Configure Citrix Netscaler gateway
Configure Citrix Netscaler to use the Okta RADIUS Server agent.
You can integrate Citrix Gateway with Okta using RADIUS or SAML 2.0. Using the Okta RADIUS Agent allows authentication, including multifactor authentication (MFA), to occur at the Citrix Gateway login page. The agent translates RADIUS authentication requests from the Citrix Gateway into Okta API calls that authenticate the user.
To integrate using SAML 2.0:
- In the Admin Console, go to .
- Click Browse App Catalog.
- Search for Citrix Gateway and select the matching app that supports SAML and SWA.
- Click Add Integration.
Before you begin
See Citrix Gateway supported versions, clients, features, and factors.
Meet the following network connectivity requirements before you install the Okta RADIUS agent:
Source | Destination | Port/Protocol | Description |
---|---|---|---|
Okta RADIUS Agent | Okta Identity Cloud | TCP/443 HTTP | Configuration and authentication traffic. |
Client Gateway | Okta RADIUS Agent | UDP/1812 RADIUS (Default, you can change this when you install and configure the RADIUS app) | RADIUS traffic between the gateway (client) and the RADIUS agent (server). |
Limitations
Enroll only a single Okta Verify device. Adding more Okta Verify devices can cause undefined or unexpected behavior.
If you've migrated a RADIUS-configured org from Classic Engine and you configure the Okta Verify authenticator with the number challenge, the challenge may be presented to RADIUS users even though it's not supported. To prevent this, enable the Early Access feature Disable number matching challenge for RADIUS. See Enable self-service features.
Typical workflow
Task | Description |
---|---|
Download the RADIUS agent | In the Admin Console, go to . Download the appropriate Okta RADIUS Agent for your environment. For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices. |
Install the Okta RADIUS Agent. | Install Okta RADIUS server agent on Windows |
Configure application | In your Okta org, configure the Citrix Gateway application. |
Configure gateway | Use the Citrix Gateway configuration tool to Configure Citrix Gateway. |
Configure optional settings | Configure optional settings (for example, vendor-specific attributes). |
Other considerations
- Citrix Gateway doesn't support first-time Okta setup for users. All users using Okta MFA at Citrix Gateway must first sign in to their Okta portal and configure MFA. You can use rewrite policies or CSS style sheet customizations to add links to the Citrix Gateway login page that direct first-time users to their Okta login portal for initial registration.
- Citrix Gateway doesn't feature a self-service password reset. You can use rewrite policies or page customizations to add a link to the Gateway login page that directs a user to their Okta tenant password reset page.