XenMobile: How to Enable Okta as IDP for Enrollment with XenMobile -

Objective

With the latest version XenMobile server, you are provided with a new feature where an Okta can be the identity provider for the XenMobile server.

To achieve the above use case, you as an admin need to setup the following.

1. Okta AD Agent Integrating with Enterprise Active Directory.

2. User Attribute Mapping in Okta.

3. Secure Hub Application Registration with Okta.

4. Client Attribute Mapping in Okta.

5. Managing Okta as IDP in XenMobile Server.

Instructions

Pre-requisites

This document is prepared assuming that

·        You have your domain registered with Okta.
·        You have admin access to the Okta portal.
·        You have both NetScaler and XenMobile server talking to same Active Directory.
·        You have a XenMobile environment up and running enabled with Certificate only based authentication.
·        You have Active Directory Service/admin Account, to sync the users from AD to Okta.

Note: All screenshots in this document are for representational purposes only.

Okta AD Agent Integrating with Enterprise Active Directory

1.	Login to Okta admin portal. Note: This portal address/access will given to you by the Okta, which is unique for your enterprise.
2.	Post login, click on Admin.
3.	In admin Dash board, click on Directory > Directory Integrations.
4.	Under Directory Integrations, from the Add Directory Drop down, Select the Directory server that your enterprise has. Note: In this case, my enterprise Directory server is Active Directory, I have selected the Active Directory respectively.
5.	Go through the described pre-requisites and click on “Setup Active Directory”.Set the Installation folder path and Click Install.
6.	As a first step, Download the Agent using the “Download Agent” Link. Note: Once you download the Agent, make sure you install the same on the Windows domain member server. (as mentioned in Pre-Requisites in step 5).
7.	Run the Agent installation file as an administrator and click Next.
8.	Set the Installation folder path and click Install.
9.
10.	In the Domain text box, provide your enterprise Domain name and click Next.
11.	Select the Use an Alternate account that I specify radio button, provide the existing service account details and click Next. Note: Alternatively, you can select the Create or Use the OktaService account, depending your requirement. Here in this case I choose an Alternate account, which I already have.
12.	If you do not wish you use Proxy server click Next. Note: Else you can check the Use proxy check box to configure proxy server in AD Agent.
13.	Select the appropriate radio button, based on your Okta account type and provide the Subdomain, click Next.
14.	Now you will be re-directed to the Okta portal based on the subdomain that you have provided, enter the admin credentials and click Sign In.
15.	Click Allow Access.
16.	Once the AD Agent is registered with Okta, you will see that the installation will be completed.
17.	Once the installation is completed, you can see the AD Agent running.

User Attribute Mapping in Okta

1.	Once the enterprise domain is registered with Okta, you can view the same under Directory Integrations. Click on your enterprise domain.
2.	Under the enterprise domain click on Settings.
3.	From Settings tab, you can get to know the AD Agent status. From Import and Account Settings Section, select the required OU’s and Groups and set the Okta username format to User Principal Name(UPN). You can leave all other settings as default or you can modify them as per your organizational needs. Scroll down and click Save Settings.
4.	Click on Directory > Profile Editor
5.	Click on Okta and Edit the Profile.
6.	Under Profile Editor, click Custom > Add Attribute.
7.	Here we will add two custom flags. Firstly, we will add the UPN config as shown below and Click Save. Display Name : User Principal Name Variable Name : upn
8.	Now will add the SID Object as shown below and Click Save. Display Name : OnPrem AD Object SID. Variable Name : onprem_sid.
9.	Click on Custom to verify the added custom attribute.
10.	Now click on Directory > Profile Editor.
11.	Now Click on Directories and edit your enterprise Active Directory Profile.
12.	Under Profile Editor, Click on Map Attributes.
13.	Map appuser.userName to upn and appuser.objectSid to Onprem_sid using the Arrow drop down.
14.	Post mapping, you should see the mappings as below (as reference). Scroll down and click Save Mappings.

Secure Hub Application Registration with Okta

1.	In Okta admin portal, click on Applications.
2.	Under Applications, click Add Application.
3.	Under Add Application, click on Create New App.
4.	In the Create a New Application Integration pop up window, select the Platform as Native app and click Create.
5.	Under General Settings, Provide the Application Name as Citrix Secure Hub and proceed to next.
6.	Under Configure OpenID Connect, click Add URI to provide the Redirect URIs.
7.	Provide the Redirect URI as : com.citrix.Secure Hub://oauth/redirect_uri and click Finish.
8.	Under General Settings tab, For Allowed Grant Types check the Authorization code and Refresh token check boxes. And from the Client Credentials section note the Client ID for this application. Note: The Client ID that you have collected here will be used in XMS while managing Okta as IDP in XMS.

Client Attribute Mapping in Okta

1.	In Okta admin portal, Click on Directory > Profile Editor.
2.	Under Profile Editor, click on Apps. Select the Secure Hub Profile that we have created in the previous step and edit the same.
3.	Under the Secure hub that you have created, click on Map Attributes.
4.	Select entry for mapping “userName” and click “Override with mapping”.
5.	Choose “user.upn” attribute and map the attribute. Note: if SID based mapping is desired, instead of “upn” above, substitute “onprem_sid”.
6.	Click on Applications and select the Secure Hub application that you have created in the previous step.
7.	Click on Groups and Select the required group which needs access.

Configuring Okta as Identity Provider in XenMobile Server

1.	Login to the XenMobile server using a browser. Go to Settings > Authentication Click on the Identity Provider (IDP).
2.	Now under Identity Provide (IDP), click Add.
3.	· Provide the IDP Name (Enter a name of your choice) · Select the IDP Type as Generic from the dropdown · Provide the Open Id Connect Discovery Point URL as https://<Okta_FQDN>/.well-known/openid-configuration Scroll down and click Next. Note: Other details are automatically pre-populated after you provide the Tenant ID.
4.	Under Secure Hub, Provide the Client ID details which you have collected in the previous section. Click Next
5.	Under IDP Claims Usage, select the User Identifier type as userPrincipalName from the drop down and change the User Identifer Stringfrom ${id_token}.upn to ${id_token}.preferred_username
6.	Validate the Summary and click Save.

End User Enrollment Experience on iOS Device

1.	On your iOS device download Secure Hub from App Store. Launch Secure Hub, provide the enrollment FQDN and click Next.
3.	On “Enroll Your iPhone” popup, tap on Yes, Enroll
4.	Secure Hub will now be redirected to the Okta Login screen. Enter the enterprise credentials and click Sign in.
5.	On successful authentication, the Enrollment in progress status is displayed.
6.	Certificate and profile are pushed down to the device. The end user will have to install the Enrollment Certificate and Profile.
7.	Once the enrollment is completed, user will be asked to set a Citrix Pin for the Secure Hub.
8.	After setting the Citrix Pin, user will be able to view/access the apps entitled.