Product Documentation


Mar 29, 2011

You can use password policies to define rules that control the characteristics of users' stored passwords. These rules comprise password policies that you can apply to all users or to specific groups of applications as determined by your organization’s needs.

Note: Citrix XenApp provides policy rules that allow you to configure and control which users can access Single Sign-on when they connect to servers and published applications in the server farm. Despite the similar names, these two types of policies are not related.

Single Sign-on includes two standard password policies named Default and Domain. You can use these policies as is, copied, or modified to suit your enterprise policies and regulations. You cannot delete the Default and Domain policies.

When a user adds credentials to Manage Passwords window (formerly known as Logon Manager) for an application not defined by an administrator, Single Sign-on uses the Default policy to manage that application. If you want an application group to be treated as a domain password sharing group, apply the Domain policy to that application group.

Because Single Sign-on applies the Default password policy to user-added applications, configure the Default policy to be as broad as needed to accept passwords for those applications for which you allow passwords to be stored.

You can create as many policies as you need in your enterprise. For example, you can apply one policy for your domain sharing group, and create individual policies to apply to individual groups of applications to define the requirements further. With a password policy, you can:
  • Automate password changes for applications.
  • Implement security schemes that include complex passwords and application-specific passwords not visible to the users.
  • Define password expiration for applications, even if the application does not have a password expiration feature.
  • Prevent users from reusing passwords for the same application twice in a row.

Password Sharing Groups

Users might have a single password that is used for multiple applications (in a suite of products, for example). This is known as password sharing, where the same authentication authority is used for the applications.

While other credentials for those applications (such as user name and custom fields) might be different, the user’s password is the same. In this case, create an application group that is a password sharing group to ensure that Single Sign-on Plug-in manages the password for all applications in the group as a single entity. When the password is changed in one of the applications, Single Sign-on Plug-in ensures that the password change is reflected in the stored credentials for all applications in the group.

Domain Password Sharing Groups

Domain password sharing groups differ from other password sharing groups because the user’s domain password is the master password for the application group. When the user changes the domain password, Single Sign-on Plug-in reflects the change in the credentials for all other applications in the group. Only the domain password can be changed; users cannot initiate password changes on any of the other applications in the group unless the administrator removes the application from the domain password sharing group.

Enforcing Password Policies

Single Sign-on enforces password policies, regardless of whether the password is user-defined or automatically generated by Single Sign-on.

A password policy is not enforced when:
  • A user registers with Single Sign-on (during first-time use).
  • A user edits a password from the Manage Passwords window (formerly known as Logon Manager).
  • An administrator creates an application definition.

Single Sign-on also does not enforce a password policy on existing passwords (those created before Single Sign-on is implemented in the enterprise) because users might be denied access to applications or resources currently in use.