Applicable Products
- StoreFront 3.9
- StoreFront 3.11
Objective
This article illustrates how to configure StoreFront and OKTA for Windows Server 2016. This will demonstrate how to configure both StoreFront and OKTA using SAML metadata exchange.
Instructions
On the StoreFront server, run the PowerShell commands below to identify the Service Provider information:
- Open an elevated PowerShell and run the command asnp citrix* to load the Citrix modules.
- Once the modules are loaded, run the command below to fetch the Service Provider information.
```powershell
# Change this value for your Store
$storeVirtualPath = '/Citrix/Store1'
$auth = Get-STFAuthenticationService -Store (Get-STFStoreService -VirtualPath $storeVirtualPath)
# Service Provider entity ID configured for the store's SAML authentication
$spId = $auth.AuthenticationSettings['samlForms'].SamlSettings.ServiceProvider.Uri.AbsoluteUri
# Build the Service Provider endpoint URLs from the StoreFront host base URL
$acs = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + '/SamlForms/AssertionConsumerService')
$md = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + '/SamlForms/ServiceProvider/Metadata')
$samlTest = New-Object System.Uri $auth.Routing.HostbaseUrl, ($auth.VirtualPath + '/SamlTest')
# Double quotes so that the variables are expanded in the output
Write-Host "SAML Service Provider information:
Service Provider ID: $spId
Assertion Consumer Service: $acs
Metadata: $md
Test Page: $samlTest"
```
The sample output of the above command looks like this.
```
SAML Service Provider information:
Service Provider ID: https://storefront.example.com/Citrix/StoreAuth
Assertion Consumer Service: https://storefront.example.com/Citrix/StoreAuth/SamlForms/AssertionConsumerService
Metadata: https://storefront.example.com/Citrix/StoreAuth/SamlForms/ServiceProvider/Metadata
Test Page: https://storefront.example.com/Citrix/StoreAuth/SamlTest
```
Okta Configuration:
- In Okta, create a new application for the Web platform with SAML 2.0 enabled.
- Once the new application is created, follow the steps below to configure the SAML settings.
Note:
- The Single Sign On URL in the above step should be the Assertion Consumer Service URL from the StoreFront output.
- The Audience URI should be the Service Provider ID from the StoreFront output.
- The rest of the settings can be left at their defaults.
- In the next step, you can preview the SAML assertion by clicking the link shown in the image below.
- In the next step, click Finish to complete the Service Provider configuration in Okta.
- In the next step, click the Sign On tab and edit the application user format to reflect the AD User Principal Name.
- Also click Identity Provider Metadata to download the metadata file, which is used in the StoreFront configuration steps below.
- In the next step, assign to the application in Okta the users who will go through Okta to StoreFront.
Storefront Configuration:
- On the StoreFront server, enable SAML Authentication under Manage Authentication Methods in the StoreFront console.
- Open an elevated PowerShell and run the command below to import the Okta metadata file.
```powershell
Get-Module 'Citrix.StoreFront*' -ListAvailable | Import-Module
# Remember to change this with the virtual path of your Store.
$StoreVirtualPath = '/Citrix/Store'
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
# Import the Identity Provider settings from the Okta metadata file
Update-STFSamlIdPFromMetadata -AuthenticationService $auth -FilePath 'File path of the metadata file you downloaded from Okta'
```
Note:
- Change the $StoreVirtualPath value to match your Store.
- Also point the file path to the location where you saved the Okta metadata file.
- Now when you go to the StoreWeb, you should be redirected to the Okta page for sign-in.
Note: The above configuration will work with Receiver for Web.
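The metadata file imported above determines which Identity Provider and signing certificate StoreFront will trust, so it is worth inspecting before running Update-STFSamlIdPFromMetadata. The following is an added example, not part of the original article or of the StoreFront SDK: the function name Test-SamlIdpMetadata is hypothetical, and the sample metadata is constructed (deliberately flawed so that the checks report findings).

```powershell
# Added example: list what an IdP metadata file would make StoreFront trust.
function Test-SamlIdpMetadata {
    param([Parameter(Mandatory)][string]$MetadataXml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # do not resolve external entities or DTDs
    $doc.LoadXml($MetadataXml)
    $ns = New-Object System.Xml.XmlNamespaceManager $doc.NameTable
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $findings = New-Object System.Collections.Generic.List[string]
    $idp = $doc.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw 'No IDPSSODescriptor found: this is not IdP metadata.' }
    # Sign-in endpoints users will be redirected to
    $sso = foreach ($n in $idp.SelectNodes('md:SingleSignOnService', $ns)) {
        $loc = $n.GetAttribute('Location')
        if ($loc -notmatch '^https://') { $findings.Add("SSO endpoint is not HTTPS: $loc") }
        [pscustomobject]@{ Binding = $n.GetAttribute('Binding'); Location = $loc }
    }
    # Certificates that will be accepted for assertion signatures
    $certs = foreach ($n in $idp.SelectNodes("md:KeyDescriptor[not(@use) or @use='signing']//ds:X509Certificate", $ns)) {
        try {
            $raw  = [Convert]::FromBase64String(($n.InnerText -replace '\s', ''))
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (, $raw)
            if ($cert.NotAfter -lt (Get-Date)) { $findings.Add("Signing certificate expired: $($cert.Thumbprint)") }
            [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
        } catch {
            $findings.Add('Signing certificate could not be parsed.')
        }
    }
    if (-not $certs) { $findings.Add('No usable signing certificate in metadata.') }
    [pscustomobject]@{
        EntityId     = $doc.DocumentElement.GetAttribute('entityID')
        SsoEndpoints = @($sso); SigningCerts = @($certs); Findings = $findings
    }
}

# Constructed sample (not real Okta output): HTTP endpoint and placeholder certificate.
# For a real check, pass the downloaded file's contents: Get-Content -Raw -Path <file>
$sample = @'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://idp.example.test/constructed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-NOT-A-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
'@
(Test-SamlIdpMetadata -MetadataXml $sample).Findings
```

Compare the reported entity ID, endpoints and certificate thumbprint with what the Okta application's Sign On tab shows before importing the file.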
Additional Resources
References for Configuring FAS:
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-12/secure/federated-authentication-service.html
Disclaimer
Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.