Citrix Endpoint Management

Authentication with Okta through Citrix Cloud

Endpoint Management supports authentication with Okta credentials through Citrix Cloud. This authentication method is available only to users enrolling in MDM through the Citrix Workspace app or Citrix Secure Hub. If Endpoint Management is Workspace enabled, users access resources from the Citrix Workspace app. If you don’t enable Citrix Workspace integration with Citrix Endpoint Management, users access resources from Secure Hub.

Devices enrolling in MAM can’t authenticate using Okta credentials through Citrix Cloud. To use Secure Hub with MDM+MAM, configure Endpoint Management to use Citrix Gateway for MAM enrollment. For more information, see Citrix Gateway and Endpoint Management.

Endpoint Management uses the Citrix Cloud service, Citrix identity, to federate with Okta. Citrix recommends that you use the Citrix identity provider instead of a direct connection to Okta.

Endpoint Management supports authentication with Okta for the following platforms:

  • iOS devices
  • Android Enterprise devices (Preview), for BYOD and fully managed modes
  • Android devices that run in the legacy Device Administration mode

Authentication with Okta through Citrix Cloud has these limitations:

  • Isn’t available for Endpoint Management local accounts.
  • Doesn’t support authentication through Okta for enrollment invitations. If you send users an enrollment invitation containing an enrollment URL, users authenticate through LDAP instead of Okta.

Prerequisites

  • Okta user credentials
  • User groups in Active Directory must match the user groups in Okta.
  • Uiser names and email addresses in active directory must match those in Okta.
  • Citrix Cloud account, with Citrix Cloud Connector installed for directory services synchronization
  • Citrix Gateway. Citrix recommends that you enable certificate-based authentication for a full single sign-on experience. If you use LDAP authentication on the Citrix Gateway for MAM registration, end users experience a dual authentication prompt during enrollment. For more information, see Client certificate or certificate plus domain authentication.
  • Secure Hub if Endpoint Management is not Workspace enabled.
  • Citrix Workspace app if Endpoint Management is Workspace enabled. For information on enabling Citrix Workspace integration, see Workspace configuration.
  • In enrollment profiles for Android Enterprise, set Allow users to decline device management to Off. If users decline device management, they can’t enroll using an identity provider to authenticate. For more information, see Enrollment security.

You can configure this feature with and without Workspace enabled.

Configuration if Endpoint Management is Workspace enabled

If you integrate Endpoint Management with Citrix Workspace, the general steps to configure authentication with Okta through Citrix Cloud are:

  1. Configure Citrix Cloud to use Okta as your identity provider.
  2. Configure Okta as the authentication method for Citrix Workspace.

To configure Citrix Cloud to use Okta as your identity provider and set up Okta as the authentication method for Citrix Workspace, see Connect Okta as an identity provider to Citrix Cloud.

After you complete the configuration, you can enroll user devices through the Citrix Workspace app.

Configuration if Endpoint Management is not Workspace enabled

If Citrix Workspace isn’t enabled for Endpoint Management, the general steps to configure authentication with Okta through Citrix Cloud are:

  1. Configure Citrix Cloud to use Okta as your identity provider.
  2. Configure Citrix identity as the IdP type for Endpoint Management.

Configure Citrix Cloud to use Okta as your identity provider

To configure Okta in Citrix Cloud, see Connect Okta as an identity provider to Citrix Cloud.

Configure Citrix identity as the IdP type for Endpoint Management

This configuration applies only to users enrolling through Secure Hub. After you configure Azure Active Directory in Citrix Cloud, configure Endpoint Management as follows.

  1. In the Endpoint Management console, go to Settings > Identity Provider (IDP) and then click Add.

  2. On the Identity Provider (IDP) page, configure the following:

    • IDP Name: Type a unique name to identify the IdP connection that you are creating.
    • IDP Type: Choose Citrix Identity Platform.
    • Authentication Domain: Choose Okta. This domain corresponds to your Identity provider domain on the Citrix Cloud Workspace Configuration > Authentication page.
  3. Click Next. In the IDP Claims Usage page, configure the following:

    • User Identifier type: By default, this field is set to userPrincipalName. Ensure that you configure all users with the same identifier in both your on-premises Active Directory and in Okta. Endpoint Management uses this identifier to map users on the identity provider with on-premises Active Directory users.
    • User Identifier string: This field is automatically filled.

After this configuration, Secure Hub users who are domain-joined can use Secure Hub to sign in with their Okta credentials. Secure Hub uses client certificate authentication for MAM devices.

Secure Hub authentication flow

Endpoint Management uses the following flow to authenticate users with Okta as an IdP on devices enrolled through Secure Hub:

  1. A user starts Secure Hub.
  2. Secure Hub passes the authentication request to Citrix identity, which passes the request to Okta.
  3. The user types their Okta user name and password.
  4. Okta validates the user and sends a code to Citrix identity.
  5. Citrix identity sends the code to Secure Hub, which sends the code to the Endpoint Management server.
  6. Endpoint Management obtains an ID token by using the code and secret and then validates the user information that’s in the ID token. Endpoint Management returns a session ID.
Authentication with Okta through Citrix Cloud