Citrix Endpoint Management

Authentication with Okta through Citrix Cloud

Citrix Endpoint Management supports authentication with Okta credentials through Citrix Cloud. This authentication method is available only to users enrolling in MDM through the Citrix Secure Hub.

Devices enrolling in MAM can’t authenticate using Okta credentials through Citrix Cloud. To use Citrix Secure Hub with MDM+MAM, configure Citrix Endpoint Management to use NetScaler Gateway for MAM enrollment. For more information, see NetScaler Gateway and Citrix Endpoint Management.

Citrix Endpoint Management uses the Citrix Cloud service, Citrix identity, to federate with Okta. Citrix recommends that you use the Citrix identity provider instead of a direct connection to Okta.

Citrix Endpoint Management supports authentication with Okta for the following platforms:

  • iOS and macOS devices not enrolled in the Apple Business Manager or Apple School Manager
  • iOS and macOS devices enrolled in the Apple Business Manager
  • Android Enterprise devices (preview), for BYOD and fully managed modes

Authentication with Okta through Citrix Cloud has these limitations:

  • Isn’t available for Citrix Endpoint Management local accounts.
  • Doesn’t support authentication through Okta for enrollment invitations. If you send users an enrollment invitation that has an enrollment URL, users authenticate through LDAP instead of Okta.

Prerequisites

  • Okta user credentials
  • User groups in the Active Directory must match the user groups at Okta.
  • User names and email addresses in the active directory must match the user names and email addresses at Okta.
  • Citrix Cloud account with Citrix Cloud Connector installed for directory service synchronization.
  • NetScaler Gateway. Citrix recommends that you enable certificate-based authentication for a full single sign-on experience. If you use LDAP authentication on the NetScaler Gateway for MAM registration, end users experience a dual authentication prompt during enrollment. For more information, see Client certificate or certificate plus domain authentication.
  • In the enrollment profile for Android Enterprise, set Allow users to decline device management to Off. If users decline device management, they can’t enroll using an identity provider to authenticate. For more information, see Enrollment security.

Configure Citrix Cloud to use Okta as your identity provider

To configure Okta in Citrix Cloud, see Connect Okta as an identity provider to Citrix Cloud.

Configure Citrix identity as the IdP type for Citrix Endpoint Management

This configuration applies only to users enrolling through Citrix Secure Hub. After you configure Azure Active Directory in Citrix Cloud, configure Citrix Endpoint Management as follows:

  1. In the Citrix Endpoint Management console, go to Settings > Identity Provider (IDP) and then click Add.

  2. On the Identity Provider (IDP) page, configure the following:

    IdP configuration screen

    • IDP Name: Type a unique name to identify the IdP connection that you are creating.
    • IDP Type: Choose Citrix Identity Provider.
    • Authentication Domain: Choose the Citrix Cloud domain. If you aren’t sure which one to choose, your domain appears on the Citrix Cloud Identity and Access Management > Authentication page.
  3. Click Next. In the IDP Claims Usage page, configure the following:

    IdP configuration screen

    • User Identifier type: This field is set to userPrincipalName. Make sure that you configure all users with the same identifier in your on-premises Active Directory and at Okta. Citrix Endpoint Management uses this identifier to map users on the identity provider with on-premises Active Directory users.
    • User Identifier string: This field is automatically filled.

After this configuration, Citrix Secure Hub users who are domain-joined can use Citrix Secure Hub to sign in with their Okta credentials. Citrix Secure Hub uses client certificate authentication for MAM devices.

Citrix Secure Hub authentication flow

Citrix Endpoint Management uses the following flow to authenticate users with Okta as an IdP on devices enrolled through Citrix Secure Hub:

  1. A user starts Citrix Secure Hub.
  2. Citrix Secure Hub passes the authentication request to Citrix identity, which passes the request to Okta.
  3. The user types their user name and password.
  4. Okta validates the user and sends a code to Citrix identity.
  5. Citrix identity sends the code to Citrix Secure Hub, which sends the code to the Citrix Endpoint Management server.
  6. Citrix Endpoint Management gets an ID token by using the code and secret, and then validates the user information that’s in the ID token. Citrix Endpoint Management returns a session ID.
Authentication with Okta through Citrix Cloud