Product Documentation

Single Sign-on Plug-in Software Deployment Scenarios

Apr 13, 2011

You can use Single Sign-on in environments that include XenApp hosted applications, locally installed applications, or both.

In a XenApp deployment, you install the Single Sign-on Plug-in software on each server in the XenApp farm that hosts applications requiring credential authentication. Users access these applications through Citrix connections. The plug-in software on the server determines the application type (Windows, Web, or terminal emulator) and retrieves the appropriate credentials from the local credential store in the user's profile.

You can also install a Single Sign-on Plug-in on each user device. For a XenApp deployment, see the considerations described below. If users run applications that are installed locally on their devices, the Single Sign-on plug-in must be installed on the user device to provide credentials and access to the local applications.

Regardless of whether the Single Sign-on Plug-in is installed on the user device, users can reregister answers to their security questions without being prompted, or synchronize credentials by using Account Association only by using published applications you can give them access to after installing the plug-in on a XenApp server.

Single Sign-on can be used with:
  • Access Gateway Advanced Edition (applications are available from XenApp through a web browser)
  • Citrix XenApp features:
    • Citrix Receiver for Windows
    • Citrix Offline Plug-in
    • Web Interface

Deploying the Single Sign-on Plug-in on User Devices in a XenApp Environment

In a XenApp environment, deciding whether or not to install or publish the Single Sign-on Plug-in on the user device depends on what you want users to be able to do. In all cases, credentials are submitted to published applications.
  • If you do not install the Single Sign-on Plug-in on the user device, users can:
    • Register answers for security questions when prompted
    • Store credentials automatically when prompted by Single Sign-on
    • Change the password for a program or Web site when prompted by Single Sign-on
  • If you publish the Manage Passwords application (LogonManager.exe, installed when the Single Sign-on Plug-in is installed), users can:
    • Register answers for security questions when prompted
    • Store credentials automatically when prompted by Single Sign-on
    • Change the password for a program or Web site when prompted by Single Sign-on
    • Edit, delete, or reveal passwords stored in Single Sign-on
  • If you install the Single Sign-on Plug-in on the user device, users can perform all available Single Sign-on tasks:
    • Register answers for security questions when prompted
    • Store credentials automatically when prompted by Single Sign-on
    • Change the password for a program or Web site when prompted by Single Sign-on
    • Edit, delete, or reveal passwords stored in Single Sign-on
    • Submit credentials manually, when not prompted by Single Sign-on
    • Add additional passwords for programs and Web sites already in Single Sign-on
    • Pause Single Sign-on, resume Single Sign-on, or determine whether Single Sign-on is paused
    • Use Account Self-Service