XenMobile: How to Enable Okta as IDP for Enrollment with XenMobile

Objective

The latest version of XenMobile Server adds a feature that lets Okta act as the identity provider (IDP) for the XenMobile server.

To achieve this, you as an admin need to set up the following.

1. Okta AD Agent Integrating with Enterprise Active Directory.

2. User Attribute Mapping in Okta.

3. Secure Hub Application Registration with Okta.

4. Client Attribute Mapping in Okta.

5. Managing Okta as IDP in XenMobile Server.


Instructions
Pre-requisites

This document is prepared assuming that:

· You have your domain registered with Okta.
· You have admin access to the Okta portal.
· You have both NetScaler and XenMobile Server talking to the same Active Directory.
· You have a XenMobile environment up and running with certificate-only authentication enabled.
· You have an Active Directory service/admin account to sync users from AD to Okta.

Note: All screenshots in this document are for representational purposes only.

Okta AD Agent Integrating with Enterprise Active Directory
1. Log in to the Okta admin portal.

Note: This portal address/access is given to you by Okta and is unique to your enterprise.

2. After login, click Admin.

3. In the admin dashboard, click Directory > Directory Integrations.

4. Under Directory Integrations, from the Add Directory drop-down, select the directory server that your enterprise has.

Note: In this case, my enterprise directory server is Active Directory, so I have selected Active Directory.

5. Go through the described pre-requisites and click “Setup Active Directory”. Set the installation folder path and click Install.

6. As a first step, download the agent using the “Download Agent” link.

Note: Once you download the agent, make sure you install it on the Windows domain member server (as mentioned in the pre-requisites in step 5).

7. Run the agent installation file as an administrator and click Next.

8. Set the installation folder path and click Install.

10. In the Domain text box, provide your enterprise domain name and click Next.

11. Select the “Use an alternate account that I specify” radio button, provide the existing service account details and click Next.

Note: Alternatively, you can select Create or Use the OktaService account, depending on your requirement. In this case I chose an alternate account that I already have.

12. If you do not wish to use a proxy server, click Next.

Note: Otherwise, check the Use proxy check box to configure a proxy server in the AD Agent.

13. Select the appropriate radio button based on your Okta account type, provide the subdomain and click Next.

14. You will now be redirected to the Okta portal for the subdomain you provided. Enter the admin credentials and click Sign In.

15. Click Allow Access.

16. Once the AD Agent is registered with Okta, the installation completes.

17. Once the installation is completed, you can see the AD Agent running.

User Attribute Mapping in Okta
1. Once the enterprise domain is registered with Okta, you can view it under Directory Integrations. Click on your enterprise domain.

2. Under the enterprise domain, click Settings.

3. On the Settings tab, you can see the AD Agent status.

In the Import and Account Settings section, select the required OUs and groups and set the Okta username format to User Principal Name (UPN).
You can leave all other settings at their defaults or modify them as per your organizational needs.

Scroll down and click Save Settings.

4. Click Directory > Profile Editor.

5. Click Okta and edit the profile.

6. Under Profile Editor, click Custom > Add Attribute.

7. Here we will add two custom attributes.
First, add the UPN attribute as shown below and click Save.

Display Name : User Principal Name
Variable Name : upn

8. Now add the SID attribute as shown below and click Save.

Display Name : OnPrem AD Object SID
Variable Name : onprem_sid

9. Click Custom to verify the added custom attributes.

10. Now click Directory > Profile Editor.

11. Click Directories and edit your enterprise Active Directory profile.

12. Under Profile Editor, click Map Attributes.

13. Map appuser.userName to upn and appuser.objectSid to onprem_sid using the arrow drop-down.

14. After mapping, verify that both mappings are shown, then scroll down and click Save Mappings.

Secure Hub Application Registration with Okta
1. In the Okta admin portal, click Applications.

2. Under Applications, click Add Application.

3. Under Add Application, click Create New App.

4. In the Create a New Application Integration pop-up window, select Native app as the Platform and click Create.

5. Under General Settings, provide Citrix Secure Hub as the Application Name and proceed to the next step.

6. Under Configure OpenID Connect, click Add URI to provide the redirect URIs.

7. Provide the Redirect URI as com.citrix.Secure Hub://oauth/redirect_uri and click Finish.

8. On the General Settings tab, under Allowed Grant Types, check the Authorization code and Refresh token check boxes. From the Client Credentials section, note the Client ID for this application.

Note: The Client ID collected here is used in XMS (XenMobile Server) when configuring Okta as the IDP.


Client Attribute Mapping in Okta
1. In the Okta admin portal, click Directory > Profile Editor.

2. Under Profile Editor, click Apps. Select the Secure Hub profile created in the previous step and edit it.

3. Under the Secure Hub profile you created, click Map Attributes.

4. Select the entry for mapping “userName” and click “Override with mapping”.

5. Choose the “user.upn” attribute and map it.

Note: If SID-based mapping is desired, substitute “onprem_sid” for “upn” above.

6. Click Applications and select the Secure Hub application you created in the previous step.

7. Click Groups and select the required group that needs access.

Configuring Okta as Identity Provider in XenMobile Server
1. Log in to the XenMobile server using a browser.
Go to Settings > Authentication and click Identity Provider (IDP).

2. Under Identity Provider (IDP), click Add.

3. · Provide the IDP Name (enter a name of your choice)
· Select the IDP Type as Generic from the drop-down
· Provide the Open ID Connect Discovery Point URL as https://<Okta_FQDN>/.well-known/openid-configuration

Scroll down and click Next.

Note: Other details are automatically pre-populated after you provide the Tenant ID.

4. Under Secure Hub, provide the Client ID collected in the previous section. Click Next.

5. Under IDP Claims Usage, select userPrincipalName as the User Identifier type from the drop-down and change the User Identifier String from ${id_token}.upn to ${id_token}.preferred_username.

6. Validate the summary and click Save.

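
As an added check that is not part of this Citrix article, the following Python script validates a discovery document of the kind XenMobile fetches from the Okta_FQDN URL in step 3 against the grant types chosen during the Secure Hub registration and the preferred_username claim used in step 5, and shows why the User Identifier String has to point at preferred_username rather than upn. The discovery document, its endpoints and the id_token payload are constructed samples, not data from a real tenant.

```python
import base64
import json
import re

# Constructed sample of an Okta OpenID Connect discovery document (not captured from a
# live tenant). XenMobile reads this from https://<Okta_FQDN>/.well-known/openid-configuration.
SAMPLE_DISCOVERY = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "claims_supported": ["sub", "email", "preferred_username", "name"],
}

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc, okta_fqdn):
    """Return a list of problems with the discovery document; empty means usable."""
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in doc]
    # The issuer must be the tenant the discovery URL was built from, otherwise
    # tokens minted by a different issuer could be presented at enrollment.
    if doc.get("issuer") != f"https://{okta_fqdn}":
        problems.append("issuer does not match Okta_FQDN")
    # Secure Hub was registered with the Authorization code and Refresh token grants.
    for grant in ("authorization_code", "refresh_token"):
        if grant not in doc.get("grant_types_supported", []):
            problems.append(f"grant type {grant} not advertised")
    if "preferred_username" not in doc.get("claims_supported", []):
        problems.append("preferred_username claim not advertised")
    return problems


def make_unsigned_token(payload):
    """Build an unsigned header.payload. compact token for offline testing only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none'})}.{seg(payload)}."


def decode_jwt_payload(token):
    """Decode the payload segment of a compact JWT (no signature verification here)."""
    payload_b64 = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))


def resolve_user_identifier(template, payload):
    """Resolve a XenMobile-style '${id_token}.<claim>' string against a decoded id_token."""
    match = re.fullmatch(r"\$\{id_token\}\.(\w+)", template)
    if not match:
        raise ValueError(f"unsupported User Identifier String: {template}")
    return payload.get(match.group(1))
```

Because the Secure Hub app profile maps userName to user.upn (Client Attribute Mapping, step 5), the UPN arrives in the id_token as preferred_username; a template that still reads ${id_token}.upn resolves to nothing.
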
End User Enrollment Experience on iOS Device
1. On your iOS device, download Secure Hub from the App Store. Launch Secure Hub, provide the enrollment FQDN and click Next.

3. On the “Enroll Your iPhone” popup, tap Yes, Enroll.

4. Secure Hub is now redirected to the Okta login screen. Enter the enterprise credentials and click Sign in.

5. On successful authentication, the “Enrollment in progress” status is displayed.

6. The certificate and profile are pushed to the device. The end user has to install the enrollment certificate and profile.

7. Once enrollment is completed, the user is asked to set a Citrix PIN for Secure Hub.

8. After setting the Citrix PIN, the user can view and access the entitled apps.