Duo for NetScaler Web - OAuth with Duo Universal Prompt

Last updated: September 12th, 2025

Duo integrates with your on-premises NetScaler (formerly Citrix Gateway) to add two-factor authentication to NetScaler Gateway logins via advanced authentication policies. Duo supports inline user enrollment, self-service device management, and support for a variety of authentication methods — such as passkeys and security keys, Duo Push, or Verified Duo Push — in the Universal Prompt.

Overview

In this configuration, your NetScaler acts as an OAuth client and Duo acts as an OIDC/OAuth identity provider for two-factor authentication. After verifying a user's credentials against your primary authentication server, such as an Active Directory domain controller, your NetScaler then redirects the user to Duo's service for secondary authentication and policy verification in the interactive web-based Duo Universal Prompt.

Unlike Duo RADIUS configurations for NetScaler, there is no need to deploy any Duo software on your premises. Duo authentication via OIDC for NetScaler also does not require a Citrix Federated Authentication Services (FAS) deployment, which is necessary to deploy Duo Single Sign-On for NetScaler.

This solution supports password changes directly against your primary authentication server prior to Duo authentication.

Prerequisites

Use of Duo as an OIDC/OAuth provider for NetScaler requires the following:

NetScaler Advanced or Premium licensing. Verify your NetScaler license before continuing.
- Premium licenses were called Platinum licenses in some older NetScaler versions.
NetScaler firmware 14.1-29.63 or newer.
A working NetScaler virtual server authenticating against your preferred primary authentication server, typically an LDAP server action pointing to an Active Directory domain controller or LDAP directory server.
Direct outbound access from the NetScaler to Duo's cloud service via HTTPS/443.
DNS configured on the NetScaler so the NSIP can perform lookups and resolve your Duo account's API hostname (i.e. api-XXXXXXXX.duosecurity.com).
NTP configured on the NetScaler with a reachable time server so that the device's time is correct.
The URL for accessing NetScaler must be a valid HTTPS URL and port, using an RFC-1034-compliant hostname (not an IP address), with a maximum length of 1024 characters.

If you do not have the necessary NetScaler product license, or you cannot update your NetScaler software to a supported version, another option for Duo Universal Prompt support is to configure Duo Single Sign-On for NetScaler (requires a Citrix Federated Authentication Service (FAS) deployment).

If you cannot make use of either Duo as an OAuth provider or Duo Single Sign-On in your organization's NetScaler deployment, try Duo RADIUS Challenge Text Prompt for NetScaler nFactor which offers a text-based Duo prompt.

Learn more about the differences between Duo's NetScaler deployment configurations.

First Steps

Sign up for a Duo account.
Log in to the Duo Admin Panel and navigate to Applications → Application Catalog.
Locate the entry for NetScaler Web with the "2FA" label in the catalog. Click the + Add button to create the application, and get your Client ID, Client secret, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications with Duo and additional application options.
No active Duo users can log in to new applications until you grant access. Update the User access setting to grant access to this application to users in selected Duo groups, or to all users. Learn more about user access to applications. If you do not change this setting now, be sure to update it so that your test user has access before you test your setup.
This setting only applies to users who exist in Duo with "Active" status. This does not affect application access for existing users with "Bypass" status, existing users for whom the effective Authentication Policy for the application specifies "Bypass 2FA" or "Skip MFA", or users who do not exist in Duo when the effective New User Policy for the application allows access to users unknown to Duo without MFA.

Connectivity Requirements

This application communicates with Duo's service on SSL TCP port 443.

Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337.

Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.

Duo Universal Prompt

The Duo Universal Prompt provides a simplified and accessible Duo login experience for web-based applications, offering a redesigned visual interface with security and usability enhancements.

Universal Prompt	Traditional Prompt

The Duo NetScaler Web application supports the Universal Prompt by default, so there's no additional action required on your part to start using the newest authentication experience.

Activate Universal Prompt

Activation of the Universal Prompt is a per-application change. Activating it for one application does not change the login experience for your other Duo applications. Universal Prompt is already activated for new NetScaler Web applications at creation.

The "Universal Prompt" area of the application details page shows that this application's status is "Activation complete", with these activation control options:

Show traditional prompt: Your users experience Duo's traditional prompt via redirect when logging in to this application.
Show new Universal Prompt: (Default) Your users experience the Universal Prompt via redirect when logging in to this application.

The application's Universal Prompt status shows "Activation complete" both here and on the Universal Prompt Update Progress report.

Universal Prompt Info - Universal Prompt Activation Complete

For the time being, you may change this setting to Show traditional prompt to use the legacy experience. Keep in mind that support for the traditional Duo prompt ended for the majority of applications in March 2024. This option will be removed in the future.

Universal Update Progress

Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications. You can also activate the new prompt experience for multiple supported applications from the report page instead of visiting the individual details pages for each application.

Configure your NetScaler for Duo

The configuration steps you need to take on your NetScaler are:

Create an authentication profile with an OAuth policy and action for Duo two-factor.
Add your LDAP policy for primary authentication.
Update the NetScaler login schema.
Update and bind your traffic policy.

Please refer to the Step by Step configuration for Duo Universal Prompt documentation on Citrix Tech Zone and follow those instructions for adding Duo OIDC/OAuth authentication to your NetScaler logins, using the Client ID, Client secret, and API hostname information from the NetScaler Web application you created earlier when needed.

Be sure to save all the changes made to the NetScaler's running configuration when done.

Migration from Duo Authentication Proxy Solutions to Duo OAuth

If you currently protect your NetScaler logins with a Duo RADIUS or LDAP configuration featuring primary authentication at the Duo Authentication Proxy, please update your NetScaler authentication policies so that primary authentication requests route directly to your AD domain controller, LDAP directory server, or RADIUS server instead of passing through the Duo proxy.

If you had the Duo Authentication Proxy configured to handle both primary and secondary authentication with a single RADIUS server action and ad_client, then you will need to create a new NetScaler LDAP server pointing directly to your primary Active Directory domain controller or LDAP server during setup. If you want to do this ahead of time:

Log in to the NetScaler GUI as an administrator.
Navigate to Security → AAA - Application Traffic → Policies → Authentication → Advanced Policies → Actions → LDAP.
Click Add.
Enter the information for your AD or LDAP directory server, such as the hostname or IP, base DN, bind DN and password, etc.
Save the new LDAP server action and verify connectivity before continuing.

Learn more about configuring LDAP authentication in the NetScaler documentation.

Test Your Setup

To test your setup, go to the URL you normally use to log in to your NetScaler as a user in a browser window. After you complete primary authentication at the NetScaler, you'll be redirected to the Duo Prompt or Duo user enrollment. Completing Duo authentication returns you to the NetScaler to complete your login.

*Universal Prompt experience shown.

Grant Access to Users

If you did not already grant user access to the Duo users you want to use this application be sure to do that before inviting or requiring them to log in with Duo.

Troubleshooting

Need some help? Take a look at the NetScaler Frequently Asked Questions (FAQ) page or try searching our NetScaler Knowledge Base articles or Community discussions. For further assistance, contact Support.

Please see our FAQ if you are having an issue with existing iframe Duo web authentication after installing NetScaler firmware 14.1-29.63 to test Duo OAuth.

If your users experience issues with StoreFront logins failing after completing primary and secondary authentication at the NetScaler please see Duo Knowledge Base article 9044 for suggestions.