Product Documentation

Configuring Single Sign-on to Recognize Applications

May 09, 2015

Single Sign-on recognizes and responds to applications based on the settings identified in application definitions.

Application definitions contain forms that allow the Single Sign-on Plug-in to analyze each application as it is started, recognize certain identifying features, and determine if the starting application requires the plug-in to perform some specific action, such as:
  • Submit user credentials at a logon prompt.
  • Negotiate a credential changing interface.
  • Process a credential confirmation interface.

Application definitions consist of sets of specific user credential form recognition and action characteristics referred to as form definitions, and the set of configuration options that apply to all the forms in the configuration.

The form definition settings define the actions that Single Sign-on performs when an application requests a specific user credential action.

An application definition contains all the user credential management forms associated with a single application.

Although most applications and their corresponding application definitions use only two forms for managing user credentials, you can define as many forms as necessary in a single application definition.

Single Sign-on provides support for a variety of applications including Windows, Web, and terminal emulator-based applications. It works with Java applications; SAP solutions; and applications hosted on a mainframe, AS/400 system, or UNIX server.

Use the provided wizards to create application definitions for applications that do not have predefined application templates. The Application Definition Wizard configures the characteristics associated with all the forms included in the definition. The Form Definition Wizard leads you through a step-by-step procedure to define support for Windows, Web, and terminal emulator-based applications.

Single Sign-on also provides the ability to perform external application discovery and action processing support. This allows third-party implementers to extend the application detection and credential submission tasks associated with a form by providing access to external processes during the application detection and action submission processing phases in the Single Sign-on Plug-in.

These features combine to provide you with a flexible and adaptable application definition development environment to support your user community with secure and flexible Single Sign-on access to critical applications.

Caution: Single Sign-on is dependent on the secure operation of the computers hosting the product’s components. If the user device becomes infected with any malicious code, there is a risk that this code could undermine the security provided by Single Sign-on. To reduce this risk, follow standard security best practices to maintain the security of your organization’s infrastructure.

Application Templates

Application templates are XML files used to share application definitions between different Single Sign-on environments. Application templates save time and effort because you can convert them to application definitions with minimal intervention or configuration. Templates require you to provide information to complete the application definition, such as a URL or executable file name, password expiration, and any advanced detection settings.

Install application templates using the Single Sign-on node of the Citrix AppCenter or the Application Definition Tool. Both of these include application templates for commonly-used Windows and Web applications.

Important: To write to an Active Directory central store while running in Windows Server 2008, Windows Server 2008 R2, Windows Vista, or Windows 7, grant the Application Definition Tool an integrity level of High. Log onto an account that is a member of the local administrators group to start the tool on the system computer as well as be a member of the domain administrators group or have write privileges to the Active Directory objects in the central store. Provide these credentials when running the tool, either at the User Account Control prompt or when logging on to the system. The tool is assigned a High integrity level and can write to the Active Directory.

When an application template cannot be found for an application, create an application definition using the Single Sign-on node of the Citrix AppCenter or the Application Definition Tool.