Product Documentation

Planning for Optional Single Sign-on Service Features

Feb 06, 2011

The Single Sign-on Service is a Web service that uses Secure Sockets Layer (SSL) to encrypt the data shared by the Single Sign-on Service, the console, and the plug-in software. It uses a dedicated Web server to host the optional features included in Single Sign-on.

Install the Single Sign-on Service if you plan to implement one or more of the following modules:
  • Key Management
  • Data Integrity
  • Provisioning
  • Self-Service
  • Credential Synchronization
Important: The server that hosts the Single Sign-on Service contains highly sensitive user-related information. Citrix recommends that you use a dedicated server and that you place the server in a physically secure location.

Key Management

Key management allows users to log on to the network and have immediate access to applications managed by Single Sign-on without needing to verify their identities through question-based authentication (also known as automatic key management). To reduce security threats, automatic key management uses key splitting (the process of dividing a private key into two parts).

However, automatic key management does not protect against access by an unauthorized user or administrator impersonating a user because there is no “user secret” to protect the user’s network password. To help prevent this potential problem, implement automatic key management in combination with the Account Self-Service Module and question-based authentication.
Important: Depending on the security policy your organization implements, system administrators might be able to access passwords for applications managed by Single Sign-on. Check your organization’s security policy before allowing Single Sign-on to handle passwords that users want to keep completely private. Clearing automatic key management features in the Data Protection Methods setting in the user configuration can also help prevent this unauthorized access.

Data Integrity

The Data Integrity Module contains the public and private key files used for signing the data. It utilizes RSA public key cryptography to ensure that the plug-in software obtains configuration data provided by an authorized source only. The Data Integrity Module never distributes its private key.

After the console signs the data, the console sends both the data and the signature to the central store. The plug-in software receives the data and signature from the central store during synchronization. The plug-in software then contacts the Single Sign-on Service to obtain a copy of the public key it needs to verify the signature it received from the central store.

Install the Data Integrity Module if you want to ensure that data transmitted among the Single Sign-on components is provided by a trusted and authorized source. This module is optional and is designed for users who have non-trusted networks.

If the plug-in software is configured to use the Data Integrity Module, it never accepts configuration data that failed the data integrity check. If a check fails, the plug-in software logs the event and displays an error message telling users to contact their administrator directly. The plug-in software then defaults to previous configurations or returns to an offline state.

If you already implement a security framework that protects data in transit, such as IPsec (Internet Protocol Security) or SMB (Server Message Block) signing, you do not need to install the Data Integrity Module.


Provisioning (also known as credential provisioning) allows you to automate certain credential management processes. You can:
  • Add, modify, and delete credentials in the central store
  • Reset user credential information
  • Remove users and their application credentials from Single Sign-on

Credential provisioning is achieved by using information about your environment to create a template that you can use to add, remove, or change credential information in your central store.


You can configure the self-service features of Single Sign-on to allow your users to reset their primary password or unlock their Windows domain accounts without intervention by administrative or help desk staff. Depending on your needs, you can implement one or both of the self-service password reset and account unlock features securely in your Single Sign-on environment.
Note: You can use the Account Self-Service feature only in an Active Directory environment to allow your users to reset their primary password or unlock their Windows domain accounts.

These account features are protected by Question-Based Authentication to help ensure that your users are authorized to reset their passwords or unlock their accounts. With Account Self-Service enabled, users must enroll, a process that requires them to answer the security questions you create and select. These security questions are then presented to users when they need to reset their password or unlock their account. When the questions are answered correctly, users are allowed to reset their password or unlock their account.

Credential Synchronization

Credential synchronization (also known as account association) allows a user to log on to any application from one or more Windows accounts. Because Single Sign-on typically binds user credentials to a single account, the credential information is not automatically synchronized among multiple accounts that a user owns. However, administrators can configure Account Association to synchronize user credentials. Users with Account Association configured have access to all applications from any of their accounts in their Single Sign-on environment. When user credentials are changed, added, or removed from one account, the credentials are automatically synchronized with each of the user’s associated accounts.