Product documentation
Citrix Endpoint Management™
View PDF

Authentication with Okta through NetScaler Gateway for MAM enrollment

September 6, 2025
Contributed by: 
C S K

Citrix Endpoint Management supports authentication with Okta credentials through NetScaler Gateway. This authentication method is available only for users enrolling in MAM through Citrix Secure Hub.

Prerequisites

To configure Citrix Endpoint Management to use Okta through NetScaler Gateway as an identity provider (IdP) for devices enrolled with MAM, make sure that the following prerequisites are met:

  • Configure Citrix Endpoint Management with Okta through Citrix Cloud as IdP for devices enrolled with MDM. For more information about configuring Okta for MDM, see Authentication with Okta through Citrix Cloud.
  • Enable the following relevant feature flags depending on the platform respectively:
    • iOS:
      • iOS-V3Form-MAM
      • iOS-SAMLAuth-MAM
    • Android:
      • Android-V3Form-MAM
      • Android-SAMLAuth-MAM

    Note:

    To enable this feature, contact your support team.

  • Download and install the latest version of Citrix Secure Hub.
  • Make sure that the Okta service is available for your organization and the relevant users and groups are created or imported to Okta.

Configure NetScaler Gateway in Citrix Endpoint Management

  1. Sign in to the Citrix Endpoint Management console and then click the Settings Settings icon.

  2. Click NetScaler Gateway under Server.

  3. Enable the Authentication toggle button.

    Enable NetScaler Gateway Authentication toggle button

  4. Make sure that the Logon Type of the gateway is the Identity provider.

  5. Click Save.

Prepare on-premises NetScaler Gateway

  1. If you do not have an on-premises NetScaler Gateway configured for Citrix Endpoint Management, then do the following steps:

    1. In the Citrix Endpoint Management console. click the Settings Settings icon.

    2. Click NetScaler Gateway under Server.

    3. Click Edit.

    4. Click the Logon Type drop-down menu and select Domain only.

      log on type as Domain only

    5. Click Export Configuration Script.

      Download Export Configuration Script The Export Configuration Script is downloaded.

    6. Click the Logon Type drop-down menu and select Identity provider.

      Update Logon Type as Identity Provider

    7. Click Save.

    8. Open the downloaded zip file and extract the files from it.

    9. Run the scripts in the extracted .txt files to prepare the on-premises NetScaler Gateway.

      Extract the zip file information

  2. Sign in to the Citrix ADC management console and then navigate to NetScaler Gateway > Virtual Servers.

  3. Click the gateway relevant to your Citrix Endpoint Management setup.

  4. Unbind any existing authentication policies on the on-premises NetScaler Gateway.

Configure Okta

  1. Sign in to Okta as administrator.

  2. Click Applications > Applications > Browse App Catalog.

    Browse App Catalog at Okta

  3. Type NetScaler Gateway in the search bar under Browse App Integration Catalog and then select NetScaler Gateway (SAML, SWA).

    Search NetScaler Gateway in Browse App Integration Catalog

  4. Click Add Integration.

    NetScaler Gateway Add Integration

  5. Enter the relevant name in the Application label field.

  6. Enter the gateway virtual server URL in the Login URL field and then click Next.

    NetScaler Gateway general settings

    Note:

    The URL entered in the Login URL field must be the same as the NetScaler Gateway URL for Citrix Endpoint Management settings.

  7. Under Sign-On Options Required > Sign on methods, select SAML 2.0.

    NetScaler Gateway - SAML 2.0

  8. Click View Setup Instructions and follow the instructions provided in the page to create the SAML policy in the Citrix® on-premises gateway admin console.

    NetScaler Gateway SAML - View Set up Instructions

    Note:

    • After installing the CA certificate while configuring NetScaler Gateway versions 11.1 or later, create a SAML action. To create SAML action, navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Actions > SAML Actions. Click Add and fill the information as provided in the preceding page. Don’t follow the navigation provided in the page that is, Netscaler Gateway > Policies > Authentication > SAML > Servers.
    • Also, don’t follow the steps provided to create SAML policy as those steps are using classic policy. We are using advanced policy now. Do the following step 9 to create a SAML policy using an advanced policy.

  9. Create a corresponding SAML policy for the SAML action, and bind the policy to the authentication virtual server as follows:

    1. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies and click Add.

    2. On the Create Authentication Policy page, provide the following details:

      • Name - Specify a name for the SAML policy.
      • Action Type - Select SAML as the authentication action type.
      • Action - Select the SAML server profile to bind the SAML policy with.
      • Expression - Displays the name of the rule or expression that the SAML policy uses to determine if the user must authenticate with the SAML server. On the text box, set the value rule = true for the SAML policy to take effect and the corresponding SAML action to be run.

    3. Bind the SAML policy to the VPN virtual server and link the VPN virtual server to the authentication virtual server through an authentication profile. For more information about the binding procedure, see Bind the authentication policy.

  10. Create a AAA virtual server by using To set up an authentication virtual server by using the GUI.

  11. Configure the AAA virtual server by using Configure the authentication virtual server.

  12. Create and configure the authentication profile by using Authentication profiles.

  13. Bind the authentication profile with the Gateway virtual server and save all the configurations.

  14. After creating the SAML policy in the Citrix on-premises gateway admin console, click Done.

    Now, you can see two applications for Citrix Endpoint Management integration that is, a web application for Citrix Cloud and a SAML application for Citrix Endpoint Management MAM authentication.

  15. Assign the relevant users and groups to the SAML application that you created.

Now, Okta is added as an identity provider for devices enrolled with MAM and you can authenticate them using Okta.

Expected behavior

The following example is using an Android device:

  1. On your mobile device, open the Citrix Secure Hub app.

    Citrix Secure Hub app icon

  2. Provide the required permissions.

  3. On the sign-in page, enter the credentials provided by your organization and then tap Next.

    Citrix Secure Hub Sign in page

    You are redirected to the Okta sign in page.

  4. On the Okta sign in page, enter your credentials and then tap Sign in.

    Okta Sign in page

  5. On the Let’s set up your work profile page, tap Accept & continue.

    Lets setup your work profile page

  6. Create the pin for the Citrix Secure Hub app and confirm the same.

    Citrix Secure Hub pin

    You are successfully redirected to the Citrix Secure Hub home page.

Authentication with Okta through NetScaler Gateway for MAM enrollment
September 6, 2025
Contributed by: 
C S K
September 6, 2025
Contributed by: 
C S K

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.