Okta

How to Configure SAML 2.0 for Citrix Gateway (formerly NetScaler Gateway)


Read this before you enable SAML

Enabling SAML affects all users of this application: they will no longer be able to sign in through the application's regular login page and will only be able to access the app through the Okta service.

Backup URL

NetScaler Gateway does not provide a backup login URL where users can sign in using their normal username and password.


Supported Features

The Okta/Netscaler Gateway SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


Variables

You will need to copy some of the following variables to use during your Citrix Gateway SAML integration configuration:


Configuration Steps

Select the appropriate configuration instructions:

Configuration steps for Netscaler versions 11.1 and newer

  1. Log in to the Citrix NetScaler admin interface as an administrator.

  2. Navigate to Traffic Management > SSL > Certificates > CA Certificates.

  3. Click Install:

    [screenshot: netscaler_new_a.png]

  4. Certificate-Key Pair Name: Enter okta.cert.

  5. Save the x.509 Certificate as described in Variables, then select Choose File > Local to locate the okta.cert file.

  6. Click Install:

    [screenshot: netscaler_new_b.png]

  7. Navigate to NetScaler Gateway > Policies > Authentication > SAML.

  8. In the main body of the SAML configuration page, select Servers, then click Add:

    [screenshot: netscaler_new_c.png]

  9. A Create Authentication SAML Server form opens.

  10. Enter the following:

    • Name: Enter any name to define the server settings. We used okta in our example.

    • Redirect URL: Copy and paste this value from the Variables section above.

    • Single Logout URL: Copy and paste this value from the Variables section above.

    • SAML Binding: Select POST.

    • IDP Certificate Name: Select the okta.cert certificate from the dropdown list.

    • User Field: Enter NameID.

    • Signing Certificate Name: Select the name of the certificate bound to your Citrix Gateway VIP.

    • Issuer Name: Copy and paste this value from the Variables section above.

    [screenshot: netscaler_newa.png]

    • Signature Algorithm: Select RSA-SHA256.

    • Digest Algorithm: Select SHA256.

    [screenshot: netscaler_newb.png]

    • Click Create.

  11. Select Policies.

  12. Click Add to add new policy.

  13. [screenshot: netscaler_new_g.png]

  14. A Create Authentication SAML Policy form opens.

  15. Enter the following:

    • Name: Name your policy.

    • Server: Use the dropdown menu to select the Server Entry you just created. It may be added by default if it is the only one that exists.

    • Expression: Enter ns_true.

      This makes the policy always active when it is bound to a VIP. A more restrictive expression can be written to control when this SAML policy is used, based on the customer's needs.

    • Click Create.

    [screenshot: netscaler_new_h.png]

  16. You now need to add this SAML authentication policy as the primary authentication policy:

    1. Navigate to NetScaler Gateway > Virtual Servers.

    2. Select the required virtual server:

    3. [screenshot: netscaler_new_i.png]

    4. In the Properties of your NetScaler VIP, edit the Basic Authentication settings:

    5. [screenshot: netscaler_new_j.png]

    6. Unbind any existing authentication policies:

    7. [screenshot: netscaler_new_k.png]

    8. Click the + (plus) button:

    9. [screenshot: netscaler_new_l.png]

    10. Choose Policy: Select SAML.

    11. Choose Type: Select Primary.

    12. Click Continue:

    13. [screenshot: netscaler_new_m.png]

    14. Under Policy Binding, select the policy you created in steps 12-14 above.

    15. Click Bind.

    16. [screenshot: netscaler_new_n.png]

    17. As a result, the SAML policy is the only policy listed under the Basic Authentication section:

    18. [screenshot: netscaler_new_o.png]

    19. Scroll down to the bottom of the page.

    20. Click DONE.

  17. Done!


Configuration steps for Netscaler versions 11 and older

  1. Log in to the Citrix NetScaler admin interface as an administrator.

  2. Navigate to NetScaler Gateway > Policies > Authentication > SAML.

  3. In the main body of the SAML configuration page, select Servers, then click Add:

    [screenshot: netscaler2.png]

  4. A Create Authentication SAML Server form opens.

  5. Enter the following:

    [screenshot: netscaler3.png]

  6. Back in the SAML section, select the Policies tab, then click Add:

    [screenshot: netscaler7.png]

  7. A Create Authentication SAML Policy form opens.

  8. Enter the following information:

    • Name: Name your policy.

    • Server: Use the dropdown menu to select the Server Entry you just created. It may be added by default if it is the only one that exists.

    • Expression: Enter ns_true.

      This makes the policy always active when it is bound to a VIP. A more restrictive expression can be written to control when this SAML policy is used, based on the customer's needs.

    • Click OK.

    [screenshot: netscaler8.png]

  9. You now need to add this SAML authentication policy as the primary authentication policy:

    • In the Properties of your NetScaler VIP, edit the Authentication settings.

    • Remove any other policies and add SAML as the Primary policy as shown below.

    • Save your changes.

    [screenshot: netscaler9.png]

  10. Done!
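The SAML server settings entered in step 10 of the 11.1+ procedure (and in the equivalent form of the 11 and older procedure) each correspond to a check the gateway applies to the SAML Response Okta posts back. The following Python script is an added example, not Okta or Citrix code: it shows what those settings mean on the wire by checking a constructed SAML Response against a configured Issuer Name, the gateway's assertion consumer URL and audience, the RSA-SHA256/SHA256 algorithm choice, the Conditions validity window, and the NameID used as User Field. The issuer value, the gateway URLs (including the /cgi/samlauth path) and the XML are placeholders chosen for illustration. The script checks structure and policy only; it does not verify the XML signature cryptographically, which requires XML canonicalization and a maintained XML-DSig library.

```python
"""Policy checks on a SAML Response, mirroring the Citrix Gateway SAML server
settings (Issuer Name, User Field = NameID, RSA-SHA256 / SHA256 algorithms).
Added example; all identifiers and the sample XML below are constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Algorithm URIs that correspond to the RSA-SHA256 / SHA256 settings.
ALLOWED_SIGNATURE_ALGS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
ALLOWED_DIGEST_ALGS = {"http://www.w3.org/2001/04/xmlenc#sha256"}


def _utc(ts):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected_issuer, expected_destination,
                   expected_audience, now, skew=timedelta(minutes=2)):
    """Return (name_id, problems); name_id is None unless problems is empty."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return None, ["root element is not samlp:Response"]

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")

    # Destination must be this gateway's assertion consumer URL.
    if root.get("Destination") != expected_destination:
        problems.append("Destination %r != %r" % (root.get("Destination"), expected_destination))

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return None, problems + ["expected exactly one plaintext saml:Assertion"]
    assertion = assertions[0]

    # Issuer Name setting: Response and Assertion issuers must both match.
    for el in (root, assertion):
        issuer = el.findtext("saml:Issuer", default="", namespaces=NS)
        if issuer != expected_issuer:
            problems.append("issuer %r != %r" % (issuer, expected_issuer))

    # Signature Algorithm / Digest Algorithm settings: reject weaker choices.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is not signed")
    else:
        sig_alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        if sig_alg is None or sig_alg.get("Algorithm") not in ALLOWED_SIGNATURE_ALGS:
            problems.append("signature algorithm not allowed")
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            dig = ref.find("ds:DigestMethod", NS)
            if dig is None or dig.get("Algorithm") not in ALLOWED_DIGEST_ALGS:
                problems.append("digest algorithm not allowed")
            if ref.get("URI") != "#" + assertion.get("ID", ""):
                problems.append("signature reference does not cover the assertion")

    # Conditions: validity window (allowing small clock skew) and audience.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now + skew < _utc(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _utc(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("audience %r not in %r" % (expected_audience, audiences))

    # User Field = NameID: the value the gateway takes as the user name.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        problems.append("no NameID in Subject")

    return (name_id if not problems else None), problems


# Constructed sample values (placeholders, not real Okta or gateway identifiers).
ISSUER = "http://www.okta.com/exkEXAMPLEISSUER"
ACS_URL = "https://gateway.example.com/cgi/samlauth"   # assumed gateway ACS path
AUDIENCE = "https://gateway.example.com"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
  Destination="https://gateway.example.com/cgi/samlauth">
  <saml:Issuer>http://www.okta.com/exkEXAMPLEISSUER</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>http://www.okta.com/exkEXAMPLEISSUER</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_a1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:58:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://gateway.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, ISSUER, ACS_URL, AUDIENCE, NOW))
```

Running the script on the sample prints the NameID and an empty problem list. Swapping the signature algorithm for RSA-SHA1, changing the expected issuer, or evaluating the response after NotOnOrAfter each produces a non-empty problem list and no NameID, which is the behaviour you want the gateway's Issuer Name and algorithm settings to enforce.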



Notes

SP-initiated SSO

Open your portal login URL.