Reference

May 11, 2015

This reference describes the settings and setting default conditions available in the Single Sign-on node of the Citrix AppCenter, grouped by their locations in the console.

User Configurations

This section describes the user configuration settings and controls. All navigation hints provided in this section are made to an existing user configuration when performing an edit function. To access the Edit User Configuration dialog box, navigate as follows:

Start > All Programs > Citrix > Management Consoles > Citrix AppCenter > Single Sign-on > User Configurations > [configuration] > Edit user configuration

Basic Plug-in Interaction

These controls customize how the Single Sign-on Plug-in works for this user configuration. The user interface preferences are set here.

Start > All Programs > Citrix > Management Consoles > Citrix AppCenter > Single Sign-on > User Configurations > [configuration] > Edit user configuration > Basic Plug-in Interaction

allow users to reveal passwords

This setting controls if users can reveal passwords in the Manage Passwords window. When the setting is not selected, the Reveal Password button is disabled. To restrict the ability to reveal a password to specific applications, select this setting and then use the corresponding password policy setting to control whether users can reveal passwords for applications managed by that policy.

Default setting: selected

force re-authentication before revealing user passwords

This setting controls if users must re-authenticate to Single Sign-on before a reveal password request is honored.

Default setting: selected

automatically detect applications and prompt user to store credentials

This setting controls if the plug-in software prompts the user to add credentials for applications newly detected by the plug-in software.

Clear this option to disable the Single Sign-on Plug-in software’s ability to detect any applications that are not associated with this user configuration. If this option is cleared, users must submit credentials manually to these applications. Use this setting to prevent users from adding applications that are not currently part of their assigned user configuration to their set of SSO-enabled applications.

If cleared, this option overrides the Enable users to cancel credential storage when a new application is detected option available on the Advanced Settings > Client-Side Interaction page. Also, if you plan to use provisioning, clearing this option prevents users from being prompted to enter their credentials.

Default setting: selected

automatically process defined forms when Single Sign-on Plug-in detects them

Select this option to permit the plug-in software to submit stored credentials automatically without user intervention. Credential fields in the application will automatically populate if the corresponding setting Submit this form automatically is selected in the application definition associated with this user configuration.

Default setting: selected

time between re-authentication requests

This setting specifies the time between plug-in re-authentication requests. When the specified time expires, the user's device is locked and users must re-authenticate by entering their primary credentials. The minimum allowed value is 1 minute.

Default setting: 8 hours

Plug-in User Interface

These controls are used to set the credential submission delay and the columns in the Manage Passwords window.

Start > All Programs > Citrix > Management Consoles > Citrix AppCenter > Single Sign-on > User Configurations > [configuration] > Edit user configuration > Plug-in User Interface

Specify the length of time plug-in delays credential submission

Select this setting to specify the length of time the plug-in software delays credential submission after detecting an allowed application. If selected, specify the length of time (in seconds) to delay credential submission. Use this setting to ensure that the application is ready to receive the credentials. During this time, the plug-in software will show a progress indicator, indicating that the plug-in software is working.

Default setting: not selected (0 seconds)

Set the default columns and column order in Logon Manager

This setting controls which columns are shown in the Details view of the Manage Passwords window (formerly known as Logon Manager). It also controls the order in which the columns are presented.

The default settings are:

  • Application Name
  • Description
  • Group
  • Last Used
  • Modified

Client-Side Interaction

These settings are used to configure plug-in software event logging, registry key retention on shutdown, and credential storage on newly detected applications.

Start > All Programs > Citrix > Management Consoles > Citrix AppCenter > Single Sign-on > User Configurations > [configuration] > Edit user configuration > Client-side Interaction

log Single Sign-on Plug-in events using Windows event logging

Select this control to track plug-in software informational events in the local Windows Event Log. Warnings and error events are always logged, regardless of this setting.

Default setting: not selected

delete user’s data folder and registry keys when Single Sign-on Plug-in is shut down

Select this control to delete the user’s registry keys and data folder (including encrypted credentials) when the plug-in software is shut down.

Default setting: not selected

enable users to cancel credential storage when a new application is detected

This setting is used to control whether users are prompted to store credentials every time the plug-in software recognizes an application for which no credentials are stored. If selected, users can choose to store their credentials in the Manage Passwords window (formerly known as Logon Manager) now, later, or never. If the setting Automatically detect applications and prompt users to store credentials is not selected on the Configure plug-in interaction page, the plug-in software does not prompt users to store credentials.

Default setting: selected

limit the number of days to keep track of deleted credentials

Use these controls to specify how long the central store tracks credentials deleted from the Manage Passwords window (formerly known as Logon Manager). When user credentials are stored on multiple client devices, the plug-in deletes the credentials when it synchronizes with the central store during this time period. If the credentials are still stored on the client device when the time elapses, they are restored when the plug-in synchronizes with the central store.

Default setting: selected / 180 days
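The following added example (not Citrix code) is a simplified model of the behavior described above: it shows a deleted credential being removed from a device that synchronizes inside the tracking period and restored by a device that first synchronizes after it. The class and function names, the day-based clock, and the sample credential are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class CentralStore:
    """Simplified model of the central store's deleted-credential tracking."""
    track_days: int = 180                           # default from this reference
    creds: dict = field(default_factory=dict)       # application -> secret
    deleted_on: dict = field(default_factory=dict)  # application -> day deleted

    def delete(self, app, day):
        """A user deletes a credential on a device that is online."""
        self.creds.pop(app, None)
        self.deleted_on[app] = day

    def sync(self, device, day):
        """Synchronize one device (dict application -> secret); return events."""
        events = []
        # Deletions older than the tracking period are no longer remembered.
        self.deleted_on = {a: d for a, d in self.deleted_on.items()
                           if day - d < self.track_days}
        for app in list(device):
            if app in self.deleted_on:
                del device[app]                 # deletion reaches this device
                events.append(("deleted", app))
            elif app not in self.creds:
                self.creds[app] = device[app]   # stale local copy is restored
                events.append(("restored", app))
        device.update(self.creds)               # device receives the store's view
        return events


def credential_survives(track_days, late_sync_day):
    """Constructed scenario: 'payroll' is deleted on device A on day 0;
    device B still holds a copy and first synchronizes on late_sync_day.
    Returns True if the credential is back on device A one day later."""
    secret = "constructed-sample-secret"
    store = CentralStore(track_days, creds={"payroll": secret})
    dev_a, dev_b = {"payroll": secret}, {"payroll": secret}
    del dev_a["payroll"]
    store.delete("payroll", day=0)
    store.sync(dev_b, late_sync_day)
    store.sync(dev_a, late_sync_day + 1)
    return "payroll" in dev_a


if __name__ == "__main__":
    for day in (30, 200):
        print(f"device B syncs on day {day}: credential restored =",
              credential_survives(180, day))
```

In this model, a tracking period shorter than the longest time a device stays unsynchronized lets a deleted credential return to every device.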

Synchronization

These controls are used to allow users to refresh Single Sign-on Plug-in settings, synchronize user configuration information, allow the plug-in to continue to operate if it cannot connect to the central store, and specify automatic synchronization intervals.

Start > All Programs > Citrix > Management Consoles > Citrix AppCenter > Single Sign-on > User Configurations > [configuration] > Edit user configuration > Synchronization

allow users to update Single Sign-on Plug-in settings

Select this setting to allow users to refresh the plug-in software settings in the Manage Passwords window (formerly known as Logon Manager). When the setting is not selected, the Manage Passwords window Refresh button is disabled.

Default setting: selected

synchronize every time users launch recognized applications or Logon Manager

Select this setting to have the plug-in software synchronize user configuration information whenever a user launches a recognized application or the Manage Passwords window (formerly known as Logon Manager). Frequent synchronization can degrade performance on both the client and server, as well as increase network traffic.

Default setting: not selected

allow Single Sign-on Plug-in to operate when unable to reconnect to central store

This setting controls whether or not Single Sign-on operates when unable to connect to the central store for synchronization. When selected, a licensed instance of Single Sign-on Plug-in continues to operate even if the connection fails. If not selected, the plug-in software operates only when connected to the central store.

Default setting: selected

specify the time between automatic synchronization requests

This control is used to specify the time in minutes between automatic synchronization attempts. Automatic synchronization is independent of user activity and takes place in addition to other events that trigger synchronization.

Default setting: not selected / 0 minutes

allow user credentials to be accessed through the Credential Synchronization Module

Select this setting to allow remote clients to access user credentials through the service. This option is used with the Account Association feature, which allows a plug-in software user to log on to any application from one or more Windows accounts.

Default setting: not selected

Account Association

Because companies can maintain multiple Windows domains, users can also have more than one Windows account. The Account Association option allows a user to log on to any application from one or more Windows accounts. These controls allow users to associate logon information among multiple Windows accounts.

Start > All Programs > Management Consoles > Citrix AppCenter > Single Sign-on > User Configurations > [configuration] > Edit user configuration > Account Association

allow users to associate accounts

Select this setting to allow users to associate multiple Windows accounts, and provide the URL and port where the Credential Synchronization Module is installed. This option cannot be set when initially configuring a User Configuration. It can be defined only when editing an existing configuration.

Default setting: not selected

provide default service address

Select this setting to allow the default service address and service port to the Credential Synchronization Module to be defined. After defining the settings, you can select the Validate option to validate the address path and service port.

Default setting: <AddressOfYourServer>/MPMService/

service port: 443

allow users to edit service address

If a service address is defined, select this setting to allow the user to edit the settings through the plug-in interface. Select this option if credential synchronization is run in multiple places and users need to be able to switch.

Default setting: not selected

provide default domain

Select this setting to specify the default domain used for authentication when the plug-in software synchronizes with the associated Windows account. If this setting is selected, enter the default domain name in the space provided. If you do not provide the domain, users might be confused as to which user credentials they should provide.

Default setting: not selected

allow users to edit domain

Select this setting to allow users to edit the default domain used for authentication when the plug-in software synchronizes with the associated Windows account.

Default setting: not selected

allow users to remember password

Select this setting to allow users to save their associated Windows account password in the plug-in software.

Default setting: not selected

Application Support

These controls allow the plug-in software to detect client-side application definitions, enable support for terminal emulators, and specify the minimum number of domain name levels to match for Web applications.

Start > All Programs > Management Consoles > Citrix AppCenter > Single Sign-on > User Configurations > [configuration] > Edit user configuration > Application Support

detect client-side application definitions

Select this setting to allow Single Sign-on to detect applications in one of the following ways.

  • All applications

    Detects and responds to applications defined by an administrator or a user (in the Manage Passwords window, formerly known as Logon Manager) and defined in the default settings at installation.

  • Only applications that are defined by users in Logon Manager

    Detects and responds to applications defined by an administrator and a user in the Manage Passwords window (formerly known as Logon Manager). The plug-in software will not recognize or respond to applications defined in the default settings at installation.

  • Only applications that are included with Single Sign-on Plug-in

    Detects and responds to applications defined by an administrator and defined in the default settings at installation. Users cannot create their own application definitions from the Manage Passwords window (formerly known as Logon Manager).

Default setting: All applications

enable support for terminal emulators

This setting controls support for terminal emulation programs. When this setting is enabled, the plug-in software runs a process that detects terminal emulators and terminal emulator-based applications.

Default setting: not selected

time interval in which plug-in checks the terminal emulator for changes

This setting is used to specify how much time in milliseconds must pass before the plug-in software checks the terminal emulator for screen changes. Lower values can use more CPU time on the client and increase network traffic.

Default setting: 3000 milliseconds

number of domain name levels to match

This setting is used to specify the minimum number of domain name levels to match for allowed Web applications. A value of 2 or less would match *.domain1.topleveldomain; a value of 3 would match *.domain2.domain1.topleveldomain. Domain name levels beyond the specified number are treated as wild cards. To strictly control URL matching for Web applications, set strict URL matching in your application definitions.

Default setting: 99
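The following added example (not Citrix code) models the matching rule described above so that an administrator can see which hosts a given value would treat as the same Web application. It assumes that levels are counted as dot-separated labels from the right; all function names and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_LEVELS = 99  # default value stated in this reference


def host_labels(url_or_host):
    """Lower-cased DNS labels of a URL or bare host name."""
    host = urlsplit(url_or_host).hostname if "://" in url_or_host else url_or_host
    if not host:
        raise ValueError(f"no host name in {url_or_host!r}")
    return host.rstrip(".").lower().split(".")


def hosts_match(definition, visited, levels=DEFAULT_LEVELS):
    """Assumed model of the rule: the rightmost `levels` labels must be
    identical and labels further left are wildcards. Values of 2 or less
    behave as 2, as stated in this reference."""
    n = max(int(levels), 2)
    return host_labels(definition)[-n:] == host_labels(visited)[-n:]


def accepted_hosts(definition, candidates, levels=DEFAULT_LEVELS):
    """Candidates that would be treated as the defined Web application."""
    return [c for c in candidates if hosts_match(definition, c, levels)]


def smallest_safe_level(definition, must_reject):
    """Smallest setting that rejects every host in must_reject, else None."""
    for n in range(2, len(host_labels(definition)) + 2):
        if not accepted_hosts(definition, must_reject, n):
            return n
    return None


# Constructed sample data (example.com and example.net are reserved names).
DEFINITION = "https://portal.hr.example.com/login"
CANDIDATES = [
    "https://portal.hr.example.com/login",
    "https://files.hr.example.com/",
    "https://wiki.example.com/",
    "https://test.portal.hr.example.com/",
    "https://portal.hr.example.com.example.net/",
]

if __name__ == "__main__":
    for levels in (2, 3, 4, DEFAULT_LEVELS):
        print(levels, accepted_hosts(DEFINITION, CANDIDATES, levels))
    print("needed:", smallest_safe_level(DEFINITION, CANDIDATES[1:]))
```

Under the label-counting assumption, a value of 2 applied to a host below a two-label suffix such as co.uk compares only those two labels, so unrelated sites under the same suffix would match.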

Hot Desktop

These controls specify how Hot Desktop sessions are handled.

Start > All Programs > Management Consoles > Citrix AppCenter > Single Sign-on > User Configurations > [configuration] > Edit user configuration > Hot Desktop

session settings script path

This control specifies the path of the session settings file that defines the scripts to be executed at the start and end of a Hot Desktop session. The start script can be used to start applications. The stop script can be used to perform cleanup tasks such as file removal. The file used must be accessible to all users.

Default setting: [blank]

lock time-out

This control is used to specify the length of time in minutes that a Hot Desktop session will remain active when the workstation is idle. If this interval is exceeded, the desktop is locked.

Default setting: 10 minutes

session time-out

This control is used to specify the length of time in minutes that a Hot Desktop session will run while the desktop is locked. If this time is exceeded, the session is terminated and a new session is started when the desktop is unlocked.

Default setting: 5 minutes

enable session indicator

This setting controls whether a window identifying the Hot Desktop session is enabled. When this setting is selected, a transparent moveable window appears on the desktop during Hot Desktop sessions. This window displays the user's name and the elapsed time of the active session.

Default setting: selected

enable graphic

This control is used to specify the path of the graphic file displayed in the Hot Desktop session indicator. The specified file must be in a location accessible to all users and must be in Windows bitmap (.bmp) file format.

A default bitmap named Citrix.bmp is available from the %ProgramFiles%\Citrix\MetaFrame Password Manager\Hot Desktop folder on each Hot Desktop workstation.

Default setting: [none]

Licensing

These controls are used to identify the license server and licensing model.

Start > All Programs > Management Consoles > Citrix AppCenter > Single Sign-on > User Configurations > [configuration] > Edit user configuration > Licensing

Important: Locally installed instances of the Single Sign-on Plug-in do not require a separate license for users who have access to hosted applications in a Citrix XenApp, Platinum Edition environment.

license server name

The fully qualified domain name (hostname.domain.tld) associated with the license server must be identified.

Default setting: [blank]

use default value (for license server port number)

Select this setting to use the default access port on the license server. If the license server is listening on a different port than its default port, disable this setting and enter the access port in the provided field.

Default setting: selected

Default port: 27000

named user licensing

This option is selected if you choose Single Sign-on Advanced as the product edition. You can also choose this option if you select Single Sign-on Enterprise as the product edition. With this license type, Single Sign-on can be used only by specific, named users. If this option is selected, you must specify the time period (in days, hours, and minutes) that the license is assigned to the named user before the license expires and the plug-in software reconnects to the license server. The user maintains control of the license for the specified time period even if the user computer shuts down.

Default setting: selected if Single Sign-on Advanced Edition; not available if XenApp Platinum Edition

Default disconnect setting: 21 days

concurrent user licensing (Enterprise and Platinum Edition only)

This option is enabled if you select the product edition as Single Sign-on Enterprise or XenApp Platinum. It is not available if you select Advanced Edition as the product edition.

Note: This license model is enabled if you upgraded from Password Manager Version 4.1. Citrix Systems considers this previous version as equivalent to Single Sign-on 5.0 Enterprise Edition for licensing purposes when you upgrade.

With this license type, a single Single Sign-on license can be shared by different users (although not at the same time; this license type is sometimes also known as a floating license).

Default setting: selected if Single Sign-on Enterprise or XenApp Platinum Edition; not available if Single Sign-on Advanced Edition

Default disconnect setting: 1 hour, 30 minutes if Allow license to be consumed for offline use is not selected; 21 days if Allow license to be consumed for offline use is selected

allow license to be consumed for offline use

This option is available only if Concurrent User Licensing is selected. Select this setting to specify the amount of time that the user can be disconnected (offline) before the license expires and is returned to the pool of available licenses. If specified, the user maintains control of the license for the specified time period even if the user computer shuts down. The default time period is 1 hour 30 minutes; the recommended value is between 2 and 365 days.

Default setting: Not selected

continue without validating licensing information

This setting allows the editing process to continue without requiring a valid license server name and access port.

Default setting: not selected