Domain pass-through to Citrix Workspace using Okta as identity provider

You can achieve single sign-on to Citrix Workspace using Okta as the identity provider (IdP).

Prerequisites:

  • Citrix Cloud
    • Cloud Connectors

    Note: If you’re new to Citrix Cloud, define a Resource Location, and have the connectors configured. It’s recommended to have at least two cloud connectors deployed in production environments. For information on how to install Citrix Cloud Connectors, see Cloud Connector Installation.

    • Citrix Workspace
    • Federated Authentication Service (optional)
  • Citrix DaaS (formerly Citrix Virtual Apps and Desktops Service)
  • AD domain joined VDA or physical AD joined devices
  • Okta Tenant
    • Okta IWA Agent (Integrated Windows Authentication)
    • Okta Verify (Okta Verify can be downloaded from the app store) (optional)
  • Active Directory
  1. Deploy the Okta AD Agent:
    1. In the Okta Admin portal, click Directory > Directory Integrations.
    2. Click Add Directory > Add Active Directory.
    3. Review the installation requirements by following the workflow, which covers the Agent Architecture and Installation Requirements.
    4. Click the Set Up Active Directory button and then click Download Agent.
    5. Install Okta AD Agent onto a Windows server by following the instruction provided in Install the Okta Active Directory agent.

      Note:

      Make sure that the prerequisites mentioned in Active Directory integration prerequisites are met before installing the agent.

  2. Set up Integrated Windows Authentication (IWA):
    1. On the Okta Admin portal, click Security and then Delegated Authentication.
    2. Scroll down to the On-prem Desktop SSO part on the page that loads and click Download Agent.
    3. Set up the Routing Rules for IWA. For more information, see Configure Identity Provider routing rules.
  3. Launch the Okta customer portal.

    Note:

    • When you install Okta IWA Agent and the status is enabled, you can sign in from a Windows Domain joined device. This configuration also jumps past the login and directs you to the IWA login page and passes the user credentials. My Workspace Sign-in
    • For more information on how to troubleshoot any issues, see Install and configure the Okta IWA Web agent for Desktop single sign-on.
  4. Sign in to Citrix Cloud at https://citrix.cloud.com and enable Okta as the IdP. For information, see Tech Insight: Authentication - Okta in the Citrix Tech Zone documentation.

    Note:

    You can sign in from either the Citrix Workspace app or browser, both provides the pass-through experience as per the Tech Zone documentation.

  5. To achieve SSO to virtual apps and desktops, you can either deploy FAS or configure the Citrix Workspace app.

    Note:

    Without FAS, you’re prompted for the AD user name and password. For information on how to enable FAS, see Enable Federated Authentication Service in Configuring Single sign-on to Workspace app. If you aren’t using FAS, Configure Citrix Workspace app to support SSO.

Domain pass-through to Citrix Workspace using Okta as identity provider

In this article