Configure Citrix Gateway to interoperate with Okta via RADIUS

The Citrix Gateway integrates with Okta via RADIUS or SAML 2.0. Using the Okta RADIUS Agent allows for authentication, including support for MFA to happen directly at the Citrix Gateway login page. For authentication, the agent translates RADIUS authentication requests from Citrix Gateway into Okta API calls that provide for user authentication.

This guide details how to configure Citrix Gateway to use the Okta RADIUS Server Agent.

This is an Early Access feature. To enable it, contact Okta Support.

Note

Note

To integrate using SAML 2.0:

  1. In Okta, navigate to Applications > Applications> Add Application, search for Citrix Gateway SAML ,
  2. Click Add Application and add the Citrix Gateway SAML app in.

For information on how to configure the Citrix Gateway for SAML 2.0 see Configure SAML 2.0 for Citrix NetScaler Gateway.

Topics

Before you begin

Before installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity

Source Destination Port/Protocol Description
Okta RADIUS Agent Okta Identity Cloud TCP/443
HTTP
Configuration and authentication traffic
Client Gateway Okta RADIUS Agent UDP/1812 RADIUS (Default, may be changed in RADIUS app install and configuration) RADIUS traffic between the gateway (client) and the RADIUS Agent (server)

See Citrix Gateway supported versions, clients, features and factors for a complete list of supported version, factor and related information.

Typical workflow

Task

Description

Download the RADIUS agent
Install the Okta RADIUS Agent.
  • Install either the Windows or Linux RADIUS agents as appropriate for your environment.
Configure application
Configure gateway
  • Using the Citrix Gateway configuration tool, configure the Citrix Gateway.
Configure optional settings

Additional considerations

  • Citrix Gateway does not support a user’s first time Okta setup. All users using Okta MFA at Citrix gateway must first login to their Okta portal and configure MFA. It is possible via Rewrite policies or CCS style sheet customizations to add links to the Gateway login page to direct first time users to their Okta login portal for initial registration.
  • Citrix Gateway also does not currently have a solution for self-service password reset. Using Rewrite policies or page customizations, a link can be added to the Gateway login page to direct a user that is unable to login, to their Okta tenant password reset page.

Related topics