In this blog I will show you how to set up MFA on the Netscaler using SAML authentication, with OKTA as the IdP and the Netscaler as the Service Provider.

First of all we have to set up an OKTA tenancy. I am using the developer account, as it is pretty straightforward to sign up: you will get an email asking you to activate the account with your credentials and OKTA domain. Once done, log in to your OKTA tenancy using the OKTA domain name and the credentials provided in the email. I switch to the Classic UI as I am used to it.

We now need to sync our on-prem Active Directory information to OKTA so we can authenticate using AD credentials and assign AD users to applications. We have to download, install and configure the OKTA AD agent: click on Directory / Directory Integrations / Add Active Directory, download the OKTA AD Agent, copy it to a domain-joined machine on the internal network and complete the setup as per the instructions. You will get a choice of which OUs you want to sync users and groups from and which attributes to sync from the on-prem AD. I do an Import Now to do a full sync and confirm the user assignments.

We now need to search for the Netscaler SAML application within the OKTA applications and add it. I assign my AD users to the added application. I enable MFA from Security / Multifactor; I am using OKTA Verify with push notification as my MFA. Under the Citrix Netscaler application, under Sign On options, I create an MFA sign-on policy with a priority that requires MFA. Under Sign On options, under SAML 2.0, I take a copy of the SAML Identity Provider metadata URL, as we will use this for dynamic configuration on the Netscaler later.

That is all for the OKTA configuration; now on to the Netscaler configuration. I have created a non-routable AAA virtual server called AAA_VSRV_OKTA and have the Netscaler Gateway certificate bound to it. I have an authentication policy called auth_pol_saml_okta with the expression _valid, which uses the action auth_server_saml_okta. I am using the import metadata option with the identity provider metadata URL I copied from OKTA earlier. On the Netscaler Gateway virtual server I have removed all basic authentication policies and am using an authentication policy called auth_prof_saml_okta which is linked to the AAA vserver. On my session profile I have the SSO domain removed.

In the current setup we would get prompted for credentials when launching all apps and desktops, as SAML assertion tokens are not supported for logons to VDAs; only Kerberos, username and password, and logons using certificates are supported. So to fix this we need to install Citrix FAS, which is found on the XenDesktop media.

Once Citrix FAS is installed we need to copy the Citrix FAS admx and adml files to our central store in the SYSVOL. A new GPO needs to be created which enables Citrix FAS and sets the FAS server. This GPO must be linked to the Storefront servers and VDAs; I just link it at the top Citrix OU level. The GPO is being applied, as the FAS server is now specified.

We now need to deploy the certificate templates to our internal PKI: Step 1, certificate templates deployed to our CA. Setup is complete. If we now click on User Rules we can set which Storefront servers, VDAs and users can use FAS and this rule.

On our Storefront server we need to edit the authentication methods and add the NetBIOS domain name. We also have to fully delegate credential validation to the Netscaler Gateway. "Trust requests sent to the XML service" must be set to true. Finally, we need to enable FAS on our Storefront store.