OpenCloud Access Administration Guide - Citrix Knowledge Center
OpenCloud Access Administration Guide
Citrix® OpenCloud Access® 1.0
Copyright and Trademark Notice

© CITRIX SYSTEMS, INC., 2010. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC.

ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL. CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED.
Last Updated: October 2010
Contents

Preface
    About This Guide
    Formatting Conventions
    Getting Service and Support
        Knowledge Center
    Documentation Feedback

Chapter 1: OpenCloud Access High Availability
    How OpenCloud Access High Availability Works
    Configuring High Availability

Chapter 2: Configuring Kerberos on Active Directory
    User Creation for OpenCloud Access
    Keytab File Generation
    Testing Kerberos

Chapter 3: Activating SSO Applications
    Activating an Application for SSO
    Viewing an SSO Application
    View User Accounts
    Removing an SSO Application

Chapter 4: Configuring Responder Policies on NetScaler

Chapter 5: Viewing Users

Chapter 6: Configuring a DNS Server entry for OpenCloud Access

Chapter 7: OpenCloud Access Reporting
    Built-in Reports
        License Utilization
        Inactive Accounts
        Concurrent Logins
        Failed Logins
    Custom Reports

Chapter 8: Installing Connector Updates
    OpenCloud Access SSO Connector Library
        Service Packs
            Availability
            Installing Service Packs
        Hot Fixes and Bug Fixes
            Availability
            Installing Bug Fixes and Hot Fixes
        Connector Upgrades
            Availability
            Installing Upgrades

Chapter 9: Upgrading OpenCloud Access

Chapter 10: Provisioning SSO Applications
    Prerequisites
    Adding Active Directory as an Authoritative List
    Adding Active Directory as an Authentication Server
    Adding an SSO Web Application as a Service
    Creating Active Directory Groups
    Fine-grained Privileges
        Fine-grained Authoritative List Privileges
    Associating the OpenCloud Access Administrator to an Employee
    Creating User Accounts
    Deleting User Accounts
    Enabling User Accounts
    Disabling User Accounts
PREFACE
Preface

Before you begin to manage and monitor Citrix OpenCloud Access, take a few minutes to review this chapter and learn about related documentation, other support options, and ways to send us feedback.

In This Preface
• About This Guide
• Formatting Conventions
• Getting Service and Support
• Documentation Feedback

About This Guide

The Citrix OpenCloud Access Administration Guide provides a conceptual reference and instructions for configuring and managing Citrix® OpenCloud Access®.

The guide provides the following information:
• Chapter 1, “OpenCloud Access High Availability.” Learn about OpenCloud Access High Availability and how to configure it.
• Chapter 2, “Configuring Kerberos.” Configure Kerberos Authentication on Active Directory for OpenCloud Access.
• Chapter 3, “Activating SSO Applications.” Activate and configure new applications for SSO by using OpenCloud Access. Also, learn how to view and remove activated applications.
• Chapter 4, “Configuring Responder Policies on NetScaler.” Learn how to configure responder policies on NetScaler.
• Chapter 4, “Viewing Users.” View details of the enterprise users in OpenCloud Access.
• Chapter 5, “Configuring a DNS Server entry for OpenCloud Access.” Learn how to configure a DNS entry for OpenCloud Access.
• Chapter 6, “OpenCloud Access Reporting.” Learn how to use OpenCloud Access to display single sign-on usage as reports with graphs.
• Chapter 7, “Uploading Connector Library.” Learn about different types of periodic updates and fixes provided by Citrix. This also includes the procedure to upload and install them on OpenCloud Access.
• Chapter 8, “Upgrading OpenCloud Access.” Learn how to upgrade OpenCloud Access to the latest build.
• Chapter 9, “Provisioning for SSO Applications.” Learn how to enable provisioning for single sign-on applications activated in OpenCloud Access.

Formatting Conventions

This documentation uses the following formatting conventions.

Table 1: Formatting Conventions (Convention: Meaning)
• Boldface: In text paragraphs or steps in a procedure, information that you type exactly as shown (user input), or an element in the user interface.
• Monospace: Text that appears in a command-line interface. Used for examples of command-line procedures. Also used to distinguish interface terms, such as names of directories and files, from ordinary text.
• Angle brackets (< >): A term enclosed in angle brackets is a variable placeholder, to be replaced with an appropriate value. Do not enter the angle brackets.
Getting Service and Support

Citrix provides technical support primarily through the Citrix Solutions Network (CSN). Our CSN partners are trained and authorized to provide a high level of support to our customers. Contact your supplier for first-line support, or check for your nearest CSN partner at http://support.citrix.com/.

You can also get support from Citrix Customer Service at http://citrix.com/. On the Support menu, click Customer Service.

Knowledge Center

The Knowledge Center offers a variety of self-service, Web-based technical support tools at http://support.citrix.com.

Knowledge Center features include:
• A knowledge base containing thousands of technical solutions to support your Citrix environment.
• An online product documentation library.
• Interactive support forums for every Citrix product.
• Access to the latest hotfixes and service packs.
• Knowledge Center Alerts that notify you when a topic is updated.
  Note: To set up an alert, sign in at http://support.citrix.com/ and, under Products, select a specific product. In the upper-right section of the screen, under Tools, click Add to your Hotfix Alerts. To remove an alert, go to the Knowledge Center product and, under Tools, click Remove from your Hotfix Alerts.
• Security bulletins.
• Online problem reporting and tracking (for organizations with valid support contracts).

Documentation Feedback

You are encouraged to provide feedback and suggestions so that we can enhance the documentation. You can send email to the following alias or aliases, as appropriate. In the subject line, specify “Documentation Feedback.” Be sure to include the document name, page number, and product release version.
• For OpenCloud Access documentation, send email to nsdocs_feedback@citrix.com.
CHAPTER 1
OpenCloud Access High Availability

OpenCloud Access high availability (HA) refers to an implementation in which two OpenCloud Access VMs are installed on different hardware platforms and are configured such that if one system fails for any reason, the other is available to provide the OpenCloud Access services. The two VMs work in an active-passive configuration, in which only one device is active at any given time.

The active VM listens for requests, serves clients, and synchronizes its data with the data on the passive VM. Each VM has its own individual IP address. The VM pair is also assigned a well known IP address, which is used by the VM that is active. Clients access the active VM by using a fully qualified domain name that resolves to the well known IP address.

System-setting data is synchronized by a client-server mechanism. A client on the active OpenCloud Access pushes the necessary information to a virtual server on the passive VM as a series of requests. The virtual server parses the requests and performs the necessary action.

How OpenCloud Access High Availability Works

The OpenCloud Access VM on which the high availability configuration is initiated is termed the primary VM, and the other is termed the secondary. The names primary and secondary are static: they do not change over time, and both VMs know which of the two is the primary and which is the secondary. Both VMs retain these identities even if the secondary becomes active and the primary passive.

If the primary VM or its host hardware fails, the secondary VM immediately assumes the tasks of serving user requests and providing single sign-on functionality. As the active VM, it also inherits the role of synchronizing system and database information.

Each VM in an OpenCloud Access high availability pair generates a heartbeat request once each minute. A diagnostics script on each VM generates health-status information, and the heartbeat service running on the two VMs monitors the health of each OpenCloud Access system and the health of the HA pair.

If the passive VM does not respond to a heartbeat request or reports a failure, the active VM marks the passive as failed and sends an email message notifying the administrator. If the active VM does not respond or reports a failure, the passive VM acquires the well known IP address, becomes active, and sends an email message notifying the administrator.

When the failed VM comes back online, the active VM updates it with differential data and updates its status from failed to passive.
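The following Python simulation is an added example, not code from the Citrix guide or product; it replays the failover rules above to show that the static names (primary, secondary) and the current roles (active, passive, failed) move independently, and that a recovered VM rejoins as passive. It assumes the Heartbeat Tolerance Level configured in the next section is the number of consecutive missed heartbeat rounds tolerated before a VM is declared failed; the class and function names are hypothetical.

```python
"""Added illustration of the active-passive failover rules described above."""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str             # static identity: "primary" or "secondary"
    state: str            # current role: "active", "passive" or "failed"
    healthy: bool = True  # stands in for the diagnostics script's health status
    missed: int = 0       # consecutive heartbeat rounds without a good reply


@dataclass
class HAPair:
    tolerance: int = 3    # assumption: missed rounds tolerated before acting
    primary: VM = field(default_factory=lambda: VM("primary", "active"))
    secondary: VM = field(default_factory=lambda: VM("secondary", "passive"))
    mail: list = field(default_factory=list)  # notifications to the administrator

    def active(self) -> VM:
        """The VM currently holding the well known IP address."""
        return self.primary if self.primary.state == "active" else self.secondary

    def tick(self) -> None:
        """One heartbeat round (once each minute in the guide)."""
        act = self.active()
        peer = self.secondary if act is self.primary else self.primary

        if peer.state == "failed":
            if peer.healthy:
                # Failed VM is back online: the active VM sends differential
                # data and changes the peer's status from failed to passive.
                peer.state, peer.missed = "passive", 0
            return

        # Both VMs probe each other; count consecutive misses per VM.
        for vm in (act, peer):
            vm.missed = 0 if vm.healthy else vm.missed + 1

        if peer.missed >= self.tolerance:
            peer.state = "failed"
            self.mail.append(f"{act.name}: passive VM {peer.name} marked failed")
        elif act.missed >= self.tolerance:
            # Passive VM acquires the well known IP address and becomes active.
            act.state, peer.state = "failed", "active"
            self.mail.append(f"{peer.name}: acquired well known IP, now active")


def run_scenario():
    """Constructed timeline: primary host fails at minute 2, returns at minute 6."""
    pair = HAPair(tolerance=3)
    timeline = []
    for minute in range(1, 9):
        if minute == 2:
            pair.primary.healthy = False
        if minute == 6:
            pair.primary.healthy = True
        pair.tick()
        timeline.append((minute, pair.primary.state, pair.secondary.state))
    return pair, timeline


if __name__ == "__main__":
    pair, timeline = run_scenario()
    for minute, primary_state, secondary_state in timeline:
        print(f"minute {minute}: primary={primary_state} secondary={secondary_state}")
    print("mail:", pair.mail)
```

In this model the secondary remains active after the primary recovers, so a monitoring check should key on which VM holds the well known IP address rather than on the primary or secondary name.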
Configuring High Availability

Before configuring a high availability pair, make sure that the two OpenCloud Access VMs are running the same build version. If you have installed any hotfixes or bug fixes on one of the VMs, the same set of fixes should be installed on the other VM as well. OpenCloud Access currently supports high availability within the same subnet only. Make sure that the IP addresses assigned to the primary and secondary VMs are in the same subnet.

When you configure high availability, the primary device IP address is automatically assigned as the well known IP address for the pair. You must set aside one more IP address to assign to the primary VM.

Configure high availability settings

1. Log on to the OpenCloud Access Management interface.
2. In the navigation pane, expand Settings, and then click HA.
3. Click the Add link in the High Availability details screen. The Create High Availability Configuration dialog box appears.
4. Configure the following HA parameters:
   • Primary IP Address
   • Secondary IP Address
   • Well Known IP Address, Subnet Mask and Default Gateway automatically acquire default settings. Edit these as required.
   • Heartbeat Tolerance Level: The heartbeat periodically checks the availability of an HA node. Specify the interval at which the active VM must communicate with the passive VM. The default value is 3.
   Note: Subnet Masks and Default Gateways of Primary and Secondary IP Address are populated by default.
5. Click Next.
6. Click OK, unless you want to modify settings.

After a few minutes, the primary and secondary OpenCloud Access VMs reboot.
CHAPTER 2
Configuring Kerberos on Active Directory

Kerberos is a secure computer network authentication protocol that Citrix® OpenCloud Access® uses to identify the users of client computers communicating over a network. OpenCloud Access uses Kerberos over HTTP as an authentication mechanism to identify a domain client workstation user.

As part of the identification process, OpenCloud Access uses a keytab file. A keytab file contains pairs of Kerberos principals and encrypted keys. The keytab file is used in the authentication process.

Once OpenCloud Access has determined the identity of the user, it stores this identity and provides a transparent mapping between users, network IDs, and their various single sign-on application IDs.

User Creation for OpenCloud Access

The first step in setting up the Kerberos environment for OpenCloud Access is to set up a user account on Active Directory. This user account is used to generate a keytab file.

Set up a user account

1. Create a user account in Active Directory for OpenCloud Access (Example: cloudaccess).
2. Set the password expiry of the user to Password Never Expires.

Note: The password for this account should not be reset once the keytab file is generated.
Keytab File Generation

The keytab file contains the OpenCloud Access fully qualified domain name, key, and key encryption type. To generate the keytab file, use the ktpass tool on the Active Directory Windows server.

1. Create a keytab file with the following command from the Active Directory server command prompt:

   ktpass -princ HTTP/<OpenCloud Access FQDN>@<REALM> -ptype KRB5_NT_PRINCIPAL -mapuser <user account> -mapop set -pass <password> -out <keytab file>

   (Example: ktpass -princ HTTP/cloudaccess.example.com@EXAMPLE.COM -ptype KRB5_NT_PRINCIPAL -mapuser cloudaccess@EXAMPLE.COM -mapop set -pass Passwd123 -out CloudAccesSSOkey)

   Note: ktpass is not part of Active Directory by default. It is part of Windows Server 2003 Service Pack 1 Windows Support Tools. You can download the Support Tools from the following Web site: http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D.

   For Windows 2000 server, the ktpass command selects the DES encryption option by default. DES encryption should be selected in Windows 2000 for Kerberos to work. (For Windows 2000 server, download the Windows 2000 Support Tools.)

2. Once the keytab file is generated, the OpenCloud Access user properties in AD appear as follows: HTTP/<OpenCloud Access FQDN> (Example: HTTP/cloudaccess.example.com).

3. Copy the keytab file and keep it in a safe location. You will need it when you set up User Authentication.

Note: The OpenCloud Access and Active Directory clocks must be in sync for Kerberos authentication over HTTP to work as required.
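The following Python example is added here and is not part of the Citrix guide or product. It inspects a generated keytab before upload: it lists each principal, key version and encryption type, checks that the expected HTTP/ principal is present, and flags DES and RC4 entries, which current Kerberos guidance deprecates. It assumes the file uses the standard MIT keytab version 0x0502 layout; the function names and the all-zero sample keys are constructed for illustration.

```python
import struct

# Kerberos encryption type numbers; DES (1, 3) and RC4 (23) are deprecated.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK = {1, 3, 23}


def _parse_entry(rec: bytes) -> dict:
    off = 0

    def take(fmt: str) -> int:
        nonlocal off
        (value,) = struct.unpack_from(fmt, rec, off)
        off += struct.calcsize(fmt)
        return value

    def counted() -> str:
        nonlocal off
        n = take(">H")
        if off + n > len(rec):
            raise ValueError("truncated string in keytab entry")
        text = rec[off:off + n].decode("utf-8")
        off += n
        return text

    ncomp = take(">H")                 # components, realm not counted in 0x0502
    realm = counted()
    comps = [counted() for _ in range(ncomp)]
    name_type = take(">I")             # 1 = KRB5_NT_PRINCIPAL
    take(">I")                         # timestamp, not needed here
    kvno = take(">B")                  # 8-bit key version
    enctype = take(">H")
    keylen = take(">H")
    if off + keylen > len(rec):
        raise ValueError("truncated key in keytab entry")
    off += keylen                      # key bytes are skipped, never returned
    if len(rec) - off >= 4:
        kvno = take(">I")              # optional 32-bit key version overrides
    return {"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
            "kvno": kvno, "enctype": enctype, "key_len": keylen}


def parse_keytab(blob: bytes) -> list:
    """Return one dict per live entry; deleted entries (holes) are skipped."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    try:
        while pos + 4 <= len(blob):
            (size,) = struct.unpack_from(">i", blob, pos)
            pos += 4
            if size == 0:
                break
            if size < 0:               # hole left by a removed entry
                pos += -size
                continue
            if pos + size > len(blob):
                raise ValueError("truncated keytab entry")
            entries.append(_parse_entry(blob[pos:pos + size]))
            pos += size
    except struct.error as exc:
        raise ValueError(f"malformed keytab: {exc}") from exc
    return entries


def audit_keytab(blob: bytes, expected_spn: str):
    """Return (entries, findings) for a keytab that should hold expected_spn."""
    entries = parse_keytab(blob)
    findings = []
    if not any(e["principal"] == expected_spn for e in entries):
        findings.append(f"no entry for {expected_spn}")
    for e in entries:
        if e["enctype"] in WEAK:
            name = ENCTYPES[e["enctype"]]
            findings.append(
                f"{e['principal']} kvno {e['kvno']}: deprecated enctype {name}")
    return entries, findings


def build_entry(realm, comps, enctype, key, kvno=3):
    """Build one keytab entry; used only to construct the sample below."""
    def cs(s):
        b = s.encode()
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(cs(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: a DES entry, a hole, then an AES256 entry (all-zero keys).
SPN = "HTTP/cloudaccess.example.com@EXAMPLE.COM"
SAMPLE = (b"\x05\x02"
          + build_entry("EXAMPLE.COM", ["HTTP", "cloudaccess.example.com"], 3, bytes(8))
          + struct.pack(">i", -6) + bytes(6)
          + build_entry("EXAMPLE.COM", ["HTTP", "cloudaccess.example.com"], 18, bytes(32)))

if __name__ == "__main__":
    entries, findings = audit_keytab(SAMPLE, SPN)
    for e in entries:
        print(e["principal"], "kvno", e["kvno"], ENCTYPES.get(e["enctype"], e["enctype"]))
    print("findings:", findings)
```

To check a real file, pass its bytes (for example `open(path, "rb").read()`) to `audit_keytab` together with the principal given to `-princ`.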
Testing Kerberos

Once you have uploaded the keytab file to OpenCloud Access, test whether the environment is working properly:

1. Log on to the domain using a client workstation.
2. Open a Web browser and access the following URL: https://<OpenCloud Access FQDN>/kerbsso/index.jsp
3. If the Kerberos environment is working as it should be, a test Web page loads. The message “AD Authentication Test ... username@domain.com” appears.

Example: If Mark Taylor uses his Active Directory username (mark.taylor) and password to log into the domain example.com, when he accesses the URL shown in Step 2, the message "AD Authentication Test.... mark.taylor@example.com" appears.
CHAPTER 3
Activating SSO Applications

With Citrix® OpenCloud Access®, you can provide enterprise users with single sign-on (SSO) to your enterprise and SaaS Web applications. To enable this facility, you use the OpenCloud Access connector library. The connector library consists of a set of Web application SSO connectors with which you can enable single sign-on for corresponding applications. These applications are referred to as SSO Applications.

This chapter provides a detailed description of how to activate SSO for an application by using one of the existing SSO connectors from the library, using OpenCloud Access.

If you want an SSO connector for an application that is not part of the list of SSO connectors available in the OpenCloud Access connector library, please contact Citrix support.

Activating an Application for SSO

To activate a new application in OpenCloud Access for SSO, do the following:

1. Access the OpenCloud Access Management Interface by using the following URL: https://<OpenCloud Access FQDN>/. This brings up the Login screen. Enter your OpenCloud Access administrator credentials and click Login.
2. Once you are logged on to OpenCloud Access, use the navigation tree in the left pane to access the Applications section. This option is available under the Users & Applications menu.
3. Upon clicking Applications, you see a set of applications that have been activated for SSO, in the right pane. At the bottom of this screen, click Add to use one of the available connectors for SSO.
   A new window appears displaying a list of pre-packaged connectors, which are not activated for SSO. From the list of available connectors, select one and click Add. This launches a two-step process.
   During the process, you are prompted to enter the following information:
• Name<br />
This is the name of the application.<br />
• Description<br />
This field is meant to provide basic details about the application. The<br />
page has a pre-filled description. If you wish to edit this description,<br />
click the text field and edit the description.<br />
• URL<br />
In this field, enter the URL used to access the Web application.<br />
• # of Licenses<br />
This is the subscription limit of user licenses that you purchased for<br />
the selected application.<br />
• Max Threshold<br />
This is used to monitor your license usage for the application you are<br />
activating. Specify a maximum threshold, as a numeric value.<br />
• Min Threshold<br />
This is used to monitor your license usage for the application you are<br />
activating. Specify a minimum threshold, as a numeric value.<br />
Using the <strong>OpenCloud</strong> <strong>Access</strong> License Utilization report, you are<br />
able to determine whether you can increase or decrease the number of<br />
licenses that you purchased, based on the minimum and maximum<br />
thresholds that you set. This helps you maximize your ROI.<br />
• CRD Policy Configuration<br />
This check box is enabled only if the connector has autoconfiguration<br />
capabilities. However, this feature is not available in<br />
<strong>OpenCloud</strong> <strong>Access</strong> release 1.0.<br />
You have to manually create responder policies for the application on<br />
the <strong>Citrix</strong>® NetScaler® appliance.<br />
4. Click Next to move forward to the SSO properties page.<br />
5. If you are activating an application using a Native SSO Type connector,<br />
you will have to add a redirection URL in the DNS server.<br />
6. Click Next to continue to the Summary Details page. This Summary<br />
Details page contains a summary of the details you entered on the first<br />
page.<br />
7. To confirm and save your settings, click Create.
Viewing an SSO Application<br />
At any time after activating an application for SSO, you might want to update<br />
some of the application details, such as the description, the access URL, or the<br />
license utilization thresholds that were previously entered.<br />
Once you are logged on to <strong>OpenCloud</strong> <strong>Access</strong>, use the navigation tree in the left<br />
pane to access the Users & Applications section. When you click Applications,<br />
the right pane displays the set of applications that are activated for SSO. Highlight an<br />
application by clicking it, and then click the Open button at the bottom of the<br />
screen. You can then edit the application details.<br />
The application details dialog box displays the following details:<br />
• Description: The page has a pre-filled description. If you wish to edit<br />
this description, click the text field and edit the content.<br />
• URL<br />
In this field, you can enter the URL that was used to access the Web<br />
application.<br />
• # of Licenses<br />
This is the subscription limit of user licenses that you purchased for<br />
the selected application.<br />
• Max Threshold<br />
This is used to monitor your license usage for the application you are<br />
activating. Specify a maximum threshold, as a numeric value.<br />
• Min Threshold<br />
This is used to monitor your license usage for the application you are<br />
activating. Specify a minimum threshold, as a numeric value.<br />
Using the <strong>OpenCloud</strong> <strong>Access</strong> License Utilization report, you will be<br />
able to determine whether you can increase or decrease the number of<br />
licenses that you purchased, based on the minimum and maximum<br />
thresholds that you set. This helps you maximize your ROI.<br />
• CRD Policy Configuration<br />
This check box is enabled only if the connector has autoconfiguration<br />
capabilities. However, this feature is not available in<br />
<strong>OpenCloud</strong> <strong>Access</strong> release 1.0.<br />
1. Click Next to move forward to the SSO properties page.
2. Click Next to continue to the Summary Details page. This Summary<br />
Details page contains a summary of the details that are entered on the first<br />
page.<br />
3. To confirm and save your settings, click OK, or click Close to exit without<br />
saving.<br />
View User Accounts<br />
Once you are logged on to <strong>OpenCloud</strong> <strong>Access</strong>, use the navigation tree in the left<br />
pane to access the Users & Applications section. When you click Applications,<br />
the right pane displays a set of applications managed for SSO. You can select an<br />
application and click the View User Accounts button to view the user accounts<br />
that are using SSO for this application.<br />
This brings up a new window. The window contains a table that lists the user<br />
accounts. Each row in the table contains the following fields:<br />
• User ID: This is the user ID that <strong>OpenCloud</strong> <strong>Access</strong> captured the first time<br />
a user’s application credentials were captured for single sign-on.<br />
• Account Status: This field is blank if the application is used only for SSO.<br />
If the <strong>OpenCloud</strong> <strong>Access</strong> Identity Management feature is turned on for the<br />
application being viewed, the user account status is displayed indicating<br />
whether the user account is Active or Disabled.<br />
• State: This field is blank if the application is used only for SSO. If the<br />
<strong>OpenCloud</strong> <strong>Access</strong> Identity Management feature is turned on for the<br />
application being viewed, the user account state is displayed indicating<br />
whether the user account is Assigned to a user or is Unreconciled.<br />
Removing an SSO Application<br />
Once you are logged on to <strong>OpenCloud</strong> <strong>Access</strong>, use the navigation tree in the left<br />
pane to access the Users & Applications section. Click Applications to display<br />
the set of applications that <strong>OpenCloud</strong> <strong>Access</strong> is managing for SSO.<br />
To remove a managed SSO application from <strong>OpenCloud</strong> <strong>Access</strong>:<br />
1. Highlight the application that you would like to remove and, at the bottom<br />
of the screen, click Remove.<br />
2. At the prompt, confirm that you want to remove the application.<br />
3. Once you confirm your decision, <strong>OpenCloud</strong> <strong>Access</strong> stops performing SSO<br />
for the application removed. This connector then reappears in the connector<br />
list section.
CHAPTER 4<br />
Configuring Responder Policies on<br />
NetScaler<br />
Create a Responder Action by using the configuration utility<br />
1. In the navigation pane, expand Responder, and then select Actions.<br />
2. In the details pane, click Add.<br />
3. In the Name field, enter the name for the new responder action.<br />
4. From the Type drop-down list, select Redirect.<br />
5. In the Target field, enter the following string, enclosed in double quotes,<br />
substituting the <strong>OpenCloud</strong> <strong>Access</strong> host name and the application name for<br />
the two placeholders in braces.<br />
"https://{OpenCloud Access host name}/webssouser/websso.do?action=authenticateUser&app={application name}&reqtype=1"<br />
For example: "https://oca.enterprise.com/webssouser/websso.do?action=authenticateUser&app=example&reqtype=1"<br />
Note: In the above example, the top-level domain (TLD) “.com” is used.<br />
However, the following TLDs are also accepted, in place of “.com”:<br />
.org, .net, .edu, .mil, etc.<br />
6. Click Create.<br />
7. Click Close.<br />
Create a Responder Policy by using the configuration utility<br />
The responder policies created here reference the action created in the previous<br />
step.<br />
1. In the navigation pane, expand Responder, and then select Policies.<br />
2. In the details pane, click Add.<br />
3. In the Name field, enter the name for the new responder policy.
4. In the Action drop-down list, select the responder action that you previously<br />
created.<br />
5. In the Expression field, enter HTTP.REQ.HOSTNAME.EQ("").<br />
If more than one URL is used to log on to an application, this must be<br />
repeated for each of the URLs.<br />
For example: HTTP.REQ.HOSTNAME.EQ("logon.example.com")<br />
6. Click Create.<br />
7. Click Close.<br />
Activate the Responder Policy by using the Policy Manager<br />
Here, we use the Policy Manager to bind the responder policies in order for the<br />
responder policies to take effect.<br />
1. In the navigation pane, expand Responder, and then select Policies.<br />
2. In the Responder Policies pane, click Policy Manager.<br />
3. In the Responder Policy Manager window, click Default Global in the<br />
left pane.<br />
4. Click Insert Policy.<br />
5. In the Policy Name drop-down list, select the responder policy that you<br />
previously created.<br />
6. Click Apply Changes.<br />
7. Click Close.<br />
8. Save the configuration and click Refresh All.
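The Target string and the policy expressions from the three procedures above can be generated and checked before they are typed into the configuration utility. The following Python code is an added example, not part of the Citrix guide or product. The function names are hypothetical, and the percent-encoding of the application name and the check that no logon host equals the OpenCloud Access host are assumptions made here for safety.

```python
import re
from urllib.parse import quote

# Path and fixed query parameters, copied from the guide's Target string.
SSO_PATH = "/webssouser/websso.do"

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_host(host):
    """Return the host name in lowercase, or raise ValueError if it is not a plain FQDN.

    Accepting only DNS labels keeps quotes, spaces, ports and paths out of the
    quoted expression strings built below.
    """
    name = host.strip().rstrip(".").lower()
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        raise ValueError(f"not a fully qualified host name: {host!r}")
    return name


def redirect_target(oca_host, app_name):
    """Build the double-quoted string for the responder action's Target field."""
    app = app_name.strip()
    if not app:
        raise ValueError("application name is empty")
    # Assumption: percent-encode the name so that a quote, '&' or space in it
    # cannot end the quoted string early or add an extra query parameter.
    encoded = quote(app, safe="")
    url = (f"https://{normalize_host(oca_host)}{SSO_PATH}"
           f"?action=authenticateUser&app={encoded}&reqtype=1")
    return f'"{url}"'


def policy_expressions(logon_hosts, oca_host):
    """Return one HTTP.REQ.HOSTNAME.EQ(...) expression per distinct logon host."""
    oca = normalize_host(oca_host)
    seen = set()
    expressions = []
    for raw in logon_hosts:
        host = normalize_host(raw)
        if host == oca:
            # The policy is bound at Default Global. If it matched the OpenCloud
            # Access host and that traffic also crossed the appliance, the
            # redirect target would be redirected to itself.
            raise ValueError(f"logon host equals the OpenCloud Access host: {host}")
        if host not in seen:
            seen.add(host)
            expressions.append(f'HTTP.REQ.HOSTNAME.EQ("{host}")')
    if not expressions:
        raise ValueError("at least one logon host is required")
    return expressions


def responder_fields(oca_host, app_name, logon_hosts):
    """Collect the values to enter in the Responder Action and Policy dialogs."""
    return {
        "action_type": "Redirect",
        "target": redirect_target(oca_host, app_name),
        "expressions": policy_expressions(logon_hosts, oca_host),
    }


if __name__ == "__main__":
    # Host and application names taken from the guide's own examples.
    fields = responder_fields("oca.enterprise.com", "example", ["logon.example.com"])
    print("Type:      ", fields["action_type"])
    print("Target:    ", fields["target"])
    for expression in fields["expressions"]:
        print("Expression:", expression)
```
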
CHAPTER 5<br />
Viewing Users<br />
The Users section in <strong>Citrix</strong>® <strong>OpenCloud</strong> <strong>Access</strong>® displays a list of all the current<br />
users in your enterprise. Typically, this is the list of existing users in your<br />
enterprise Active Directory server. Users and their details appear in the Users<br />
section only if the user list is retrieved from the enterprise Active Directory. The<br />
list captures various details about the users, such as their first name, last name,<br />
employee number, physical address, and so on.<br />
Users listed here are a combination of the users who have signed up for SSO and<br />
those who have not yet signed up for SSO but are eligible to use the SSO service<br />
for your enterprise or SaaS applications.<br />
Select Users & Applications in the left pane and click Users to access the user<br />
list. The list of users appears in the right pane; this section has a read-only view.<br />
You can drill down on any of the users listed to find out more details about the<br />
user.<br />
Display more details about a user<br />
1. Click the record corresponding to the user whose details you want to find<br />
out about.<br />
2. Click Open.<br />
3. After viewing the user details, click Close to close the window.<br />
For information about how to add a user list in <strong>OpenCloud</strong> <strong>Access</strong>, see<br />
Add Active Directory As an Authoritative List in the “Provisioning for<br />
SSO Applications” Chapter of the <strong>OpenCloud</strong> <strong>Access</strong> <strong>Administration</strong><br />
<strong>Guide</strong>.
CHAPTER 6<br />
Configuring a DNS Server entry for<br />
<strong>OpenCloud</strong> <strong>Access</strong><br />
You first have to configure a DNS entry for <strong>OpenCloud</strong> <strong>Access</strong>; this is a one-time<br />
effort.<br />
Following are the prerequisites for creating host entries in the DNS server:<br />
• A DNS server<br />
• <strong>OpenCloud</strong> <strong>Access</strong><br />
• SaaS application information from <strong>OpenCloud</strong> <strong>Access</strong><br />
Configure a DNS entry for <strong>OpenCloud</strong> <strong>Access</strong><br />
1. Log on to the Windows server hosting your DNS server.<br />
2. Navigate to Start > Programs > Admin Tools > DNS.<br />
3. Navigate to the Forward Look Up Zone in the DNS and expand Forward<br />
Look Up Zone.<br />
4. Right-click your enterprise domain and select New Host.<br />
5. On the New Host screen, enter the following information. This step must<br />
be performed only once.<br />
• Name: The Name should be the same as the Active Directory user<br />
account name.<br />
• IP Address: <strong>OpenCloud</strong> <strong>Access</strong> IP address.<br />
(Example: opencloudaccess as the name and 192.168.70.200 as the IP<br />
address. Here, 192.168.70.200 is the IP address of the <strong>OpenCloud</strong> <strong>Access</strong><br />
VM.)<br />
6. Click Done.
CHAPTER 7<br />
<strong>OpenCloud</strong> <strong>Access</strong> Reporting<br />
<strong>Citrix</strong>® <strong>OpenCloud</strong> <strong>Access</strong>® maintains user account details for each application.<br />
These details are gathered as part of the SSO learning process. When a user<br />
attempts to log on to a managed application for the first time, <strong>OpenCloud</strong> <strong>Access</strong><br />
captures the user account credentials. The user account entered is associated with<br />
the application to build the users per application report.<br />
<strong>OpenCloud</strong> <strong>Access</strong> also captures SSO events per application. <strong>OpenCloud</strong> <strong>Access</strong><br />
works in conjunction with <strong>Citrix</strong>® NetScaler® appliance to gather details about<br />
when (specifically, the date and time) SSO was performed for which user<br />
account; this data is maintained by <strong>OpenCloud</strong> <strong>Access</strong> in its database. With this<br />
information, <strong>OpenCloud</strong> <strong>Access</strong> can show high-level reports of SSO frequency<br />
per application. You can drill down and view the actual SSO events of interest by<br />
clicking the application of choice.<br />
The list of user accounts present in <strong>OpenCloud</strong> <strong>Access</strong> consists of users who have<br />
signed up with <strong>OpenCloud</strong> <strong>Access</strong> during the SSO process. Utilization reports<br />
reflect user accounts that have been used for SSO.<br />
In addition to using the built-in reports, you can create custom reports that have<br />
been used for SSO.<br />
Built-in Reports<br />
To access the built-in reports, click the Reports link in the left pane in<br />
<strong>OpenCloud</strong> <strong>Access</strong>. The tree view expands. Next, highlight Built-in Reports.<br />
You are then presented with the following set of reports. When you click any of<br />
these links in the left pane, the actual report appears in the right pane.<br />
License Utilization<br />
The License Utilization report provides you with information about the SSO<br />
utilization for each application.<br />
1. The right pane shows a bar graph where the x-axis represents the applications<br />
and the y-axis represents the percentage of license utilization based on the<br />
application user licenses available. The graph depicts three types of license
utilization percentages, namely Over Utilization, Effective Utilization<br />
and Under Utilization.<br />
2. Each application is represented by a single bar in the graph. You can click<br />
the utilization bar corresponding to an application to drill down and see the<br />
user account details.<br />
3. Clicking a bar in the graph brings up a new window. The window lists the<br />
user accounts in a table. Each row in the table contains the following fields:<br />
• User ID: This is the application user ID that <strong>OpenCloud</strong> <strong>Access</strong><br />
captured the first time a user’s application credentials were captured<br />
for single sign-on.<br />
• Account Status: This field is blank if the application is used only for<br />
SSO. If the Identity Management feature is turned on in <strong>OpenCloud</strong><br />
<strong>Access</strong>, for the application being viewed, the user account status is<br />
also displayed. This field captures whether the user account is Active<br />
or Disabled.<br />
• User Name: This field contains the user’s first and last name,<br />
retrieved from the user list.<br />
• State: This field is blank if the application is used only for SSO. If the<br />
Identity Management feature is turned on in <strong>OpenCloud</strong> <strong>Access</strong>, for<br />
the application being viewed, the user account status is also<br />
displayed. This field contains information about whether the user<br />
account is Assigned to a user in the user list or is Orphaned.<br />
Inactive Accounts<br />
The Inactive Accounts report displays information about the user accounts that<br />
have signed up for SSO with <strong>OpenCloud</strong> <strong>Access</strong> but have not been used for a<br />
period of time.<br />
1. The right pane shows summary views for SSO usage per application for the<br />
following four time periods:<br />
• Last month<br />
• Last quarter<br />
• Last half year<br />
• Last year<br />
2. The summary view shows a bar graph, where the x-axis represents the<br />
applications and the y-axis represents the number of user accounts in each<br />
of the applications.
Concurrent Logins<br />
The Concurrent Logins report displays details about the users currently logged<br />
on to the various SSO applications managed in <strong>OpenCloud</strong> <strong>Access</strong>.<br />
1. The report in the right pane shows summary views for current concurrent<br />
SSO usage per application, in the form of a bar graph. The x-axis represents<br />
the applications and the y-axis represents the number of users currently<br />
logged on to the applications.<br />
2. You can then click an application to drill down and see the list of user<br />
accounts that are currently logged on to the application.<br />
3. Clicking a bar in the graph brings up a new window. The window contains<br />
the user accounts presented in a table. Each row in the table contains the<br />
following fields:<br />
• User ID: This is the user’s network ID that <strong>OpenCloud</strong> <strong>Access</strong><br />
captured after identifying the user.<br />
• Domain Name: This field contains the domain name associated with<br />
the application for which single sign-on was performed.<br />
• Login Name: This field contains the user’s application login name.<br />
• SSO Application Name: This field contains the name of the<br />
application for which single sign-on was performed.<br />
• Login Time: The time that the user was logged on to the application<br />
by using <strong>OpenCloud</strong> <strong>Access</strong>.<br />
Failed Logins<br />
The Failed Logins report contains information about the failed single sign-on<br />
attempts by <strong>OpenCloud</strong> <strong>Access</strong>.<br />
1. The right pane shows summary views of authentication failures per<br />
application. The report appears in the form of a bar graph, where the x-axis<br />
represents the applications and the y-axis represents the number of failed<br />
login attempts.<br />
2. You can then click a bar in the graph to drill down and see the list of<br />
authentication failures for each application. The window lists the user<br />
accounts in a table. Each row in the table contains the following fields:<br />
• <strong>Access</strong> Type: This field provides information about whether<br />
<strong>OpenCloud</strong> <strong>Access</strong> was attempting to sign in a local user, that is, a<br />
user who was logged on to the domain, or whether <strong>OpenCloud</strong> <strong>Access</strong> was<br />
attempting to sign on a remote user.
• First Name: This field contains the first name of the user. It is<br />
populated only if the user account is Assigned to a user record in the<br />
user list.<br />
• Last Name: This field contains the last name of the user. It is<br />
populated only if the user account is Assigned to a user record in the<br />
user list.<br />
• Middle Name: This field contains the middle name of the user. It is<br />
populated only if the user account is Assigned to a user record in the<br />
user list.<br />
• Application Name: The name of the application for which<br />
<strong>OpenCloud</strong> <strong>Access</strong> attempted to sign in.<br />
• User ID: This is the user’s network ID that <strong>OpenCloud</strong> <strong>Access</strong><br />
captured after identifying the user.<br />
• Domain Name: This field contains the domain name associated with<br />
the application for which single sign-on was performed.<br />
• Login Time: The time that <strong>OpenCloud</strong> <strong>Access</strong> attempted to sign in a<br />
user to the application.<br />
Custom Reports<br />
In addition to the standard built-in reports, you can also request custom<br />
reports generated from the data stored in the <strong>OpenCloud</strong> <strong>Access</strong> database. You<br />
can build reports to display specific information in the format of your choice.<br />
Contact <strong>Citrix</strong> support to learn more about or submit a request for custom reports.
CHAPTER 8<br />
Installing Connector Updates<br />
<strong>Citrix</strong>® <strong>OpenCloud</strong> <strong>Access</strong>® ships with a standard set of SSO connectors. These<br />
SSO connectors are packaged into a single SSO connector library.<br />
SSO connectors for new applications are first released as Formfill connectors and<br />
released later as Native connectors.<br />
SSO connectors with auto-configuration capabilities are not available in<br />
<strong>OpenCloud</strong> <strong>Access</strong> release 1.0. In a future release, you will be able to use these<br />
connectors to automatically push responder policies to NetScaler.<br />
<strong>OpenCloud</strong> <strong>Access</strong> SSO Connector Library<br />
In addition to the standard set of connectors that are delivered as part of<br />
<strong>OpenCloud</strong> <strong>Access</strong>, connector library updates are available in the form of<br />
monthly service packs.<br />
Connector library upgrades containing new SSO connectors are released every<br />
month.<br />
Service Packs<br />
At the end of every quarter, a consolidated set of connector updates, in the form<br />
of a connector library, and connector bug or hot fixes if applicable, is made<br />
available on the <strong>Citrix</strong> Web site. This service pack might also include<br />
generalized bug or hot fixes that have been released earlier to resolve specific<br />
customer issues. If <strong>OpenCloud</strong> <strong>Access</strong> already has these fixes installed, they are<br />
skipped at installation time.<br />
A set of release notes is also included to keep you aware of what is being released<br />
as part of each service pack.<br />
Availability<br />
To download the latest service pack, please visit the <strong>Citrix</strong> Web site.<br />
Installing Service Packs<br />
Once you have saved the file on your computer,
To install a Service Pack:<br />
1. Open a Web browser and access the <strong>OpenCloud</strong> <strong>Access</strong> landing page at the<br />
following URL: https://. The <strong>OpenCloud</strong><br />
<strong>Access</strong> landing page appears. Click Advanced Configuration.<br />
2. The System Login page appears. Enter the administrator username and<br />
password and click Login.<br />
3. Click the Troubleshoot tab.<br />
4. Click the Click Here For Debug Window link.<br />
5. The Troubleshoot Login page appears. Enter the administrator username<br />
and password and click Login.<br />
6. Navigate to the Patch Management link in the left pane.<br />
7. In the right pane, click Upload Patch.<br />
8. Click Browse, to locate the hotfix on your local workstation, and click<br />
Open.<br />
9. Click the Upload button. This uploads the hotfix to <strong>OpenCloud</strong> <strong>Access</strong> and<br />
displays the result.<br />
10. Click Done. The hotfix will appear in the Patch Management page with<br />
details of PatchID, Patch State and Action. The patch state appears as “Un<br />
installed” and the Action displays an Install link.<br />
11. Click Install to install the patch. Do not refresh the page.<br />
12. Once the patch is installed, click Done. The patch state will then change to<br />
Installed to reflect the new state.<br />
13. Click Logout in the left pane.<br />
Note: Upon completion, the Web service restarts. Wait for a minute before<br />
accessing the <strong>OpenCloud</strong> <strong>Access</strong> Web interface.<br />
Hot Fixes and Bug Fixes<br />
If an issue with one of the SSO connectors is reported and it is determined to be a<br />
bug, <strong>Citrix</strong> releases a Hot Fix.<br />
If a critical issue is found with any of the connectors during the regular Quality<br />
Assurance cycles, a Bug Fix is released immediately.
Availability<br />
Both hot fixes and bug fixes are made available with <strong>Citrix</strong> support.<br />
Installing Bug Fixes and Hot Fixes<br />
To install a bug fix/hot fix:<br />
1. Open a Web browser and access the <strong>OpenCloud</strong> <strong>Access</strong> landing page at the<br />
following URL: https://. The <strong>OpenCloud</strong><br />
<strong>Access</strong> landing page appears. Click Advanced Configuration.<br />
2. The System Login page appears. Enter the administrator username and<br />
password and click Login.<br />
3. Click the Troubleshoot tab.<br />
4. Click the Click Here For Debug Window link.<br />
5. The Troubleshoot Login page appears. Enter the administrator username<br />
and password and click Login.<br />
6. Navigate to the Patch Management link in the left pane.<br />
7. In the right pane, click Upload Patch.<br />
8. Click Browse, to locate the hotfix on your local workstation, and click<br />
Open.<br />
9. Click the Upload button. This uploads the hotfix to <strong>OpenCloud</strong> <strong>Access</strong> and<br />
displays the result.<br />
10. Click Done. The hotfix will appear in the Patch Management page with<br />
details of PatchID, Patch State and Action. The patch state appears as “not<br />
installed” and the Action displays an Install link.<br />
11. Click Install to install the patch. Do not refresh the page.<br />
12. Once the patch is installed, click Done. The patch state will then change to<br />
Installed to reflect the new state.<br />
Note: The procedure from step 7 to 12 can be repeated in case you have to<br />
install multiple hot fixes.<br />
13. Click Logout in the left pane.
Connector Upgrades<br />
SSO connectors for new applications are constantly added to the connector<br />
library. These connectors are part of the connector library made available in<br />
quarterly (or semiannual) releases, on the <strong>Citrix</strong> Web site.<br />
These SSO connectors are first released as Formfill SSO connectors, and once<br />
they are released as Native connectors, a corresponding SSO connector is added<br />
to the monthly connector service pack or connector library upgrade, whichever is<br />
released first.<br />
Availability<br />
Connector upgrades are available with <strong>Citrix</strong> support.<br />
Installing Upgrades<br />
To install a connector:<br />
1. Log on to <strong>OpenCloud</strong> <strong>Access</strong> using your administrator credentials.<br />
2. Use the navigation tree in the left pane to access the Users & Applications<br />
section.<br />
3. Click Applications.<br />
4. Click the Add button in the right pane.<br />
5. In the pop-up window, click the Upload Connector(s) button.<br />
6. In the Upgrade Wizard dialog box, click Next.<br />
7. Click Browse, to locate the upgrade file on your local workstation, and<br />
click Next.<br />
8. The Readme displays information about the number of connectors<br />
enclosed within the connector library that you are uploading. Click Next.<br />
9. The Change Log displays information about the changes since the previous<br />
connector library release. Click Next.<br />
10. Click Finish on the Summary screen.<br />
Upon completion, the Web service restarts, and you are taken to the <strong>OpenCloud</strong><br />
<strong>Access</strong> login page.
Note: The Connectors’ list upload process takes between 5 and 10 minutes to<br />
complete, depending on your server configuration.<br />
If there are multiple versions of an enterprise SSO application, the corresponding<br />
supported versions appear in the <strong>OpenCloud</strong> <strong>Access</strong> interface. One version does<br />
not interfere with the other.
CHAPTER 9<br />
Upgrading <strong>OpenCloud</strong> <strong>Access</strong><br />
When enhancements and bug fixes become available for <strong>Citrix</strong>® <strong>OpenCloud</strong><br />
<strong>Access</strong>®, a new build is released. You can download new builds from the <strong>Citrix</strong><br />
Web site at http://www.citrix.com/site/SS/downloads/index.asp. New builds can<br />
be downloaded and installed on your <strong>OpenCloud</strong> <strong>Access</strong> virtual appliance.<br />
These builds must be installed through the <strong>OpenCloud</strong> <strong>Access</strong> Management<br />
Interface. Refer to the release notes before proceeding with the upgrade.<br />
If you upgrade a high availability pair, upgrade the active VM first.<br />
Upgrade <strong>OpenCloud</strong> <strong>Access</strong> to the latest build<br />
1. Log on to <strong>OpenCloud</strong> <strong>Access</strong>.<br />
2. Click the <strong>OpenCloud</strong> <strong>Access</strong> link in the left pane.<br />
3. On the System Overview page, click Upgrade Wizard located at the<br />
bottom of the System Overview page in the right pane.<br />
4. In the Upgrade Wizard dialog box, click Next.<br />
5. Click Browse, to locate the upgrade file on your local computer, and click<br />
Next.<br />
6. This uploads the file into <strong>OpenCloud</strong> <strong>Access</strong>. Upon successful completion<br />
of the file upload, a summary displays the details of the <strong>OpenCloud</strong> <strong>Access</strong><br />
Upgrade.<br />
7. Click Finish to complete the upgrade process.<br />
Note: The upgrade process takes between 5 and 10 minutes to complete,<br />
depending on your server configuration. Upon completion, the Web service<br />
restarts, and you are taken to the <strong>OpenCloud</strong> <strong>Access</strong> login page.
CHAPTER 10<br />
Provisioning SSO Applications<br />
Prerequisites<br />
<strong>Citrix</strong>® <strong>OpenCloud</strong> <strong>Access</strong>® uses its provisioning connector framework to<br />
seamlessly provision user accounts in SSO applications. Using the enterprise<br />
Active Directory group mapping, <strong>OpenCloud</strong> <strong>Access</strong> provisions a new user<br />
account for users added to the existing or new application group in the Active<br />
Directory.<br />
Before attempting to enable provisioning for an SSO application that is currently<br />
active in the <strong>OpenCloud</strong> <strong>Access</strong> VM, make sure that you are accompanied by<br />
someone who is well versed in the enterprise Active Directory.<br />
As an alternative, gather the following information:<br />
1. Active Directory IP Address: The IP address of the enterprise Active<br />
Directory server.<br />
2. Active Directory Port Number: The port number that is used to<br />
communicate over LDAP with the enterprise Active Directory server.<br />
Typically, the port number used to communicate with Active Directory is<br />
389.<br />
3. Service Account: A user name and password with the required privileges<br />
to retrieve user account information from Active Directory.<br />
4. Domain Name: The enterprise domain that Active Directory is managing.<br />
5. Base DN Information: The base DN is the starting point in the Active<br />
Directory hierarchy from which the user account retrieval begins. An<br />
example of a base DN is ou=cloudusers,dc=cloud,dc=com.<br />
Adding Active Directory as an Authoritative List<br />
Your first task in provisioning new accounts in SSO applications is to add Active<br />
Directory as an Authoritative List in <strong>OpenCloud</strong> <strong>Access</strong>. You can do so at the<br />
following URL: https://.
At the landing page, click Advanced Configuration. This takes you to a login<br />
page. Use your <strong>OpenCloud</strong> <strong>Access</strong> administrator credentials to log on.<br />
Once you are logged on to the Advanced Configuration portal, click the ID<br />
Consolidation & Reconciliation tab. The first option that appears is<br />
Authoritative List. Click Load Authoritative List. A new window<br />
appears. Then:<br />
1. Select activedirectory from the Connector Type drop-down list.<br />
2. Provide a name for the Authoritative List (for example: Domain User list).<br />
3. Enter the IP Address and Port number used to access Active Directory<br />
over LDAP.<br />
4. Enter the username@domain.com, identifier and password in the<br />
appropriate fields.<br />
5. Once you have entered this information, move to the Connector Attribute<br />
Mapping section. In this section, you are presented with a set of<br />
<strong>OpenCloud</strong> <strong>Access</strong> attributes (on the left side) and the place holders for<br />
the corresponding Active Directory attributes (on the right side).<br />
• Mandatory: Make sure that the First Name, Last Name, Email<br />
Address, and Employee ID <strong>OpenCloud</strong> <strong>Access</strong> attributes have the<br />
corresponding LDAP attribute entries.<br />
• Leave the fd1, fd2, and fd3 fields blank.<br />
6. Skip the following check boxes:<br />
• Employee State Transition Required<br />
• Automatic Provisioning Required<br />
• Miscellaneous<br />
• Cloud Integration<br />
7. Move to the Employee Synchronization section. Select Daily from the<br />
Periodicity drop-down list.<br />
8. Leave the Week Days Only check box unchecked, and select a time of day<br />
at which you would like <strong>OpenCloud</strong> <strong>Access</strong> to synchronize with Active<br />
Directory.<br />
Note: Synchronization retrieves new account information and synchronizes any<br />
existing user account information that has been updated.<br />
9. Once you have entered all the details, click Load in the bottom right corner<br />
of the page. This commences the retrieval of user account information from<br />
Active Directory to <strong>OpenCloud</strong> <strong>Access</strong>.<br />
Upon successful completion of the retrieval process, the window closes and you<br />
are taken back to the ID Consolidation & Reconciliation page you first arrived<br />
at.<br />
Adding Active Directory as an Authentication Server<br />
After adding Active Directory as an authoritative list, you configure management<br />
of Active Directory as an authentication server. Navigate to the Discovery tab.<br />
You are presented with three options. Select the Auth Server Domains option.<br />
1. Click Manual in the right pane. This opens a new pop-up window.<br />
2. Enter the following information in the sequence below:<br />
• Name: Active Directory.<br />
• IP Address: IP Address of Active Directory.<br />
• Domain Name: Active Directory Domain Name.<br />
• Port Number: 389.<br />
• Protocol: TCP.<br />
• The Location and Organization drop-down lists are blank. Scroll to<br />
the bottom of the page and click Create Category. A pop-up appears:<br />
• Type in a location name in the Category Name text box.<br />
Location refers to the physical location of your office.<br />
(for example: San Jose).<br />
• Select Location from the Category Type drop-down list, and<br />
click Done.<br />
• Repeat this process for Organization. Organization refers to<br />
the name of your organization. Example: <strong>Citrix</strong> Inc.<br />
• You are returned to the previous page.<br />
• Select the location and organization in the appropriate drop-down<br />
lists.<br />
• Choose AD from the Type drop-down list.<br />
3. Leave the remaining fields blank and click Done.
Next, go back to the ID Consolidation & Reconciliation tab. This time,<br />
click Network Users. You see Active Directory in the right pane. To the<br />
extreme right side, you see three hyperlinks; click Fetch Users. This opens<br />
a new window.<br />
4. Select activedirectory from the Connector Type drop-down list.<br />
5. In the Select User List list box, select the Authoritative List you created<br />
earlier.<br />
6. Enter the username@domain.com, identifier and password to retrieve the<br />
user account list.<br />
7. Once you have entered this information, move to the Connector Info for<br />
Identities section. In this section, you are presented with four fields to enter<br />
Base DNs. Enter the DN information gathered in the first section. You can<br />
enter one to four DNs.<br />
8. Next, move to the Connector Attribute Mapping section. In this section,<br />
you are presented with a set of <strong>OpenCloud</strong> <strong>Access</strong> attributes (on the left<br />
side) and the place holders for the corresponding Active Directory<br />
attributes (on the right side).<br />
• Leave the page as is and click Next in the bottom right corner.<br />
• On the User ID Creation tab, in the User ID Creation Rule field,<br />
enter the rule used to create Active Directory accounts on Active<br />
Directory. Enter the same rule in the Reconciliation Rule field.<br />
9. Next, move to the Password Rule section. In this section, enter the minimum<br />
and maximum password length, in characters, in the Min Length and Max Length<br />
fields.<br />
10. Click Last to skip the remaining tabs and go directly to the ID<br />
Synchronization page. On the page, select Daily from the Periodicity<br />
drop-down list. Leave the Week Days Only check box unchecked and<br />
select a time of the day at which you want <strong>OpenCloud</strong> <strong>Access</strong> to<br />
synchronize with Active Directory.<br />
11. Once you have entered all the details, click Fetch. This commences the<br />
retrieval of user account information from Active Directory.<br />
12. Upon successful completion of the retrieval process, click Reconciliation<br />
in the left pane.<br />
13. Click the Reconcile Users link in the right pane. This opens a new window<br />
and starts the reconciliation process.<br />
14. When the Close button appears, click it.
Note: Synchronization retrieves new account information and synchronizes any<br />
existing user account information, if updated.<br />
Adding an SSO Web Application as a Service<br />
After configuring Active Directory, you can manage an SSO application as an<br />
application server in <strong>OpenCloud</strong> <strong>Access</strong>.<br />
If the application is already managed for single sign-on from the <strong>OpenCloud</strong><br />
<strong>Access</strong> Management interface, skip steps 1, 2, and 3.<br />
If the application is not managed for single sign-on from the <strong>OpenCloud</strong> <strong>Access</strong><br />
Management interface, navigate to the Discovery tab. You are presented with<br />
three options. Select the Applications option.<br />
1. Click Manual in the right pane. This displays a pop-up window.<br />
2. Enter the following information in the sequence below:<br />
• Name: Application Name.<br />
• IP Address: 127.0.0.1.<br />
• Domain Name: Active Directory Domain Name.<br />
• Port Number: 22.<br />
• Protocol: TCP.<br />
• Select the Location and Organization in the appropriate drop-down<br />
lists.<br />
• Choose WEBAPP from the Type drop-down list.<br />
3. Leave the remaining fields blank and click Done.<br />
4. Click the ID Consolidation & Reconciliation tab, and then click<br />
Application Users. You see the new Web application in the right pane. To<br />
the extreme right, you see three hyperlinks; click Fetch Users.<br />
This opens a new window.<br />
5. Select the application connector from the Connector Type drop-down list.<br />
6. In the Select User List list box, select the Authoritative List you created<br />
earlier.<br />
7. Enter the user name and password to retrieve the user account list.
8. Enter the application Fully Qualified Domain Name in the IP Address<br />
field, if the IP Address field is available.<br />
9. Leave the page as is and click Next in the bottom right corner. On the User<br />
ID Creation tab, in the User ID Creation Rule field, enter the rule that<br />
was used to create new user accounts from <strong>OpenCloud</strong> <strong>Access</strong>. Enter the<br />
same rule in the Reconciliation Rule field.<br />
10. Next, move to the Password Rule section. In this section, enter the minimum<br />
and maximum password length, in characters, in the Min Length and Max Length<br />
fields.<br />
11. Click Last to skip the remaining tabs and go directly to the ID<br />
Synchronization page.<br />
12. Select Daily from the Periodicity drop-down list. Leave the Week Days<br />
Only check box unchecked and select a time at which you would like<br />
<strong>OpenCloud</strong> <strong>Access</strong> to synchronize with Active Directory.<br />
13. Once you have entered all the details, click Fetch. This migrates SSO<br />
accounts to the Identity Management section in <strong>OpenCloud</strong> <strong>Access</strong>.<br />
14. Upon successful completion of the retrieval process, navigate to the<br />
reconciliation section by clicking Reconciliation in the left pane.<br />
15. Click the Reconcile Users link in the right pane. This opens a new window<br />
and starts the reconciliation process.<br />
16. When the Close button appears, click it.<br />
Note: Synchronization migrates new SSO accounts to the Identity Management<br />
section.<br />
Creating Active Directory Groups<br />
After adding SSO applications, you need to decide whether to use existing Active<br />
Directory groups or create new groups. The users added to a group are<br />
provisioned on a corresponding SSO application, so make sure that you use a<br />
relevant name.<br />
<strong>OpenCloud</strong> <strong>Access</strong> provisions a new user account for any user added<br />
to an Active Directory group, on the basis of an application-to-group mapping. Similarly,<br />
when a user account is removed from the Active Directory group, the user<br />
account is de-provisioned from the application, on the basis of the group-to-application<br />
mapping.<br />
For example, if an Active Directory group Sales is mapped to the application<br />
MySalesApplication, when an Active Directory user account is added to the<br />
Sales group in AD, <strong>OpenCloud</strong> <strong>Access</strong> detects this event at the next scheduled<br />
synchronization and provisions a user account on MySalesApplication.<br />
Similarly, when the Active Directory user account's Sales group membership is<br />
removed, the MySalesApplication user account is de-provisioned.<br />
To enter this mapping information:<br />
1. Use your <strong>OpenCloud</strong> <strong>Access</strong> administrator credentials to log in.<br />
2. Use the navigation tree in the left pane to access the Applications section.<br />
3. Expand the System option and select AD Group Mapping in the left pane.<br />
4. Enter the Active Directory group name in the AD Group Name field.<br />
5. Enter the application name as managed in the <strong>OpenCloud</strong> <strong>Access</strong> Identity<br />
Management Administrator section, in the Application Name field.<br />
6. Click Create to save your settings.<br />
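The group-to-application mapping described above, worked through as one synchronization cycle. This is an added example, not OpenCloud Access code: the function names, the second group mapped to the same application, and the mass-removal guard are assumptions.

```python
from dataclasses import dataclass

# Constructed sample mapping. "Sales" -> "MySalesApplication" is the guide's
# example; the other groups, applications and all user names are invented.
GROUP_TO_APP = {
    "Sales": "MySalesApplication",
    "SalesManagers": "MySalesApplication",  # assumption: two groups, one app
    "Finance": "MyFinanceApplication",
}


@dataclass(frozen=True)
class Action:
    kind: str  # "provision" or "deprovision"
    user: str
    app: str


class SyncAborted(Exception):
    """Raised when a cycle would remove an implausible share of accounts."""


def entitled_accounts(group_members, group_to_app):
    """Return the (user, app) pairs implied by current AD group membership."""
    entitled = set()
    for group, members in group_members.items():
        app = group_to_app.get(group)
        if app is None:
            continue  # unmapped groups grant nothing
        # AD account names are case-insensitive, so compare in lower case.
        entitled.update((user.lower(), app) for user in members)
    return entitled


def plan_sync(group_members, existing_accounts, group_to_app=GROUP_TO_APP,
              max_removal_ratio=0.5):
    """Diff AD-derived entitlements against accounts present in the apps."""
    entitled = entitled_accounts(group_members, group_to_app)
    mapped_apps = set(group_to_app.values())
    # Only applications with a group mapping are in scope for removal.
    managed = {(u.lower(), a) for u, a in existing_accounts if a in mapped_apps}

    to_add = sorted(entitled - managed)
    to_remove = sorted(managed - entitled)

    # Guard (an assumption of this sketch, not a documented product feature):
    # an empty or truncated directory read must not wipe out every account.
    if managed and len(to_remove) / len(managed) > max_removal_ratio:
        raise SyncAborted(
            f"{len(to_remove)} of {len(managed)} accounts would be removed")

    return ([Action("provision", u, a) for u, a in to_add]
            + [Action("deprovision", u, a) for u, a in to_remove])


# Constructed snapshot of one synchronization cycle.
AD_SNAPSHOT = {
    "Sales": ["alice", "Bob"],
    "SalesManagers": ["bob"],
    "Finance": ["erin"],
    "Interns": ["dave"],  # not mapped to any application
}
EXISTING_ACCOUNTS = [
    ("bob", "MySalesApplication"),
    ("carol", "MySalesApplication"),   # no longer in any mapped group
    ("erin", "MyFinanceApplication"),
    ("frank", "LegacyApp"),            # application without a group mapping
]

if __name__ == "__main__":
    for action in plan_sync(AD_SNAPSHOT, EXISTING_ACCOUNTS):
        print(action.kind, action.user, action.app)
```

A user who leaves Sales but remains in another group mapped to the same application keeps the account in this sketch, because entitlement is computed per application rather than per group.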
Fine-grained Privileges<br />
Fine-grained Privileges enables the <strong>OpenCloud</strong> <strong>Access</strong> Administrator to exercise<br />
complete control over the operations performed on application user accounts, by<br />
application administrators. This feature ensures that administrators have only<br />
those privileges that are needed for the specific tasks allotted to them.<br />
To set fine-grained privileges for various Application Administrators<br />
1. Click the Admin Setup link in the configuration section and navigate to<br />
<strong>OpenCloud</strong> <strong>Access</strong> Administrators.<br />
2. Click the Fine-grained Privileges link adjacent to the name of the<br />
Administrator for whom fine-grained privileges need to be set. This<br />
displays the Fine-grained privileges screen which lists various applications<br />
managed by the Administrator.<br />
3. Select the check box adjacent to the View, Create, Enable, Disable,<br />
Delete, Password Reset, Unlock Account, Group Management,<br />
Application Management, View Profile, Modify and Privileged Account<br />
Management functions for that administrator, and click Update. This sets<br />
the specified privileges for the application administrator and enables the<br />
administrator to perform only those operations on the applications to which s/he has access.<br />
4. Select the check box adjacent to Application Management. This enables<br />
the service administrator to perform batch processing. Batch processing<br />
is the operation of running the reconciliation function on multiple users<br />
at one time.<br />
5. Select the check box adjacent to Group Management. This enables<br />
the service administrator to perform operations related to groups in the<br />
services managed by him/her.<br />
6. Select the check box adjacent to Privileged Account Management.<br />
This enables the service administrator to manage the privileged<br />
accounts in the enterprise.<br />
Fine-grained Authoritative List Privileges<br />
This section of the screen is for setting up fine-grained privileges for various<br />
authoritative lists in the enterprise. It presents two options that<br />
allow the administrator to configure fine-grained authoritative list privileges.<br />
1. Group Management: Select this check box if you wish to configure fine-grained<br />
privileges for the Administrator to perform group-related actions in<br />
the authoritative list. Selecting this option enables the selected administrator<br />
to perform group-related operations.<br />
2. Modify Employee Information: This option gives the application<br />
administrator the privilege of modifying employee information in the<br />
authoritative list. Select Modify Employee Information and click Update.<br />
This sets the fine-grained privileges that enable the application administrator<br />
to modify employee records in the authoritative list.<br />
3. Click Update.<br />
Associating the <strong>OpenCloud</strong> <strong>Access</strong> Administrator to an<br />
Employee<br />
To facilitate provisioning, the <strong>OpenCloud</strong> <strong>Access</strong> Administrator must be<br />
associated to an employee in the authoritative list.<br />
Associate the Administrator to an employee<br />
1. <strong>Access</strong> the <strong>OpenCloud</strong> <strong>Access</strong> using https://.<br />
2. Click Advanced Configuration.<br />
3. Enter your Administrator ID, Password, and click Login.<br />
4. Click the Configuration tab, and click the Administrators Setup link on<br />
the left pane.<br />
5. In the Administrator Setup pane, click the Edit link in the Actions<br />
section. The Edit <strong>OpenCloud</strong> <strong>Access</strong> Admin pop-up window appears.
6. Click Link to Employee. You are taken to the Authoritative List that<br />
shows a list of employees.<br />
7. Select the employee name that must be associated to the <strong>OpenCloud</strong> <strong>Access</strong><br />
Administrator by choosing the corresponding radio button.<br />
8. You are taken back to the Edit <strong>OpenCloud</strong> <strong>Access</strong> Admin screen. Click<br />
Save.<br />
Creating User Accounts<br />
1. <strong>Access</strong> the <strong>OpenCloud</strong> <strong>Access</strong> using .<br />
2. Click the User Management link.<br />
3. Enter your Administrator ID, Password, and click Login.<br />
4. Click the Search by Employee link.<br />
5. Click on the name of the employee for whom a new user account must be<br />
created.<br />
6. Scroll to the Actions drop-down list at the bottom of the screen and select<br />
Create New User Account.<br />
7. Click Go. You are taken to the Select Services screen. Select the services<br />
for which user accounts must be created.<br />
8. Click Go. You are taken to the Enter User Details screen.<br />
9. Based on the user ID creation rule, the user account appears in the User ID<br />
field.<br />
10. Based on the password rules, the user account password is auto-generated in<br />
the Password and Confirm Password fields. You may change the<br />
password if you choose to.<br />
11. Select the user account validity by clicking the date picker tool adjacent to<br />
the Account Valid Until field.<br />
12. Click the Create link located at the bottom of the screen. A user account<br />
creation confirmation pop-up appears; click OK.<br />
13. You are taken to the User Account Create Status screen. Click the Done<br />
link.<br />
Deleting User Accounts<br />
To delete the user account, log on to the User Management portal and follow the<br />
steps below:<br />
1. Click the Search by Employee link.<br />
2. Click on the name of the employee for whom a user account must be<br />
deleted.<br />
3. Click the user account that you want to delete. You are taken to the User<br />
Account screen.<br />
4. Scroll to the Actions drop-down list at the bottom of the screen and select<br />
the Delete option.<br />
5. Click Go. You are taken to the User Account Delete screen.<br />
6. Click the Delete link located at the bottom of the screen. A deletion<br />
confirmation pop-up appears; click OK.<br />
7. You are taken to the User Account Delete Status screen. Click the Done<br />
link.<br />
Enabling User Accounts<br />
To enable the user account, log on to the User Management portal and follow the<br />
steps below:<br />
1. Click the Search by Employee link.<br />
2. Click on the name of the employee for whom a user account must be<br />
enabled.<br />
3. Click the user account that you want to enable. You are taken to the User Account<br />
screen.<br />
4. Scroll to the Actions drop-down list at the bottom of the screen and select<br />
the Enable option.<br />
5. Click Go. You are taken to the User Account Enable screen.<br />
6. Click the Enable link located at the bottom of the screen. A user account<br />
enable confirmation pop-up appears; click OK.<br />
7. You are taken to the User Account Enable Status screen. Click the Done<br />
link.<br />
Disabling User Accounts<br />
To disable the user account, log on to the User Management portal and follow the<br />
steps below:<br />
1. Click the Search by Employee link.<br />
2. Click on the name of the employee for whom a user account must be<br />
disabled.<br />
3. Click the user account that you want to disable. You are taken to the User Account<br />
screen.<br />
4. Scroll to the Actions drop-down list at the bottom of the screen and select<br />
the Disable option.<br />
5. Click Go. You are taken to the User Account Disable screen.<br />
6. Click the Disable link located at the bottom of the screen. A user account<br />
disable confirmation pop-up appears; click OK.<br />
7. You are taken to the User Account Disable Status screen. Click the Done<br />
link.