with Okta we will need to install the Okta AD Agent, and then import AD users and groups into Okta (https://help.okta.com/en/prod/Content/Topics/Directory/ad-agent-main.htm). In this guide we are assuming that your Active Directory is synced with your OKTA account.
  • For this integration to work, the SAML identity provider must pass Citrix Cloud certain Active Directory attributes of the user in the SAML assertion. Specifically,
    • SecurityIDentifier (SID)
    • objectGUID (OID)
    • userPrincipalName (UPN)
    • Mail (Email)
  • Create custom attributes in Okta cip_sid, cip_upn, cip_oid,cip_email to map these attributes and include those into the SAML assertion.

Configuration:

  1. Login to OKTA admin portal and Edit profile for OKTA user(default)

2.Select add Attribute

3.Addd these custom fields, (Attribute length greater than 1 and attribute required):

  • cip_sid
  • cip_upn
  • cip_oid
  • cip_email

4. this is the result of the 4 attributes:

5. Map Active Directory Attributes to the Custom Attributes. Select the Active Directory you are using under Users->Directories

6. Select Add Attribute and map the Active Directory attributes to the custom attributes you have created.

  • Appuser.objectSid -> cip_sid
  • Appuser.externalID – > cip_oid
  • Appuser.username -> cip_upn
  • Appuser.email -> cip_email

To ensure that OKTA can see those values you can always test a user in preview

7. Login into https://cloud.citrix.com as admin, click Hamburger icon on top left corner &
click Identity and Access Management

8. Click SAML 2.0 and click Connect

9. You will then be displayed with the Configuration for SAML, We need to leave this page open as we will need it later in the configuration

10. Coming back to OKTA -> Applications -> Add application

11. Click create new app

12. Select Web SAML 2.0

13. Set a Display Name, optional logo, and click next

14. Select Configuration, on this page we will input config from SP side (Citrix Cloud)

15. Back on Citrix Cloud SAML config we will download the SAML metadata file. Also we will need to open.

16. Copy the required URL into OKTA configuration

Note: In case of external citrix cloud the URL will be https://saml.cloud.com/saml/acs and https://saml.cloud.com instead https://saml-internal.cloud.com domain.

Name ID format will be unspecified

Application username will be OKTA username

Response signed and assertion signed

After all the fields are complete click next

17. Attributes Statements

Note, the appuser.xxxx is defined during the integration with AD

In some cases we found that we have to use user.cip_upn …. Instead appuser.cip_upn, please verify the definition of your application in the OKTA integration as the image above.

18. Click next to finish the Okta SAML application.

19. Now we will see the Okta application created, we click in Setup instructions:

20. We will configure the identity provider URL’s from Okta to Citrix Cloud and download X.509 certificate that we will import in Citrix cloud in the next step:

21. We will now use the certificated downloaded from OKTA- We need to rename the file extension from .cert to crt to be able to upload to Citrix cloud

22. We can leave the rest of the fields in as they are and save the configuration in Citrix cloud. The configuration should look like this.

23. We need to make sure that we assign users in OKTA to this SAML application that we have created.

24. In the next steps we will include the attributes in the app. We edit the profile and map like in the image below.

25. We can always test the preview option with any user to verify we are able to pass the values

26. After all this configuration is done we will need to switch the authentication configuration in Workspace configuration. Once we change this setting it takes up to 10 minutes to refresh in Citrix cloud to start testing end user experience

TROUBLESHOOTING

SAML decoder Chrome web extension is a very useful tool to verify SAML workflow :

https://chrome.google.com/webstore/detail/saml-message-decoder/mpabchoaimgbdbbjjieoaeiibojelbhm

We need to verify in the SAML response that we are passing the correct attributes from AD

FAQ

  • What is the dependency on active directory?
    • This feature only supports users who are backed by a local active directory.
  • What service I need to purchase to use SAML IdP?
    • This integration is available at no additional cost with any Workspace service.
  • Why do I need a cloud connector?          
    • This is needed for resource assignment.
  • Can I connect one SAML IdP account to multiple Citrix Cloud accounts?
    • Yes

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.