This is a unique way to integrate Okta with NetScaler without configuring FAS.
Traffic Flow
- The external-facing Citrix URL will be provided to the vendor by the ABC-COMPANY Citrix team (this is very simple: just select the NetScaler module in Okta and enter the Internet-facing URL; it will populate all the required settings).
- URL-based configuration at Okta will be done by the vendor, Okta, or you.
- All configurations will be provided by the vendor, Okta, or you.
- The Okta certificate will be installed on the NetScaler.
- A SAML authentication server will be created using the information provided by Okta:
  - From the Configuration page, select NetScaler Gateway > Policies > Authentication > SAML.
  - Name: give the server an easy-to-understand name.
  - IDP Certificate Name: select the one you imported earlier.
  - Redirect URL*: enter the value from the View Setup Instructions page in Okta.
  - Single Logout URL: enter the value from the View Setup Instructions page in Okta.
  - User Field: this should be Name ID unless another identifier is being used. You can verify this by checking a SAML assertion from an Okta SAML test login; look for the login URL name used and you will find where it specifies the nameid-format.
  - Signing Certificate Name: enter the certificate for your Gateway VIP.
  - Issuer Name: enter your Gateway VIP URL.
  - Scroll down to the Signature Algorithm section.
  - Signature Algorithm: RSA-SHA256
  - Digest Method: SHA256
  - SAML Binding: POST
  - Click OK to save the server definition.
  - Back in the SAML section, select the Policies tab, then click Add.
  - Enter the following in the Create Authentication SAML Policy form:
  - Name: give the policy an easy-to-understand name.
  - Server*: use the drop-down menu to select the server entry you just created. Note that it may be selected by default if it is the only one.
  - Expression*: enter ns_true as the value. This makes the policy always active when bound to a VIP. A more restrictive expression can be created for more control over when this SAML policy is used, and should be based on the customer's needs.
  - Click OK to save the policy.
- In the left-hand tree, select Virtual Servers under the NetScaler Gateway section.
- Locate the virtual server you wish to bind Okta SAML to.
  - Click Edit.
  - Scroll down to the Authentication section, unbind any existing policies, and close the Authentication sub-window.
- Back in the Virtual Server configuration screen, in the Authentication section, select the + (plus) icon on the right-hand side of the section title.
- In the Choose Policy* option select SAML. In the Choose Type* option select Primary. Click Continue.
- In the Policy Binding section, click the > icon to select the SAML policy you created above. Click the radio button to the left of the policy and click OK (or Select).
- Set the Priority to 100 and click Bind.
- Back at the Virtual Server configuration screen, scroll to the end and click Done.
After this is completed, we need to make a change to this setup. In the setup of the SAML Server (Create Authentication SAML Server) we need to change one setting.
- You may have to click on a "More" option to see the "Two Factor" option.
- Bind the LDAP policy to the NSGW VIP. Make sure that you have already bound the SAML policy first, then bind the LDAP policy at the same priority level.
- This completes the configuration and you can now test logins.
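When testing logins, the assertion from an Okta test login is what tells you whether the User Field, Issuer Name and signing settings above line up. The script below is an added example (not part of the original post): it decodes a base64 SAMLResponse and pulls out the NameID, its nameid-format, the Destination and the Audience, and checks that the Destination points at your Gateway VIP. The embedded response, the gateway URL and the `/cgi/samlauth` path are constructed placeholders, not values from any real tenant.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of an Okta SAMLResponse (trimmed; a real one carries a full signature).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://gateway.example.com/cgi/samlauth">
  <saml:Issuer>http://www.okta.com/EXAMPLE-IDP-ID</saml:Issuer>
  <saml:Assertion>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://gateway.example.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def inspect_saml_response(response_b64, gateway_url):
    """Return the assertion fields that must match the NetScaler SAML server settings."""
    root = ET.fromstring(base64.b64decode(response_b64))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    issuer = root.find("saml:Issuer", NS)
    audience = root.find(".//saml:Audience", NS)
    destination = root.get("Destination") or ""
    return {
        "issuer": issuer.text if issuer is not None else None,
        # NameID is the value NetScaler reads when User Field is "Name ID".
        "name_id": name_id.text if name_id is not None else None,
        "nameid_format": name_id.get("Format") if name_id is not None else None,
        "destination": destination,
        # Audience should equal the Issuer Name configured on the SAML server (the Gateway VIP URL).
        "audience": audience.text if audience is not None else None,
        # Presence check only; NetScaler validates the signature against the imported IdP certificate.
        "assertion_signed": root.find(".//saml:Assertion/ds:Signature", NS) is not None,
        "destination_matches_gateway": destination.startswith(gateway_url),
    }
```

Paste the base64 SAMLResponse value from the browser's POST to the Gateway into `response_b64` in place of the sample.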
Now the Okta OIN app needs to be created using a template app, which will be created by the vendor/you; the ABC-COMPANY Citrix team needs to provide the NetScaler Gateway URL.
- To enable SSO, a responder policy needs to be created. Inputs for the responder policy will be provided by the vendor:
  - POST app embed link
  - Set the Sign On properties
- In the NetScaler configuration go to AppExpert, then Responder.
- An Action and a Policy need to be created as per the deployment instructions.
- Bind the responder policy to the NetScaler Gateway VIP.
*Note: ABC-Company and XYZ-Company are sample company names.