Okta and Citrix Workspace

I have spent some time recently testing the Okta preview and Citrix Workspace experience. It's now possible to bring more identities to Citrix Cloud, and Okta is one of the newest options in Citrix Cloud / Identity and Access Management. It's currently in tech preview. I wanted to show you how I configured it and what the experience was like. There is also a good blog from Citrix: https://www.citrix.com/blogs/2019/05/22/citrix-supports-identity-choice-with-okta-integration/

Here are some of my prerequisites:

Before I configured Okta as an IDP, I set up my on-prem AD to sync with Okta via the Okta Agent on my Active Directory. I tested and checked to ensure that my on-premises AD accounts synced correctly with Okta.

In order to configure Okta, we must log in to the correct Okta admin console: https://yourname-admin.okta.com/admin/

Choose the option for Security

Now choose API from the Security drop-down list

Create a token under the API setting, giving it a name and clicking Create Token

Copy and paste the details for use shortly. (We need this token value to connect to the Citrix Cloud platform.)

Now let's pop over to the Citrix Cloud console and choose the option for Identity and Access Management

You can see the identity options available when using Citrix Cloud. Craig has just completed a blog on configuring Citrix as an IDP, which is available in our blog feed. https://citrixie.com/2019/10/23/citrix-workspace-with-on-premises-citrix-gateway-as-idp/

Choose Authentication, and Okta (tech preview) and click connect.

This is where we connect to the Okta URL.

Add the Okta URL that users access: yourcompany.okta.com

Now it's time to paste the API token we saved earlier into the Okta API Token dialog box. Now pop back over to Okta, and let's leave this page open.

Choose the Applications option.

Choose the option to add an application

Create a new application

Give the application a name; in my case I used “Citrix Cloud to Okta”, for example. We now need to add the login redirect URLs

On the first dialog box, add in https://accounts.cloud.com/core/login-okta

On the second dialog box, add your own tenant name from Citrix Cloud: https://youcompany.cloud.com (you can find this in the Citrix Cloud console, under Workspace Configuration \ Access, as shown below).

Once the redirect URLs are added, click save.

We now need to edit this newly created application to make some additional changes. Click on the edit button

Once the dialog box opens, choose all the “Allowed grant types” check boxes

Scroll to the end of the dialog box to see the client credentials. Keep these values for pasting into our Citrix Cloud Okta connection very soon.

Click on the Citrix Cloud to Okta application, choose the option on the right-hand side and click assign to groups. Choose “everyone”

You will now see the option for everyone in groups for the application.

Navigate to the profile editor under the Directory drop-down list

Choose the Okta profile and click on profile under the actions section.

Click Add attribute and fill in the details shown below for three settings.




Add the cip_sid as below and click save

Add the cip_upn as below and click save

Add the cip_oid as below and click save

Navigate to directory integrations and choose your Active directory that is configured with Okta.

Click on the option for settings

Scroll to the bottom, go to the attribute mappings and click on Edit Mappings

Now let's map the newly created attributes in the profile mappings dialog box. This maps the AD setting to Okta and the Okta attribute to AD.

Navigate back to the Citrix Cloud console and input the client ID and client secret to complete the connection to Okta. Click on test and finish, and it should be successful.

Navigate to Workspace Configuration. Note how FAS is enabled. This allows for seamless login to desktops. Please see my blog on MYCUGC on configuring cloud FAS. https://www.mycugc.org/blogs/wendy-gay/2019/07/23/citrix-cloud-citrix-workspace-experience-and-feder

Choose the option for Okta
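As an added example (not part of the original post and not Citrix or Okta tooling), the Python check below audits the Okta-side settings from this walkthrough offline: the two login redirect URIs and the three cip_ attributes. It assumes JSON shaped like Okta's application and user-schema API responses; the sample documents and the `yourcompany` tenant are constructed placeholders.

```python
# Added example: offline audit of the Okta settings this walkthrough configures.
# Assumption: input dicts follow the shape of Okta's Apps API and user-schema
# API responses. The sample data below is constructed, not from a real org.

REQUIRED_ATTRS = ("cip_sid", "cip_upn", "cip_oid")
CITRIX_LOGIN_URI = "https://accounts.cloud.com/core/login-okta"


def audit_okta_for_citrix(app, schema, workspace_url):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    oauth = app.get("settings", {}).get("oauthClient", {})
    registered = [u.rstrip("/") for u in oauth.get("redirect_uris", [])]
    expected = [CITRIX_LOGIN_URI, workspace_url.rstrip("/")]
    for uri in expected:
        if uri not in registered:
            findings.append(f"missing redirect URI: {uri}")
    for uri in registered:
        if uri not in expected:
            # Any extra redirect target widens where logins can be sent.
            findings.append(f"unexpected redirect URI: {uri}")
    custom = (schema.get("definitions", {})
                    .get("custom", {})
                    .get("properties", {}))
    for name in REQUIRED_ATTRS:
        if name not in custom:
            findings.append(f"missing custom attribute: {name}")
    return findings


# Constructed sample input with two deliberate mistakes.
SAMPLE_APP = {
    "label": "Citrix Cloud to Okta",
    "settings": {"oauthClient": {"redirect_uris": [
        "https://accounts.cloud.com/core/login-okta",
        "http://yourcompany.cloud.com",  # wrong scheme, so it will not match
    ]}},
}
SAMPLE_SCHEMA = {"definitions": {"custom": {"properties": {
    "cip_sid": {"type": "string"},
    "cip_upn": {"type": "string"},  # cip_oid was never added
}}}}

if __name__ == "__main__":
    for finding in audit_okta_for_citrix(
            SAMPLE_APP, SAMPLE_SCHEMA, "https://yourcompany.cloud.com"):
        print(finding)
```
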

Now let's see what it looks like for an end user.
