Connect Okta as an identity provider to Citrix Cloud

Citrix Cloud supports using Okta as an identity provider to authenticate subscribers signing in to their workspaces. By connecting your Okta organization to Citrix Cloud, you can provide a common sign-in experience for your subscribers to access resources in Citrix Workspace.

After you enable Okta authentication in Workspace Configuration, subscribers have a different sign-in experience. Selecting Okta authentication provides federated sign-in, not single sign-on. Subscribers sign in to workspaces from an Okta sign-in page, but they may have to authenticate a second time when opening an app or desktop from Citrix DaaS (formerly Citrix Virtual Apps and Desktops service). To enable single sign-on and prevent a second logon prompt, you need to use the Citrix Federated Authentication Service with Citrix Cloud. For more information, see Connect Citrix Federated Authentication Service to Citrix Cloud.

Prerequisites

Cloud Connectors

You need at least two (2) servers in your Active Directory domain on which to install the Citrix Cloud Connector software. Cloud Connectors are required for enabling communication between Citrix Cloud and your resource location. At least two Cloud Connectors are required to ensure a highly available connection with Citrix Cloud. These servers must meet the following requirements:

  • Meet the requirements described in Cloud Connector Technical Details.
  • Do not have any other Citrix components installed, are not Active Directory domain controllers, and are not machines critical to your resource location infrastructure.
  • Are joined to your Active Directory (AD) domain. If your workspace resources and users reside in multiple domains, you must install at least two Cloud Connectors in each domain. For more information, see Deployment scenarios for Cloud Connectors in Active Directory.
  • Are connected to a network that can contact the resources that users access through Citrix Workspace.
  • Are connected to the Internet. For more information, see System and Connectivity Requirements.

For more information about installing Cloud Connectors, see Cloud Connector Installation.

Okta domain

When connecting Okta to Citrix Cloud, you must supply the Okta domain for your organization. Citrix supports the following Okta domains:

  • okta.com
  • okta-eu.com
  • oktapreview.com

You can also use Okta custom domains with Citrix Cloud. Review the important considerations for using custom domains in Customize the Okta URL domain on the Okta web site.

For more information about locating the custom domain for your organization, see Finding Your Okta Domain on the Okta web site.

Okta OIDC web application

To use Okta as an identity provider, you must first create an Okta OIDC web application with client credentials you can use with Citrix Cloud. After you create and configure the application, note the Client ID and Client Secret. You supply these values to Citrix Cloud when you connect your Okta organization.

To create and configure this application, see the following sections in this article:

  • Create an Okta OIDC web app integration
  • Configure the Okta OIDC web application

Workspace URL

When creating the Okta application, you must supply your Workspace URL from Citrix Cloud. To locate the Workspace URL, select Workspace Configuration from the Citrix Cloud menu. The Workspace URL is shown on the Access tab.

Important:

If you modify the workspace URL later on, you must update the Okta application configuration with the new URL. Otherwise, your subscribers might experience issues with logging off from their workspace.

Okta API token

Using Okta as an identity provider with Citrix Cloud requires an API token for your Okta organization. Create this token using a Read-Only Administrator account in your Okta organization. This token must be able to read the users and groups in your Okta organization.

To create the API token, see Create an Okta API token in this article. For more information about API tokens, see Create an API Token on the Okta website.

Important:

When you create the API token, make a note of the token value (for example, copy the value temporarily to a plain text document). Okta displays this value only once, so you might create the token just before you perform the steps in Connect Citrix Cloud to your Okta organization.

Sync accounts with the Okta AD agent

To use Okta as an identity provider, you must first integrate your on-premises AD with Okta. To do this, you install the Okta AD agent in your domain and add your AD to your Okta organization. For guidance for deploying the Okta AD agent, see Get started with Active Directory integration on the Okta web site.

Afterward, you import your AD users and groups to Okta. When importing, include the following values associated with your AD accounts:

  • Email
  • SID
  • UPN
  • OID

Note:

If you are using Citrix Gateway service with Workspace, you don’t need to synchronize your AD accounts with your Okta organization.

To synchronize your AD users and groups with your Okta organization:

  1. Install and configure the Okta AD agent. For complete instructions, refer to the following articles on the Okta website:
  2. Add your AD users and groups to Okta by performing a manual import or an automated import. For more information about Okta import methods and instructions, refer to Manage Active Directory users and groups on the Okta website.

Create an Okta OIDC web app integration

  1. From the Okta management console, under Applications, select Applications.
  2. Select Create App Integration.
  3. In Sign in method, select OIDC - OpenID Connect.
  4. In Application type, select Web Application. Select Next.
  5. In App Integration Name, enter a friendly name for the app integration.
  6. In Grant type, select Authorization Code (selected by default).
  7. In Sign-in redirect URIs, enter https://accounts.cloud.com/core/login-okta.
  8. In Sign-out redirect URIs, enter your Workspace URL from Citrix Cloud.
  9. Under Assignments, in Controlled access, select whether to assign the app integration to everyone in your organization, only groups that you specify, or to assign access later.
  10. Select Save. After you save the app integration, the console displays the application configuration page.
  11. In the Client Credentials section, copy the Client ID and Client Secret values. You use these values when you connect Citrix Cloud to your Okta organization.

Configure the Okta OIDC web application

In this step, you configure your Okta OIDC web application with the settings required for Citrix Cloud. Citrix Cloud requires these settings to authenticate your subscribers through Okta when they sign in to their workspaces.

  1. (Optional) Update client permissions for the implicit grant type. You might choose to perform this step if you prefer to allow the least amount of privilege for this grant type.
    1. From the Okta application configuration page, on the General tab, scroll to the General Settings section and select Edit.
    2. In the Application section, in Grant type, under Client acting on behalf of a user, clear the Allow Access Token with implicit grant type setting.
    3. Select Save.
  2. Add application attributes. These attributes are case-sensitive.
    1. From the Okta console menu, select Directory > Profile Editor.
    2. Select the Okta User (default) profile. Okta displays the User profile page.
    3. Under Attributes, select Add attribute.
    4. Enter the following information:
      • Display Name: cip_email
      • Variable Name: cip_email
      • Description: AD User Email
      • Attribute Length: Select Greater than and then enter 1.
      • Attribute Required: Yes
    5. Select Save and Add Another.
    6. Enter the following information:
      • Display Name: cip_sid
      • Variable Name: cip_sid
      • Description: AD User Security Identifier
      • Attribute Length: Select Greater than and then enter 1.
      • Attribute Required: Yes
    7. Select Save and Add Another.
    8. Enter the following information:
      • Display Name: cip_upn
      • Variable Name: cip_upn
      • Description: AD User Principal Name
      • Attribute Length: Select Greater than and then enter 1.
      • Attribute Required: Yes
    9. Select Save and Add Another.
    10. Enter the following information:
      • Display Name: cip_oid
      • Variable Name: cip_oid
      • Description: AD User GUID
      • Attribute Length: Select Greater than and then enter 1.
      • Attribute Required: Yes
    11. Select Save.
  3. Edit attribute mappings for the application:
    1. From the Okta console, select Directory > Profile Editor.
    2. Locate the active_directory profile for your AD. This profile might be labelled using the format myDomain User, where myDomain is the name of your integrated AD domain.
    3. Select Mappings. The User Profile Mappings page for your AD domain appears and the tab for mapping your AD to Okta User is selected.
    4. In the Okta User User Profile column, locate the attributes you created in Step 2 and map as follows:
      • For cip_email, select email from the User Profile column for your domain. When selected, the mapping appears as appuser.email.
      • For cip_sid, select objectSid from the User Profile column for your domain. When selected, the mapping appears as appuser.objectSid.
      • For cip_upn, select userName from the User Profile column for your domain. When selected, the mapping appears as appuser.userName.
      • For cip_oid, select externalId from the User Profile column for your domain. When selected, the mapping appears as appuser.externalId.
    5. Select Save Mappings.
    6. Select Apply updates now. Okta starts a job to apply the mappings.
    7. Sync Okta with your AD.
      1. From the Okta console, select Directory > Directory Integrations.
      2. Select your integrated AD.
      3. Select the Provisioning tab.
      4. Under Settings, select To Okta.
      5. Scroll to the Okta Attribute Mappings section and then select Force Sync.
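Before you switch workspace authentication to Okta, it is worth confirming that synced users actually carry the four cip_* attributes the mappings above populate, and that the OIDC app from the previous section still has the expected grant type and redirect URIs: a user with an empty cip_sid or cip_upn cannot be matched to an AD account and will fail sign-in. The following Python check is an added example, not Citrix or Okta code; it takes Okta user profile dictionaries and an `oauthClient` settings block of the shape the Okta Apps API returns (assumed), with constructed sample records.

```python
import re

# Custom Okta User profile attributes this article has you create and map
# from AD; each must be present and longer than one character.
REQUIRED_ATTRS = ("cip_email", "cip_sid", "cip_upn", "cip_oid")
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+$")  # email and UPN share this shape
# cip_oid is only checked for presence: the serialized form of the AD GUID
# depends on the directory integration (assumption, not from the article).
FORMATS = {"cip_sid": re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$"),
           "cip_upn": ADDR_RE, "cip_email": ADDR_RE}
# Sign-in redirect URI this article has you enter in the OIDC app.
CITRIX_SIGNIN_URI = "https://accounts.cloud.com/core/login-okta"

def check_profile(profile):
    """Return the problems found in one user's profile dict (empty == OK)."""
    problems = []
    for attr in REQUIRED_ATTRS:
        value = profile.get(attr)
        if not isinstance(value, str) or len(value) <= 1:
            problems.append(f"{attr}: missing or too short")
        elif attr in FORMATS and not FORMATS[attr].match(value):
            problems.append(f"{attr}: unexpected format {value!r}")
    return problems

def users_blocking_cutover(users):
    """Map login -> problems for each user whose profile would fail sign-in."""
    return {u["login"]: p for u in users if (p := check_profile(u))}

def check_oidc_app(oauth_client, workspace_url):
    """Check an app's settings.oauthClient block (Okta Apps API shape, assumed)."""
    grants = oauth_client.get("grant_types", [])
    problems = []
    if "authorization_code" not in grants or "implicit" in grants:
        problems.append("grant_types must be authorization_code without implicit")
    if CITRIX_SIGNIN_URI not in oauth_client.get("redirect_uris", []):
        problems.append("Citrix Cloud sign-in redirect URI is missing")
    if workspace_url not in oauth_client.get("post_logout_redirect_uris", []):
        problems.append("sign-out redirect URI does not match the Workspace URL")
    return problems

# Constructed sample profiles (not real users); "login" is Okta's own field.
SAMPLE_USERS = [
    {"login": "alice@corp.example", "cip_email": "alice@corp.example",
     "cip_sid": "S-1-5-21-1111-2222-3333-1105", "cip_upn": "alice@corp.example",
     "cip_oid": "00000000-0000-0000-0000-000000000001"},
    {"login": "bob@corp.example", "cip_email": "bob@corp.example",
     "cip_sid": "S-1-5-32-544", "cip_upn": "", "cip_oid": "x"},
]
```

Running `users_blocking_cutover` over the profiles returned by the Okta Users API (with the read-only API token from this article) lists the accounts to fix before you enable Okta authentication.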

Create an Okta API token

  1. Sign in to the Okta console using a Read-Only Administrator account.
  2. From the Okta console menu, select Security > API.
  3. Select the Tokens tab and then select Create Token.
  4. Enter a name for the token.
  5. Select Create Token.
  6. Copy the token value. You supply this value when you connect your Okta organization to Citrix Cloud.

Connect Citrix Cloud to your Okta organization

  1. Sign in to Citrix Cloud at https://citrix.cloud.com.
  2. From the Citrix Cloud menu, select Identity and Access Management.
  3. Locate Okta and select Connect from the ellipsis menu.
  4. In Okta URL, enter your Okta domain.
  5. In Okta API Token, enter the API token for your Okta organization.
  6. In Client ID and Client Secret, enter the client ID and secret from the OIDC web app integration you created earlier. To copy these values from the Okta console, select Applications and locate your Okta application. Under Client Credentials, use the Copy to Clipboard button for each value.
  7. Click Test and Finish. Citrix Cloud verifies your Okta details and tests the connection.

After the connection is verified successfully, you can enable Okta authentication for workspace subscribers.

Enable Okta authentication for workspaces

  1. From the Citrix Cloud menu, select Workspace Configuration > Authentication.
  2. Select Okta.
  3. When prompted, select I understand the impact on the subscriber experience.
  4. Select Save.

After switching to Okta authentication, Citrix Cloud temporarily disables workspaces for a few minutes. When workspaces are re-enabled, your subscribers can sign in using Okta.
