To give you an overview, these are the necessary steps to implement a basic setup of Single Sign-on:

Does not look to difficult or?

Citrix Single Sign-on (formerly known as Password Manager) is part of the XenDesktop Platinum Edition and therefore sold millions of times. But its actual installed base is much smaller, as I’ve experienced on many customer engagements. So I asked myself, why is that?

To start using Single Sign-on it is necessary to have access to a file share and an instance of the Delivery Services Console. For the use of Single Sign-on the Citrix Single Sign-on Plugin is needed on each client device. The client device can vary from any client operating system like Windows 7 up to Microsoft Windows Server 2008 R2 in a XenApp infrastructure.
From a licensing perspective you would just point to your existing Citrix License Server which is hosting a license file which allows the use of Single Sign-on.

The only thing need to be considered in terms of licensing is, that the license file itself has a Subscription Eligibility date of the 17th of March 2010 as this is the eligibility date for using Single Sign-on 4.8. More information about Eligibility dates can be found here

So from a technical perspective we would then need a Delivery Services Console and a file share. The file share is needed to host the credential store for the configuration of Single Sign-on and the user data. You could also use Active Directory for hosting the credential store but you would have to implement a schema extension which many companies don’t like as AD schema extensions are irreversible.
If you start using Single Sign-on just for your administrative users and for testing purposes a file share would be sufficient enough even in terms of availability. I will talk about high availability for Single Sign-on in an additional blog later on.
The file share itself can be created manually or could also be created using the Tool “CtxFileSyncPrep.exe” which is located in the Support – Tools folder on the media and just need to be run on the server which will host the file share. The tool will create a default share but could also be customized through the command line.

Now, as the file share is created, we would need to run the Delivery Service Console and run a discovery pointing to our newly created file share. During discovery you will be asked which encryption should be used to encrypt the data. If you are not intending to use older Single Sign-on Clients you can go for the AES encryption, which offers best security.

As with all new things, don’t turn on all features. Therefore we will not use Data Integrity at this stage.
At this point the discovery should finish and you should see a pretty empty Single Sign-on Delivery Services Console. First thing we need is a user configuration. The user configuration contains settings about licensing, Agent behavior and other stuff. A name for the user configuration is necessary as well as the specification of users who are able to use the Agent. If you don’t specify an OU or an AD group you could also select the share itself. This makes Single Sign-on available also to users which are using devices not belonging to the domain. This setting to choose AD or OU is illustrated in the next picture.

All other options can be left as they are for this first initial setup, the only thing really need to be configured is the “Select product edition” option and the “Configure licensing” option. For the product edition option you may use the XenApp Platinum edition and for the licensing option you would point to your existing Citrix License server.

With this we are almost ready. We just need a client device which should be equipped with the Single Sign-on Plugin. The latest Single Sign-on Plugin can be found on the Citrix Site You can also use the Plugin which is shipped with the installation media but you should always consider using the latest available Plugin.
During the installation of the Plugin everything is left default. The only thing that needs to be entered is the location of the Central Store (the file share, we just created).

And now we are reading to use Single Sign-on. The usage of our currently deployed setup is only allowing us the use of Web Applications through Internet Explorer if the fields are correctly detected. Throughout my next blogs we will go through the variety of settings and also implement application definitions.

One last note: If you have various logins for a given webpage you could create a copy of your existing record for this site and Single Sign-on will ask with a Logon Chooser which account to use for logging on. I find this functionality quite nice as I also have various logins for mycitrix or other pages.