Product Documentation

Configuring Applications for User Account Management

Nov 20, 2013

When you configure an application for SSO, you can also configure some application connectors to enable user account creation and management. When you enable user account management, you can configure settings to create new user accounts automatically or by using a workflow. You must select one or the other option. If you use a workflow, the workflow settings specify the correct number of approvals that are necessary to create user accounts. When all the approvals are received, App Controller creates the user account.

If an application is available for user account management, after you configure the URL and licenses, you click Next to configure the settings for creating user accounts, including workflow settings. If an application is not available for user account management, the check box does not appear when you configure the URL and license information.

After you configure the application to enable user account creation and management, you can synchronize the application accounts with Active Directory. When you synchronize application accounts, App Controller uses the users' Active Directory credentials for SSO to the application.

Configuring Workflows for User Account Management

You can use workflows to manage the creation and removal of user accounts. Before you can use a workflow, you need to identify individuals in your organization who have the authority to approve user account requests. Then, you can use the workflow template to create and approve user account requests.

When you configure App Controller for the first time, you configure workflow email settings. You must configure workflow email settings to use workflows. You can change workflow email settings at any time by using the System Configuration panel in App Controller. These settings include the email server, port, email address, and whether the request to create the user account requires approval or not.

You can configure workflows in two places in App Controller:

  • On the Workflows tab in the App Controller management console. On the Workflows tab, you can configure multiple workflows for use with application connectors. When you configure workflows from this tab, you can select the workflow when you configure the application.
  • When you configure an application connector. In the application, you provide a workflow name and then configure the individuals who can approve the user account request.

You can assign up to three levels for manager approval of user accounts. If you need other individuals to approve the user account, you can search and select additional approvers by using the person's name or email address. When App Controller finds the individual, you then add the person to the workflow. All individuals in the workflow receive emails to approve or deny the new user account.

To configure settings to create user accounts

When you configure an application connector to create user accounts, you select a check box that allows you to define how the user name and password appear, as well as who approves the new user account.

Some applications do not support the creation of new user accounts. If the check box Enable user management for provisioning appears on the Details page of the Configure App dialog box, you can create user accounts for the application.

  1. In the management console, click the Apps & Docs tab.
  2. Under Apps & Docs > APPS, click Web & SaaS.
  3. In the right pane, click the plus (+) sign and then select an application from the catalog.
  4. On the first page of the Configure App dialog box, configure the following:
    1. In App name, accept the default name or type a name of your choice.
    2. In Description, accept the default description or type one of your own.
    3. In URL, type the web address for the application.
      Note: Some SAML applications might require additional parameters, such as subdomain and cookies domain names. For more information, see List of Application Connector Types.
    4. Select App is hosted in internal network if the app is running on a server in your internal network.
    5. Select Use Active Directory for SSO to obtain user names and passwords from Active Directory.
    6. Select Require app installation if the application is used on a mobile device.
    7. In Category, select a category for the application. This is an optional parameter and defines categories in Citrix Receiver that contain applications.
    8. In Assigned Roles, select the role for the application. You must select a role to which to assign the application.
    9. Select Enable user management for provisioning and then click Next.
      Note: If you enable this setting, App Controller disables the setting Use Active Directory for SSO.
  5. Click Next.
  6. On the Service Account page of the Configure App dialog box, do one of the following:
    1. Under Service account, in User name and Password, type the service account credentials for the application.

      This is the account that you use to log on to the application as an administrator. You must enter the user name and password.

    2. To automatically create new user accounts, under User Accounts, do the following:
      1. Select Create account automatically.
      2. In When user entitlement ends, select what happens to user accounts if the user's status changes and then click Next.
  7. On the User Names page of the Configure App dialog box, under User Name Rule, select the following:
    1. In User attribute, select the parameters for the user name. The default is Email address.
    2. In Length (characters), enter the number of characters from the user attribute to include in the user name. The default is All.
    3. Repeat Steps 1 and 2 for each parameter you want to include in the user name. The Rule field is automatically populated. The default is $EMAIL.
  8. Under Password Requirement, in Length, type the number of characters required for user passwords.
  9. Under Password Expiration, in Validity (days), type the number of days the password is valid.

    You must type a value from 0 through 90. Passwords are valid for a maximum of 90 days.

  10. Select Automatically reset password after it expires to change user passwords automatically and then click Next.

    If you do not select this check box, when user passwords expire, users cannot access the app.

  11. On the Workflow page of the Configure App dialog box, do the following:
    1. Select Requires Approval and then select a workflow or click Create New Workflow.
    2. If you select Create New Workflow, in Workflow name, enter a name for the workflow.
    3. Optionally, in Description, describe the workflow purpose and then click Next.
  12. On the Manager Approvals page of the Configure App wizard, do the following:
    1. Under Manager Approvals, in Levels of approval needed, select the number of levels required for user account approval.

      You can select up to three levels of managerial approvers. Approval goes through the workflow according to the managers identified in Active Directory. If you do not need managerial approval, you can select Not needed. If you select this setting, you must add approvers in Additional Approvers. You must select at least one workflow approver.

    2. Under Additional Approvers, add the people whom you would also like to approve the user account.

      You can search by using the person's full or partial name. You can add a total of five approvers to the list.

    3. When the person's name appears in the text box, select the name and then click the plus (+) sign.
    4. Click Next.
  13. On the Policies page of the Configure App wizard, configure the network and security policies for the app and then click Save.

To synchronize application users with Active Directory

After you configure an application connector to enable user account creation and management, you need to synchronize the users who have application accounts with the users in Active Directory.

When you add users to Active Directory, you must enter the first name, last name, and email in the user properties. If you do not configure users in Active Directory with this information, App Controller cannot synchronize these individuals. When users attempt to start an app, users receive a message that they are not authorized to use the app.
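
A pre-sync check for the requirement above, as an added example that is not part of the Citrix documentation: the PowerShell function below lists accounts that lack a first name, last name, or email. It assumes those fields map to the standard Active Directory attributes givenName, sn, and mail; the function name Get-SyncBlockedUser and the sample records are constructed for illustration.

```powershell
# Added example: report users missing an attribute required for synchronization.
# Assumption: first name, last name and email correspond to the AD attributes
# givenName, sn and mail (exposed by Get-ADUser as GivenName, Surname, mail).

function Get-SyncBlockedUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    begin {
        # Label shown in the report -> property name on the user object.
        $required = [ordered]@{
            'first name' = 'GivenName'
            'last name'  = 'Surname'
            'email'      = 'mail'
        }
    }
    process {
        # Collect the label of every required property that is empty or absent.
        $missing = foreach ($label in $required.Keys) {
            $value = $User.($required[$label])
            if ([string]::IsNullOrWhiteSpace([string]$value)) { $label }
        }
        if ($missing) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Missing        = $missing -join ', '
            }
        }
    }
}

# Constructed sample records standing in for Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'asmith';  GivenName = 'Ann'; Surname = 'Smith'; mail = 'asmith@example.com' }
    [pscustomobject]@{ SamAccountName = 'bjones';  GivenName = 'Bo';  Surname = 'Jones'; mail = $null }
    [pscustomobject]@{ SamAccountName = 'svc-app'; GivenName = $null; Surname = '';      mail = 'svc-app@example.com' }
)
$sample | Get-SyncBlockedUser

# Against a live directory (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties mail | Get-SyncBlockedUser
```

Accounts that appear in the output are the ones to correct in Active Directory before clicking the Sync icon.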

Note: The Sync icon only appears when you select an application that is configured for user account management.

  1. In the App Controller management console, click the Apps & Docs tab.
  2. In the details pane, click an application.
  3. In the dialog box that appears, click the Sync icon.