HOW TO INTEGRATE CITRIX VIRTUAL APPS & DESKTOP WITHIN OKTA


As remote work becomes the norm, organizations are increasingly relying on virtual application delivery. When it comes to balancing security with ease of access, Okta is a popular choice for identity and access management. But integrating Citrix Virtual Apps and Desktops (formerly XenApp and XenDesktop) into Okta can present a few obstacles—especially when users haven’t yet authenticated through Citrix Gateway.

In this step-by-step guide, we’ll show you how to seamlessly publish Citrix applications in the Okta dashboard so that they appear alongside your SaaS apps—no matter the sign-on path.

What You Need to Know Before You Start

Before jumping into configuration, be aware of the following:

  • Accessing traditional Citrix-published apps requires Citrix NetScaler (aka Citrix Gateway) and StoreFront.
  • Using SAML authentication can disrupt single sign-on to Windows app sessions.
  • Citrix solves this with Federated Authentication Service (FAS), which uses a virtual smart card to restore SSO. We recommend checking out Carl Stalhood’s guide for a walkthrough on setting up FAS.

Step 1: Configure SAML in Citrix ADC

Okta provides a built-in Citrix Gateway app for easy SAML configuration. Use this to:

  • Set up the SAML integration
  • Follow the provided documentation to configure the SAML Server/Action in Citrix ADC

Step 2: Create a Citrix App Tile in Okta

To make a Citrix app visible on the Okta dashboard:

1. Use an Okta Bookmark App.

2. In Citrix StoreFront, go to Manage Receiver for Web Sites.

3. Click “Get Shortcuts” to reveal user-specific app URLs.

4. Swap the hostname with your Citrix Gateway address.

5. Paste the modified URL into the Bookmark App in Okta and assign an appropriate icon.

Important: This URL works only if the user is already authenticated via Citrix Gateway.

Step 3: Handle URL Fragment Loss

Here’s the catch: URLs from StoreFront contain a fragment (#)—like this:

https://citrixgatewayurl.mylab.com/Citrix/StoreWeb/#/launch/AHEAD%20Demo%20Desktop/…

When users are redirected to the login page, that fragment is lost because it isn’t sent to the server. This causes the app shortcut to break.

The Fix:

Change # to %23 in the URL used in the Bookmark App. This ensures the fragment is preserved during redirects and stored correctly in the NSC_TASS cookie.

Example:

/Citrix/StoreWeb/%23/launch/AHEAD%20Demo%20Desktop/…

Step 4: Add Responder Policies in Citrix Gateway

To ensure that users land on the correct page post-login, set up two responder policies.

Policy 1: Restore Fragment Identifier

add responder action RES-ACT-CheckTassCookie respondwith q{"HTTP/1.1 302 Moved Temporarily\r\nSet-Cookie: NSC_TASS=" + HTTP.REQ.COOKIE.VALUE("NSC_TASS").BEFORE_REGEX(re/%23/) + ";Path=/;Secure;HttpOnly\r\nLocation:" + HTTP.REQ.COOKIE.VALUE("NSC_TASS").BEFORE_REGEX(re/%23/) + "#" + HTTP.REQ.COOKIE.VALUE("NSC_TASS").AFTER_REGEX(re/%23/) + "\r\n\r\n"}

add responder policy RES-POL-CheckTassCookie "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").CONTAINS(\"%23\") && HTTP.REQ.URL.PATH.ENDSWITH(\"Web/\")" RES-ACT-CheckTassCookie

Policy 2: Fix “Page Not Found” Errors

add responder action RES-ACT-CheckLaunchPath redirect "HTTP.REQ.URL.PATH.BEFORE_STR(\"Web/\") + \"Web/#/launch\" + HTTP.REQ.URL.PATH.AFTER_STR(\"/launch\")" -responseStatusCode 302

add responder policy RES-POL-CheckLaunchPath "HTTP.REQ.URL.PATH.CONTAINS(\"/launch\")" RES-ACT-CheckLaunchPath

Bind the Policies to Citrix Gateway

bind vpn vserver citrixgatewayvserver -policy RES-POL-CheckTassCookie -priority 100 -gotoPriorityExpression END -type REQUEST

bind vpn vserver citrixgatewayvserver -policy RES-POL-CheckLaunchPath -priority 110 -gotoPriorityExpression END -type REQUEST
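
To check a bookmark URL before it goes into Okta, the following added example (not code from this article or from Citrix) models the string handling in Steps 2 through 4: building the %23 bookmark URL, what the server receives, and what each responder action would return. The StoreFront host, the trailing EXAMPLE-ID segment, and the assumption that NSC_TASS holds the originally requested path are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

GATEWAY_HOST = "citrixgatewayurl.mylab.com"  # gateway hostname from the article's example
# Constructed StoreFront shortcut; host and trailing ID are placeholders.
SHORTCUT = "https://storefront.example.internal/Citrix/StoreWeb/#/launch/AHEAD%20Demo%20Desktop/EXAMPLE-ID"

def bookmark_url(shortcut, gateway_host=GATEWAY_HOST):
    """Steps 2-3: swap the host for the gateway and encode '#' as %23."""
    p = urlsplit(shortcut)
    if not p.fragment:
        raise ValueError("shortcut has no fragment to preserve")
    return urlunsplit(("https", gateway_host, p.path + "%23" + p.fragment, p.query, ""))

def request_target(url):
    """What the browser puts on the request line: the fragment is never sent."""
    p = urlsplit(url)
    return p.path + ("?" + p.query if p.query else "")

def tass_redirect(nsc_tass, request_path):
    """Model of RES-ACT-CheckTassCookie; returns None when the policy would not match."""
    if "%23" not in nsc_tass or not request_path.endswith("Web/"):
        return None
    before, _, after = nsc_tass.partition("%23")  # split on the first %23
    return {"Location": before + "#" + after, "NSC_TASS": before}

def launch_redirect(request_path):
    """Model of RES-ACT-CheckLaunchPath; returns None when the policy would not match."""
    if "/launch" not in request_path or "Web/" not in request_path:
        return None  # the "Web/" guard is this model's choice, not part of the policy
    before = request_path.split("Web/", 1)[0]
    after = request_path.split("/launch", 1)[1]
    return before + "Web/#/launch" + after

if __name__ == "__main__":
    url = bookmark_url(SHORTCUT)
    print("bookmark:", url)
    print("server sees (raw shortcut):", request_target(SHORTCUT))
    print("server sees (bookmark):   ", request_target(url))
    # Assumption: after login NSC_TASS holds the originally requested path.
    print("policy 1:", tass_redirect(request_target(url), "/Citrix/StoreWeb/"))
    print("policy 2:", launch_redirect(request_target(url)))
```
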

Final Outcome

Once the above configuration is complete, users can:

  • Launch Citrix apps from the Okta dashboard, just like any SaaS app
  • Access these apps whether or not they’ve pre-authenticated through Citrix Gateway

Bonus: These responder policies can be adapted for use with other application dashboards, not just Okta.

Wrapping Up

This guide offers a streamlined path to modernize application publishing by integrating Citrix Virtual Apps and Desktops into Okta. With proper URL handling and Citrix Gateway policies, organizations can deliver secure, unified access to users—anytime, anywhere.

About the author

Joel Donaldson

Principal Technical Consultant
