Product Documentation

Using Provisioning to Automate Credential Entry

May 09, 2015

Use the Provisioning Module (also known as credential provisioning) to manipulate user credentials associated with applications defined in a user configuration. Provisioning enables you to automate these procedures and apply them to multiple users. If you plan to deploy new software to your users, create an application definition for the application and use credential provisioning to add the credentials for all users who will use the application.

Summary of Provisioning Tasks

To manipulate credential information in your central store for SSO-enabled applications contained in user configurations, you must perform the following tasks:

  1. Install the Provisioning Module of the Single Sign-on Service.
  2. Create a user configuration that uses the provisioning service.
  3. Generate a credential provisioning template.
  4. Populate the template with user credential data and select a command to run.
  5. Process your provisioning data.
Important: The XML file you use to provision credentials contains highly sensitive user-related information. Consider deleting the file or moving it to a secure location when credential provisioning is completed.

After the credentials are added, removed, or modified in the central store, the credentials are ready for use in your environment. When users start the plug-in software, the credentials updated in the plug-in software and applications are made available to your users.

Adding, changing, or removing credentials from the central store can consume a large amount of system resources. When possible, perform credential provisioning during off-peak hours.

The Credential Provisioning SDK

If you need to manipulate the credentials of many users, consider using the Credential Provisioning Software Development Kit (SDK). The SDK provides a description of the APIs made available when you install the Provisioning Module of the Single Sign-on Service. Use this SDK and included sample code to create your own provisioning client for use with Single Sign-on.

Generating a Credential Provisioning Template

The following procedure assumes that you created a user configuration consisting of at least one of the following: application definition, application group, password policy (perhaps including an optional password sharing group) and provisioning is enabled in the user configuration.

A provisioning template is an XML document that contains information about the applications included in your selected user configuration:

  • Application group
  • Application definition name and globally unique identifier number (GUID)
  • User information like user name and password

It also includes add, remove, and modify commands that you use when you use the edited template from the console to run provisioning.

The resulting template includes example command information and specific information about the selected user configuration.

To generate a credential provisioning template

  1. Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter.
  2. Expand the Single Sign-on node and select User Configurations.
  3. Select a user configuration.
  4. From the Action menu, click Generate Provisioning Template.
  5. In the Generate Provisioning Template dialog box, type a name for the template.

To process your provisioning template

Use the Single Sign-on component of the Citrix AppCenter to perform the provisioning tasks specified in your XML file. Single Sign-on validates the syntax of each command, executes the commands, and adds or modifies the data in the central store.

Caution: Do not close the provisioning process screen until provisioning has fully stopped or fully completed. Closing this screen does not halt the provisioning process. If the screen is closed while the previsioning process is running, there is no way to capture any information or halt the process until it completes.
  1. Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter.
  2. Expand the Single Sign-on node and expand User Configurations.
  3. Select a user configuration or application group of a user configuration.
  4. From the Action menu, click Run provisioning. The Provisioning Wizard appears.
  5. Click Next.
  6. Type the name of your provisioning XML file or click Browse to locate it, then click Next. Single Sign-on validates the XML file.
    • If no syntax errors are found, a summary of the changes that can be made is shown. You can save the summary.
    • If syntax or other errors are found, an error log appears. You can save the error log and click Cancel to close the wizard.
  7. If no errors were found, click Next to execute the commands in the file. As the information is changed in the central store, any errors that occur as a result of provisioning appear. To stop provisioning while it is in process, click Abort. When Single Sign-on reaches the end of the current section of data in process (by default, data is processed in groups of 50 lines of code), provisioning terminates.

When you finish the wizard, you can save the provisioning results.

Tuning Credential Provisioning Processing

Caution: This procedure requires you to edit the registry. Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Always back up a copy of your system registry before continuing

By default, if you use Single Sign-on for credential provisioning, your information is processed in batches of 50 commands with a time-out of 100,000 milliseconds. The following registry keys can be edited to change these default values:

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Console\Provisioning\BatchSize

Type: DWORD

Default value if left blank: 50

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Console\Provisioning\ServiceTimeout

Type: DWORD

Default value in milliseconds if left blank: 100000