Configure Citrix NetScaler gateway

Configure Citrix NetScaler to use the Okta RADIUS Server agent.

You can integrate Citrix Gateway with Okta using RADIUS or SAML 2.0. Using the Okta RADIUS Agent allows for authentication (including multifactor authentication (MFA) support) to occur at the Citrix Gateway login page. For authentication, the agent translates RADIUS authentication requests from the Citrix Gateway into Okta API calls that provide for user authentication.

To integrate using SAML 2.0:

  1. In the Admin Console, go to Applications > Applications.
  2. Click Browse App Catalog.
  3. Search for Citrix Gateway and select the matching app that supports SAML and SWA.
  4. Click Add Integration.

See Configure SAML 2.0 for Citrix NetScaler Gateway.

Before you begin

See Citrix Gateway supported versions, clients, features, and factors.

Meet the following network connectivity requirements before you install the Okta RADIUS agent:

| Source | Destination | Port/Protocol | Description |
|---|---|---|---|
| Okta RADIUS Agent | Okta Identity Cloud | TCP/443 HTTP | Configuration and authentication traffic. |
| Client Gateway | Okta RADIUS Agent | UDP/1812 RADIUS (Default, you can change this when you install and configure the RADIUS app) | RADIUS traffic between the gateway (client) and the RADIUS agent (server). |
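
Added example (not Okta's or Citrix's code): a minimal RFC 2865 PAP client that can be run from the gateway's network segment to confirm that the agent answers on UDP/1812 and that the shared secret matches. The host, user, password, and secret are values you supply, and the sketch assumes the agent accepts PAP Access-Requests.

```python
import hashlib, hmac, os, socket, struct

REPLIES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden

def build_access_request(user: str, password: str, secret: bytes,
                         ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Access-Request (code 1) with User-Name (1) and User-Password (2)."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((1, user.encode()),
                             (2, hide_password(password.encode(), secret, authenticator))):
        attrs += bytes([attr_type, len(value) + 2]) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_reply(reply: bytes, request: bytes, secret: bytes) -> str:
    """Verify the Response Authenticator, then name the reply type."""
    if len(reply) < 20:
        raise ValueError("short reply")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        raise ValueError("reply does not match the request")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return REPLIES.get(code, f"code {code}")

def probe(host: str, user: str, password: str, secret: bytes,
          port: int = 1812, timeout: float = 5.0) -> str:
    """Send one Access-Request; a socket timeout means no UDP path to the agent."""
    request = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        reply, _ = sock.recvfrom(4096)
    return parse_reply(reply, request, secret)
```

Call `probe()` with a dedicated test account, because each call is a real sign-in attempt. A timeout points at the UDP/1812 path, while a `ValueError` about the Response Authenticator points at a shared-secret mismatch.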

Limitations

Enroll only a single Okta Verify device. Adding more Okta Verify devices can cause undefined or unexpected behavior.

If you've migrated a RADIUS-configured org from Classic Engine and you configure the Okta Verify authenticator with the number challenge, the challenge may be presented to RADIUS users even though it's not supported. To prevent this, enable the Early Access feature Disable number matching challenge for RADIUS. See Enable self-service features.

Typical workflow

| Task | Description |
|---|---|
| Download the RADIUS agent | In the Admin Console, go to Settings > Downloads. Download the appropriate Okta RADIUS Agent for your environment. For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices. |
| Install the Okta RADIUS Agent. | Install Okta RADIUS server agent on Windows. Install Okta RADIUS server agent on Linux. |
| Configure application | In your Okta org, configure the Citrix Gateway application. |
| Configure gateway | Use the Citrix Gateway configuration tool to Configure Citrix Gateway. |
| Configure optional settings | Configure optional settings (for example, vendor-specific attributes). |

Other considerations

  • Citrix Gateway doesn't support first-time Okta setup for users. All users using Okta MFA at Citrix Gateway must first sign in to their Okta portal and configure MFA. You can use rewrite policies or CSS style sheet customizations to add links to the Citrix Gateway login page to direct first-time users to their Okta login portal for initial registration.
  • Citrix Gateway doesn't feature a self-service password reset. You can use rewrite policies or page customizations to add a link to the Gateway login page that directs a user to their Okta tenant password reset page.
