Citrix Gateway Radius Configuration Guide
The Citrix Gateway now integrates with Okta via RADIUS or SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. 2.0. Using the Okta RADIUS AgentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. allows for authentication, including support for MFA to happen directly at the Citrix Gateway login page. For authentication, the agent translates RADIUS authentication requests from Citrix Gateway into Okta API calls that provide for user authentication. This guide explains how to configure Citrix Gateway to use the Okta RADIUS Agent.
This guide details how to configure Citrix Gateway to use the Okta RADIUS Server Agent.
If you want to integrate with Okta via SAML 2.0, add the Citrix Gateway SAML appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. in Okta by navigating to the Applications tab, select Applications > Add Application, search for Citrix Gateway, then click Add.
This guide has been verified with the following Citrix Gateway versions:
- Version 10.5.x
- Version 11.x
- Version 12.x
- Version 13.0.x
The following Citrix clients have been validated:
- Citrix Web Receiver
- Citrix Windows \ Mac Receiver
- Citrix iOS \ Android Receiver
Supported Okta Features
The following Okta features are supported:
- AuthenticationAuthentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual. Authentication methods and protocols include direct auth, delegated auth, SAML, SWA, WS-Fed, and OpenID Connect. with Okta Credentials via RADIUS
- Authentication with Okta Credentials via SAML
- Multi-factor authentication via RADIUS
- Multi-factor authentication via SAML
- Group memberships/Attributes via RADIUS – passes the username and password to storefront for AD group permissions
Configuring the Citrix Gateway to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.
- Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
- Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
- For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.
After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity
|Okta RADIUS Agent||Okta Identity Cloud||tcp/443
|Configuration and authentication traffic|
|Citrix Gateway||Okta RADIUS Agent||udp/1812 RADIUS (actual port number defined in next step)||RADIUS traffic between the firewall (clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. ) and the RADIUS Agent (server)|
In this step, add the Citrix Gateway app from the OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs. and apply settings specific to your deployment. In this section we will configure the following:
- Authentication configuration
Secret KeyAn Okta-generated string of characters that allows end users to set up (enroll) their mobile device in to Okta Verify. End users enter the Secret Key in the Okta Verify app during the set up process as an alternative to scanning a QR code.
Application Username Format
Note: The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations. For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.
There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending GroupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. information to the firewall.
- In Okta, navigate to Applications > Applications> Add Application, search for Citrix Gateway, and then click Add Application
- Enter a unique name.
Provide the following Sign On values:
- Authentication: Retaining this default button allows Okta to perform primary authentication.
UDP Port: Required. Each RADIUS app has a unique number. Enter it here.
Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the Citrix Gateway app.
Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.
- After completing the setup, assign the app to the users/groups that require access.
For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.
- If there is not currently a Gateway VIP configured, see Integrate on the Citrix site.
- Create a RADIUS authentication policy.
- Bind the RADIUS policy as the only primary policy to the gateway VIP.
- Log into the Citrix Gateway adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. interface with admin rights.
- Navigate to the Configuration tab
- From the Configuration page, select + Citrix Gateway + Policies + Authentication + RADIUS.
- In the main body configuration for RADIUS select the Servers tab.
- Click the Add button, as shown below.
- In the form that opens, complete all sections, selecting either Server Name or Server IP to use to define the server running the Okta RADIUS agent. The port number and secret key can be verified in the Okta RADIUS agent admin tool.
- Click on the Details (or More) drop down and verify Password Encoding is set to pap.
- The available group settings and attributes can be used for Citrix permissions if needed.
- Click OK to save the Server definition.
- Back in the RADIUS section, click on the Policies tab.
- Click on the Add button, as shown below.
- Give the policy a name. For the Server* drop down, select the Server Entry you just created.
- In the Expression window, enter ns_true for the value. This setting sets this policy to be active whenever it is bound to a VIP. You can create a more restrictive expression to allow for more control over when this RADIUS policy is used, as required by customer need.
- Click OK to save the policy.
- In the left hand tree, select Virtual Servers under the Citrix Gateway section.
- Locate the virtual server onto which you want to bind Okta RADIUS onto.
- Select the Edit button, as shown below.
- Scroll to the Authentication section and unbind any existing policies and close the Authentication sub-window.
- Back in the Virtual Server configuration screen, in the Authentication section, select the + (plus) on the right hand side of the section title, as shown below.
- In the Choose Policy option select RADIUS. In the Choose Type option select Primary, and then, click Continue, as shown below.
- In the Policy Binding section, click the > to select the RADIUS policy that you created in section 7, above. Click the radial button to the left of the policy and click OK (or Select).
- Set the Priority to 10 and click Bind, as shown below.
- Finally, in the Virtual Server configuration screen scroll to the end, and click Done, as shown below.
This completes the configuration, You can begin sign-in testing.
Your end usersEnd users are people in your org without administrative control. They can authenticate into apps from the icons on their My Applications home page, but they are provisioned, deprovisioned, assigned, and managed by admins.' experience should continue to be similar to before, except they will be prompted for an additional validation factor after the login with their AD credentials.
If they only have one MFA option setup, regardless of how many they have available to use they will only see that one active MFA after they login. Citrix Gateway does not allow for the setup of MFA methods.
If they have multiple MFA options currently setup, they will first be prompted with a request to select their authentication method. They should only enter the number corresponding to their preferred choice. They will then be prompted with that authentication choice to complete.
End User Experience: Single-choice MFA Authentication
- Navigate to your VPN URL.
- Enter the Okta username and password.
- Click Logon.
- Answer the Okta MFA challenge.
End User Experience – Multi-choice MFA Authentication
- Navigate to your VPN URL.
- Enter Okta username and password.
- Click Logon.
- Respond to the MFA Choice screen.
- Answer the chosen MFA challenge.
End User Experience – MFA Methods Validated and Supported
- Okta Verify Mobile App – Tested and validated.
- Google Authenticator mobile app – Tested and validated.
- SMS messaging – Tested and validated.
- Security Question – Tested and validated.
- Yubikey – Not yet tested.
See MFA for more information on multifactor authentication.
Citrix Gateway does not support a user’s first time Okta setup. All users using Okta MFA at Citrix gateway must first login to their Okta portal and configure their MFA. It is possible via Rewrite policies or CCS style sheet customizations to add links to the Gateway login page to direct first time users to their Okta login portal for initial registration.
Citrix Gateway also does not currently have a solution for self-service password reset. Using Rewrite policies or page customizations, a link can be added to the Gateway login page to direct a user that is unable to login, to their Okta tenant password reset page.