The main components of Single Sign-on are:
- The central store
- The Single Sign-on component of the Citrix AppCenter
- The Single Sign-on Plug-in
- The Single Sign-on Service (optional)
The Central Store
The central store is a centralized repository used by Single Sign-on to store and manage user and administrative data. User data includes user credentials, security question answers, and other user-focused data. Administrative data includes password policies, application definitions, security questions, and other wider-ranging data. When a user signs on, Single Sign-on compares that user’s credentials to those stored in the central store. As the user opens password-protected applications or Web pages, the appropriate credentials are drawn from the central store.
The Single Sign-on Component of the Citrix AppCenter
The Single Sign-on component of the Citrix AppCenter is the command center of Single Sign-on. Here, you configure how Single Sign-on works, which features are deployed, which security measures are used, and other important password-related settings.
The component has four main items, or nodes, in the left pane. Selecting a node displays the tasks specific to that node. These nodes are:
- User Configurations allow you to tailor particular settings for your users based on their geographic locations or business roles.
- Application Definitions provide the required information for the Single Sign-on Plug-in to supply user credentials to applications and to detect error conditions if they occur. Use the application definition templates supplied with Single Sign-on to speed this process or create your own customized definitions for applications that cannot use these templates.
- Password Policies control password length and the type and variety of characters used in both user-defined and automatically generated passwords. Password policies also let you specify characters to exclude from passwords and whether previous passwords can be reused. Creating password policies consistent with your company’s security policies ensures that Single Sign-on can manage password security appropriately.
- Identity Verification enables you to create security questions that provide an added layer of security to the Single Sign-on Plug-in. Security questions protect against user impersonation, unauthorized password changes, and unauthorized account unlocking. Users who enroll and answer your security questions can then verify their identity by providing the same answers when challenged. Once verified, users can perform self-service tasks on their account, such as resetting their primary password or unlocking their user account. Security questions can also be used for key recovery.
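The Password Policies node above lists the rules a policy expresses (length, character variety, excluded characters, no reuse of previous passwords) but not how they are applied. The following Python is an added illustration, not Citrix code and not the product's own implementation, of how such a policy is typically enforced against a user-chosen password and used to drive automatic password generation. The class name, field names, default values, hash parameters and the history format are all assumptions made for the example.

```python
"""Added example: enforcing a password policy of the kind described above
(length, character variety, excluded characters, no reuse of recent passwords)
and generating a compliant password. Not Citrix code; all names and defaults
are assumptions made for illustration."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """Policy settings; the field names and defaults are assumed for the example."""
    min_length: int = 12
    max_length: int = 64
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_symbols: int = 1
    excluded_chars: str = "\"'\\ "            # e.g. characters a target app rejects
    allowed_symbols: str = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
    history_depth: int = 5                    # recent passwords that may not be reused


HistoryEntry = Tuple[bytes, bytes]            # (salt, derived key) per old password
PBKDF2_ITERATIONS = 100_000                   # assumed; tune to your hardware


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stolen history cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def remember_password(history: Sequence[HistoryEntry], password: str,
                      policy: PasswordPolicy) -> List[HistoryEntry]:
    """Return a new history with this password appended and old entries aged out."""
    if policy.history_depth <= 0:
        return []
    salt = secrets.token_bytes(16)
    updated = list(history) + [(salt, _derive(password, salt))]
    return updated[-policy.history_depth:]


def was_used_before(history: Sequence[HistoryEntry], password: str) -> bool:
    """Constant-time comparison against every retained previous password."""
    return any(hmac.compare_digest(_derive(password, salt), digest)
               for salt, digest in history)


def violations(password: str, policy: PasswordPolicy,
               history: Sequence[HistoryEntry] = ()) -> List[str]:
    """List every rule the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if sum(c.isupper() for c in password) < policy.min_upper:
        problems.append(f"fewer than {policy.min_upper} uppercase letters")
    if sum(c.islower() for c in password) < policy.min_lower:
        problems.append(f"fewer than {policy.min_lower} lowercase letters")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        problems.append(f"fewer than {policy.min_digits} digits")
    if sum(not c.isalnum() for c in password) < policy.min_symbols:
        problems.append(f"fewer than {policy.min_symbols} symbols")
    excluded = sorted(set(password) & set(policy.excluded_chars))
    if excluded:
        problems.append("contains excluded characters: " + repr("".join(excluded)))
    if was_used_before(history, password):
        problems.append("reuses one of the previous passwords")
    return problems


def generate_password(policy: PasswordPolicy, history: Sequence[HistoryEntry] = (),
                      length: Optional[int] = None) -> str:
    """Build a random password that satisfies the policy, excluded characters included."""
    length = policy.min_length if length is None else length

    def allowed(chars: str) -> str:
        return "".join(c for c in chars if c not in policy.excluded_chars)

    upper, lower = allowed(string.ascii_uppercase), allowed(string.ascii_lowercase)
    digits, symbols = allowed(string.digits), allowed(policy.allowed_symbols)
    everything = upper + lower + digits + symbols
    rng = secrets.SystemRandom()
    for _ in range(100):                      # retries are cheap; reuse collisions are rare
        chars = ([secrets.choice(upper) for _ in range(policy.min_upper)]
                 + [secrets.choice(lower) for _ in range(policy.min_lower)]
                 + [secrets.choice(digits) for _ in range(policy.min_digits)]
                 + [secrets.choice(symbols) for _ in range(policy.min_symbols)])
        chars += [secrets.choice(everything) for _ in range(length - len(chars))]
        rng.shuffle(chars)                    # so the required classes are not positional
        candidate = "".join(chars)
        if not violations(candidate, policy, history):
            return candidate
    raise RuntimeError("could not satisfy the policy; check its settings")
```

Two design points matter for a deployment of this kind. The reuse check stores only salted, slow hashes of previous passwords, never the passwords themselves, so a copy of the history is not a copy of the credentials. And the generator draws every character from sets that already have the excluded characters removed, then validates the result with the same `violations` function used for user-chosen passwords, so the two paths cannot drift apart.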
The Single Sign-on Plug-in
The Single Sign-on Plug-in submits the appropriate credentials to the applications running on the user’s client device, enforces password policies, provides self-service functionality, and enables users to manage their credentials with the Manage Passwords window (formerly known as Logon Manager). In addition, the plug-in provides users with a wide array of features as determined by the administrative settings you make in the user configurations.
The Single Sign-on Service
The Single Sign-on Service runs on a Web server and provides the foundation for the optional features included in this release. Install the Single Sign-on Service if you plan to implement at least one of the following modules:
- Self-Service, which allows users to reset their Windows passwords and unlock their Windows accounts
- Data Integrity, which protects data from being compromised while in transit from the central store to the Single Sign-on Plug-in
- Key Management, which provides users with the capability to recover their secondary credentials when their primary password changes, either with automatic key recovery or after answering security questions with question-based authentication
- Provisioning, which allows you to use the Single Sign-on component of the Citrix AppCenter to add, remove, or update Single Sign-on user data and credential information
- Credential Synchronization, which synchronizes user credentials among domains using a Web service
If you are not implementing any of the modules listed above, do not install the Single Sign-on Service.