Single Sign-on - Citrix Single Sign-on provides password security and seamless access to Windows, web, and terminal emulator applications running in the Citrix environment. End users authenticate once and Single Sign-on automatically logs on to password-protected information systems, enforces password policies, and automates end user tasks, including password changes.
Single Sign-on Components - Single Sign-on consists of the following components:
- Central Store - This is a centralized repository, created as an NTFS network share or in Active Directory, that stores and manages end user and administrative data. End user data includes end user credentials and security question answers, while administrative data includes password policies, application definitions, and other wider-ranging data. Once an end user logs on, Single Sign-on compares that end user’s credentials to those stored in the central store. As the end user opens password-protected applications or web pages, the appropriate credentials are drawn from the central store.
- Single Sign-on Component of the Citrix AppCenter - This is the area of Citrix AppCenter where Single Sign-on features are configured. You can specify end user configurations, application definitions, password policies, and additional identity verification settings within this component of Citrix AppCenter.
- Single Sign-on Plug-in - This is the plug-in responsible for submitting the end user credentials to the applications running on the end user’s device, enforcing password policies, and providing self-service functionality. The Single Sign-on Plug-in is installed on each end user device and on the XenApp servers in the environment.
- Single Sign-on Service - This is an optional web service that uses Secure Sockets Layer (SSL) to encrypt the data shared by the Single Sign-on Service, the console, and the plug-in software. It uses a dedicated Web server to host the optional features included in Single Sign-on, which include self-service, data integrity, key management, provisioning, and credential synchronization. If you plan to implement any of these additional features, the Single Sign-on Service must be installed.
Note: The server that hosts the Single Sign-on Service contains highly sensitive end user-related information. Citrix recommends that you use a dedicated server and that you place the server in a physically secure location.
Single Sign-on Component Requirements - The following requirements must be met for each Single Sign-on component:
| Component | Software Requirement | Hardware Requirement |
| --- | --- | --- |
| Central Store | None | 30 KB disk space for each end user |
| Single Sign-on Component of the Citrix AppCenter | Microsoft .NET Framework 3.5 Service Pack 1 | 64 MB RAM |
| Single Sign-on Plug-in | Internet Explorer Enhanced Security Configuration disabled. Note: If left enabled, the Single Sign-on Plug-in does not respond to Web application definitions. | 10 MB RAM; 35 MB disk space (if optional features are installed); 25 MB disk space (if optional features are not installed) |
| Single Sign-on Service | Microsoft .NET Framework 3.5 Service Pack 1; ASP.NET | 128 MB RAM; 30 MB disk space |
Installing Single Sign-on -
- Create the central store. Ensure that the current server is part of the Active Directory domain, that the end user account that is installing the central store is a member of the Schema Administrators group and the Domain Administrators group, and that the Active Directory Schema Master is configured to allow updates. If the server you are extending the Active Directory schema from is not the domain controller, the Microsoft Windows utility Ldifde.exe must be installed on it before beginning this step or the installation will fail.
- Install Citrix AppCenter, which includes the Single Sign-on component.
Note: The Single Sign-on central store must be installed before you can successfully complete the Configure and run discovery wizard and use Single Sign-on.
- (Optional) Install the Single Sign-on Service. Before you install the Single Sign-on Service, ensure that the appropriate accounts and components are available to support the service. Also, because the service uses secure HTTP (HTTPS), the service requires a server authentication certificate for Secure Sockets Layer (SSL) communication with the console and Single Sign-on Plug-in.
- Install the Single Sign-on Plug-in on each end user device and on the XenApp servers in the environment.
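The prerequisites named in the steps above can be verified on each server before the installers are run. The following PowerShell script is an added example, not Citrix tooling; it assumes an elevated session on the server being prepared, and the registry paths it reads are Microsoft's documented locations for the .NET Framework 3.5 install state and the Internet Explorer Enhanced Security Configuration setting.

```powershell
# Added pre-flight check for the installation steps above (not Citrix tooling). Run
# elevated on the server being prepared and select the role(s) that server will take.
param(
    [switch]$CentralStore,  # step 1: extend the schema / create the central store
    [switch]$Console,       # step 2: Citrix AppCenter with the Single Sign-on component
    [switch]$Service,       # step 3: optional Single Sign-on Service (HTTPS)
    [switch]$PlugIn         # step 4: Single Sign-on Plug-in host
)
function Report($name, [bool]$ok, $detail) {
    '[{0}] {1}: {2}' -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $name, $detail
}
$cs = Get-WmiObject Win32_ComputerSystem
Report 'Active Directory domain membership' $cs.PartOfDomain $cs.Domain
if ($CentralStore) {
    # Group SIDs in the logon token: RID 512 = Domain Admins, RID 518 = Schema Admins
    $sids = [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
    Report 'Installing account is a Domain Admin' ([bool]($sids -match '-512$')) 'RID 512 group SID in token'
    Report 'Installing account is a Schema Admin' ([bool]($sids -match '-518$')) 'RID 518 group SID in token'
    # DomainRole 4/5 = domain controller; any other server needs Ldifde.exe for the schema extension
    $isDc = $cs.DomainRole -ge 4
    $ldifde = Test-Path (Join-Path $env:SystemRoot 'System32\ldifde.exe')
    Report 'Ldifde.exe present (required when not a DC)' ($isDc -or $ldifde) "DomainRole=$($cs.DomainRole) Ldifde=$ldifde"
    try {
        $master = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().SchemaRoleOwner.Name
        Report 'Schema Master located (confirm it allows schema updates)' $true $master
    } catch { Report 'Schema Master located' $false $_.Exception.Message }
}
if ($Console -or $Service) {
    # Documented Microsoft registry location for the .NET 3.5 install state (Install=1, SP=1 for SP1)
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
    Report '.NET Framework 3.5 SP1' ($ndp.Install -eq 1 -and $ndp.SP -ge 1) "Install=$($ndp.Install) SP=$($ndp.SP)"
}
if ($PlugIn) {
    # IE Enhanced Security Configuration (administrators); key absent on client OSes counts as disabled
    $esc = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    $v = (Get-ItemProperty $esc -ErrorAction SilentlyContinue).IsInstalled
    Report 'IE Enhanced Security Configuration disabled' ($v -ne 1) "IsInstalled=$v"
}
if ($Service) {
    # Unexpired certificate with a private key and the Server Authentication EKU (1.3.6.1.5.5.7.3.1)
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
            (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1')
    }
    Report 'SSL server authentication certificate available' ([bool]$certs) (($certs | ForEach-Object { $_.Subject }) -join '; ')
}
```

Group membership is read from the current logon token, so an account added to Schema Admins or Domain Admins must log on again before the check passes; a FAIL on the Ldifde.exe line is only relevant when the server is not a domain controller.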