OpenCloud Access Administration Guide - Citrix Knowledge Center

OpenCloud Access 

Administration Guide 

Citrix® OpenCloud Access® 1.0

Copyright and Trademark Notice 

Copyright and Trademark Notice 

© CITRIX SYSTEMS, INC., 2010. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE 

REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK 

(SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN 

PERMISSION OF CITRIX SYSTEMS, INC. 

ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS 

PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL 

RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL. 

CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE 

USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS 

DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN 

EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED. 

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to 

comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to 

provide reasonable protection against harmful interference when the equipment is operated in a commercial 

environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in 

accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this 

equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the 

interference at their own expense. 

Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC 

requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC 

regulations, and you may be required to correct any interference to radio or television communications at your own 

expense. 

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was 

probably caused by the NetScaler Request Switch 9000 Series equipment. If the NetScaler equipment causes 

interference, try to correct the interference by using one or more of the following measures: 

Move the NetScaler equipment to one side or the other of your equipment. 

Move the NetScaler equipment farther away from your equipment. 

Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler 

equipment and your equipment are on circuits controlled by different circuit breakers or fuses.) 

Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your 

authority to operate the product.

BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, and NetScaler Request Switch 

are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, 

PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of 

the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a 

trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other 

brand and product names may be registered trademarks or trademarks of their respective holders. 

Software covered by the following third party copyrights may be included with this product and will also be subject to the 

software license agreement: Copyright 1998 © Carnegie Mellon University. All rights reserved. Copyright © David L. 

Mills 1993, 1994. Copyright © 1992, 1993, 1994, 1997 Henry Spencer. Copyright © Jean-loup Gailly and Mark Adler. 

Copyright © 1999, 2000 by Jef Poskanzer. All rights reserved. Copyright © Markus Friedl, Theo de Raadt, Niels Provos, 

Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright © 1982, 1985, 1986, 

1988-1991, 1993 Regents of the University of California. All rights reserved. Copyright © 1995 Tatu Ylonen, Espoo, 

Finland. All rights reserved. Copyright © UNIX System Laboratories, Inc. Copyright © 2001 Mark R V Murray. Copyright 

1995-1998 © Eric Young. Copyright © 1995,1996,1997,1998. Lars Fenneberg. Copyright © 1992. Livingston 

Enterprises, Inc. Copyright © 1992, 1993, 1994, 1995. The Regents of the University of Michigan and Merit Network, 

Inc. Copyright © 1991-2, RSA Data Security, Inc. Created 1991. Copyright © 1998 Juniper Networks, Inc. All rights 

reserved. Copyright © 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 

Networks Associates Technology, Inc. Copyright 1999-2001© The Open LDAP Foundation. All Rights Reserved. 

Copyright © 1999 Andrzej Bialecki. All rights reserved. Copyright © 2000 The Apache Software Foundation. All rights 

reserved. Copyright (C) 2001-2003 Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) 1997-2004 

University of Cambridge. All rights reserved. Copyright (c) 1995. David Greenman. Copyright (c) 2001 Jonathan Lemon. 

All rights reserved. Copyright (c) 1997, 1998, 1999. Bill Paul. All rights reserved. Copyright (c) 1994-1997 Matt Thomas. 

All rights reserved. Copyright © 2000 Jason L. Wright. Copyright © 2000 Theo de Raadt. Copyright © 2001 Patrik 

Lindergren. 

All rights reserved. 

Last Updated: October 2010

CONTENTS 

Contents 

Preface 

Chapter 1 

Chapter 2 

Chapter 3 

Chapter 4 

Chapter 5 

Chapter 6 

Chapter 7 

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i 

Formatting Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii 

Getting Service and Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii 

Knowledge Center. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii 

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii 

OpenCloud Access High Availability 

How OpenCloud Access High Availability Works . . . . . . . . . . . . . . . . . . . . . . . . . .1 

Configuring High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 

Configuring Kerberos on Active Directory 

User Creation for OpenCloud Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 

Keytab File Generation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 

Testing Kerberos. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 

Activating SSO Applications 

Activating an Application for SSO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9 

Viewing an SSO Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11 

View User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12 

Removing an SSO Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12 

Configuring Responder Policies on NetScaler 

Viewing Users 

Configuring a DNS Server entry for OpenCloud Access 

OpenCloud Access Reporting

Contents 

v 

Built-in Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23 

License Utilization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23 

Inactive Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24 

Concurrent Logins. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25 

Failed Logins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25 

Custom Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26 

Chapter 8 

Chapter 9 

Chapter 10 

Installing Connector Updates 

OpenCloud Access SSO Connector Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27 

Service Packs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27 

Availability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27 

Installing Service Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27 

Hot Fixes and Bug Fixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28 

Availability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29 

Installing Bug Fixes and Hot Fixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29 

Connector Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30 

Availability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30 

Installing Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30 

Upgrading OpenCloud Access 

Provisioning SSO Applications 

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35 

Adding Active Directory as an Authoritative List . . . . . . . . . . . . . . . . . . . . . . . . . .35 

Adding Active Directory as an Authentication Server . . . . . . . . . . . . . . . . . . . . . .37 

Adding an SSO Web Application as a Service . . . . . . . . . . . . . . . . . . . . . . . . . . . .39 

Creating Active Directory Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40 

Fine-grained Privileges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41 

Fine-grained Authoritative List Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42 

Associating the OpenCloud Access Administrator to an Employee . . . . . . . . . . . .42 

Creating User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43 

Deleting User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43 

Enabling User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44 

Disabling User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44

PREFACE 

Preface 

About This Guide 

Before you begin to manage and monitor Citrix OpenCloud Access, take a few 

minutes to review this chapter and learn about related documentation, other 

support options, and ways to send us feedback. 

In This Preface 

About This Guide 

Formatting Conventions 

Getting Service and Support 

Documentation Feedback 

The Citrix OpenCloud Access Administration Guide provides a conceptual 

reference and instructions for configuring and managing Citrix® OpenCloud 

Access®. 

The guide provides the following information: 

• Chapter 1, “OpenCloud Access High Availability.” Learn about 

OpenCloud Access High Availability and how to configure it. 

• Chapter 2, “Configuring Kerberos.” Configure Kerberos 

Authentication on Active Directory for OpenCloud Access. 

• Chapter 3, “Activating SSO Applications.” Activate and configure 

new applications for SSO by using OpenCloud Access. Also, learn 

how to view and remove activated applications. 

• Chapter 4, “Configuring Responder Policies on NetScaler.” Learn 

how to configure responder policies on NetScaler. 

• Chapter 4, “Viewing Users.” View details of the enterprise users, in 

OpenCloud Access. 

• Chapter 5, “Configuring a DNS Server entry for OpenCloud Access.” 

Learn how to configure a DNS entry for OpenCloud Access.

ii 

OpenCloud Access Administration Guide 

Formatting Conventions 

• Chapter 6, “OpenCloud Access Reporting.” Learn how to use 

OpenCloud Access to display single sign-on usage as reports with 

graphs. 

• Chapter 7, “Uploading Connector Library.” Learn about different 

types of periodic updates and fixes provided by Citrix. This also 

includes the procedure to upload and install them on OpenCloud 

Access. 

• Chapter 8, “Upgrading OpenCloud Access.” Learn how to upgrade 

OpenCloud Access to the latest build. 

• Chapter 9, “Provisioning for SSO Applications.” Learn how to enable 

provisioning for single sign-on applications activated in OpenCloud 

Access. 

This documentation uses the following formatting conventions. 

Table 1: Formatting Conventions 

Convention 

Boldface 

Monospace 

 

Meaning 

In text paragraphs or steps in a procedure, 

information that you type exactly as shown (user 

input), or an element in the user interface. 

Text that appears in a command-line interface. 

Used for examples of command-line procedures. 

Also used to distinguish interface terms, such as 

names of directories and files, from ordinary text. 

A term enclosed in angle brackets is a variable 

placeholder, to be replaced with an appropriate 

value. Do not enter the angle brackets. 

Getting Service and Support 

Citrix provides technical support primarily through the Citrix Solutions Network 

(CSN). Our CSN partners are trained and authorized to provide a high level of 

support to our customers. Contact your supplier for first-line support, or check for 

your nearest CSN partner at http://support.citrix.com/. 

You can also get support from Citrix Customer Service at http://citrix.com/. On 

the Support menu, click Customer Service.

Preface iii 

Knowledge Center 

The Knowledge Center offers a variety of self-service, Web-based technical 

support tools at http://support.citrix.com. 

Knowledge Center features include: 

• A knowledge base containing thousands of technical solutions to support 

your Citrix environment. 

• An online product documentation library. 

• Interactive support forums for every Citrix product. 

• Access to the latest hotfixes and service packs. 

• Knowledge Center Alerts that notify you when a topic is updated. 

Note: To set up an alert, sign in at http://support.citrix.com/ and, under 

Products, select a specific product. In the upper-right section of the screen, 

under Tools, click Add to your Hotfix Alerts. To remove an alert, go to the 

Knowledge Center product and, under Tools, click Remove from your 

Hotfix Alerts. 

• Security bulletins. 

• Online problem reporting and tracking (for organizations with valid support 

contracts). 

Documentation Feedback 

You are encouraged to provide feedback and suggestions so that we can enhance 

the documentation. You can send email to the following alias or aliases, as 

appropriate. In the subject line, specify “Documentation Feedback.” Be sure to 

include the document name, page number, and product release version. 

• For OpenCloud Access documentation, send email to 

nsdocs_feedback@citrix.com.

iv 

OpenCloud Access Administration Guide

CHAPTER 1 

OpenCloud Access High Availability 

OpenCloud Access high availability (HA) refers to an implementation in which 

two OpenCloud Access VMs are installed on different hardware platforms and 

are configured such that if one system fails for any reason, the other is available 

to provide the services OpenCloud Access. The two VMs work in an activepassive 

configuration, in which only one device is active, at any given time. 

The active VM listens for requests, serves clients, and synchronizes its data with 

the data on the passive VM. Each VM has its own individual IP address. The VM 

pair is also assigned with a well known IP Address, which is used by the VM that 

is active. Clients access the active VM by using a fully qualified domain name 

that resolves to the well known IP address. 

System-setting data is synchronized by a client-server mechanism. A client on the 

active OpenCloud Access pushes the necessary information to a virtual server on 

the passive VM as a series of requests. The virtual server parses the requests and 

performs the necessary action. 

How OpenCloud Access High Availability Works 

The OpenCloud Access VM on which the high availability configuration is 

initiated is termed the primary VM, and the other is termed the secondary. The 

names primary and secondary are static.The names with the respective VMs does 

not change over time. Both the devices will be aware as to which device among 

the two is primary device and which device is secondary. 

Both VMs retain these identities even if the secondary becomes active and the 

primary passive. 

If the primary VM or its host hardware fails, the secondary VM immediately 

assumes the tasks of serving user requests and providing single sign-on 

functionality. As the active VM, it also inherits the role of synchronizing system 

and database information.

2 OpenCloud Access Administration Guide 

Each VM in an OpenCloud Access high availability pair generates a heartbeat 

request once each minute. A diagnostics script on each VM generates healthstatus 

information, and the heartbeat service running on the two VMs monitors 

the health of each OpenCloud Access system and the health of the HA pair. 

If the passive VM does not respond to a heartbeat request or reports a failure, the 

active VM marks the passive as failed and sends an email message notifying the 

administrator. If the active VM does not respond or reports a failure, the passive 

VM acquires the well known IP address, becomes active, and sends an email 

message notifying the administrator. 

When the failed VM comes back online, the active VM updates it with 

differential data and updates its status from failed to passive. 

Configuring High Availability 

Before configuring a high availability pair, make sure that the two OpenCloud 

Access VMs are running the same build version. If you have installed any 

hotfixes or bug fixes on one of the VMs, the same set of fixes should be installed 

on the other VM as well. OpenCloud Access currently supports high availability 

within the same subnet only. Make sure that the IP addresses assigned to the 

primary and secondary VMs are in the same subnet. 

When you configure high availability the Primary device IP address is 

automatically be assigned as the well known IP address for the pair. You must set 

aside one more IP address to assign to the Primary VM. 

Configure high availability settings 

1. Log on to OpenCloud Access Management interface. 

2. In the navigation pane, expand Settings, and then click HA. 

3. Click Add link in the High Availability details screen. The Create High 

Availability Configuration dialog box appears. 

4. Configure the following HA parameters: 

• Primary IP Address 

• Secondary IP Address 

• Well Known IP Address, Subnet Mask and Default Gateway 

automatically acquire default settings. Edit these as required. 

• Heartbeat Tolerance Level: The heartbeat periodically checks the 

availability of an HA node. Specify the interval at which the active 

VM must communicate with the passive VM. The default value is 3.

Chapter 1 OpenCloud Access High Availability 3 

Note: Subnet Masks and Default Gateways of Primary and 

Secondary IP Address are populated by default. 

5. Click Next. 

6. Click OK, unless you want to modify settings. 

After a few minutes, the primary and secondary OpenCloud Access VMs reboot.

4 OpenCloud Access Administration Guide

CHAPTER 2 

Configuring Kerberos on Active 

Directory 

Kerberos is a secure computer network authentication protocol that Citrix® 

OpenCloud Access® uses to identify the users of client computers 

communicating over a network. OpenCloud Access uses Kerberos over HTTP as 

an authentication mechanism to identify a domain client workstation user. 

As part of the identification process, OpenCloud Access uses a keytab file. A 

keytab file contains pairs of Kerberos principles and encrypted keys. The keytab 

file is used in the authentication process. 

Once OpenCloud Access has determined the identity of the user, it stores this 

identity and provides a transparent mapping between users, network IDs, and 

their various single sign-on application IDs. 

User Creation for OpenCloud Access 

The first step in setting up the Kerberos environment for OpenCloud Access is to 

set up a user account on Active Directory. This user account is used to generate a 

keytab file. 

Set up a user account 

1. Create a user account in Active Directory for OpenCloud Access 

(Example: cloudaccess). 

2. Set the password expiry of the user to Password Never Expires. 

Note: The password for this account should not be reset once the keytab 

file is generated.


Keytab File Generation 

The keytab file contains the OpenCloud Access fully qualified domain name, key, 

and key encryption type. To generate the keytab file, you have to make use of the 

ktpass tool on the Active Directory Windows server. 

1. Create a keytab file with the following command from the Active Directory 

server command prompt: 

ktpass –princ HTTP/@ - 

ptype KRB5_NT_PRINCIPAL –mapuser -mapop set –pass -out 

(Example: ktpass -princ HTTP/ 

cloudaccess.example.com@EXAMPLE.COM -ptype 

KRB5_NT_PRINCIPAL -mapuser cloudaccess@EXAMPLE.COM - 

mapop set -pass Passwd123 -out CloudAccesSSOkey) 

Note: ktpass is not part of Active Directory by default. It is part of Windows 

Server 2003 Service Pack 1 Windows Support Tools. You can download the 

Support Tools from the following Web site: 

http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1- 

4E81-B3BE-4E7AC4F0912D. 

For Windows 2000 server, the ktpass command selects the DES encryption 

option by default. DES encryption should be selected in Windows 2000 for 

Kerberos to work. 

(For Windows 2000 server, Download the Windows 2000 Support Tools.) 

2. Once the keytab file is generated, the OpenCloud Access user properties in 

AD appear as follows: HTTP/< OpenCloud Access FQDN> (Example: 

HTTP/cloudaccess.example.com). 

3. Copy the keytab file and keep it in a safe location. You will need it when 

you set up User Authentication. 

Note: OpenCloud Access and Active Directory clock must be in sync for 

Kerberos authentication over HTTP to work, as required. 

Testing Kerberos 

Once you have uploaded the keytab file to OpenCloud Access, to test whether the 

environment is working properly:

Chapter 2 Configuring Kerberos on Active Directory 7 

1. Log on to the domain using a client workstation. 

2. Open a Web browser and access the following URL: 

https:///kerbsso/index.jsp 

3. If the Kerberos environment is working as it should be, a test Web page 

loads. The message “AD Authentication Test ... username@domain.com” 

appears. 

Example: If Mark Taylor uses his Active Directory username (mark.taylor) 

and password to log into the domain example.com, when he accesses the 

URL shown in Step 2, the message "AD Authentication Test.... 

mark.taylor@example.com" appears.


CHAPTER 3 

Activating SSO Applications 

With Citrix® OpenCloud Access®, you can provide enterprise users with single 

sign-on (SSO) to your enterprise and SaaS Web applications. To enable this 

facility you use, the OpenCloud Access connector library. The connector library 

consists a set of Web application SSO connectors with which you can enable 

single sign-on for corresponding applications. These applications are referred to 

as SSO Applications. 

This chapter provides a detailed description of how to activate SSO for an 

application by using one of the existing SSO connectors from the library, using 

OpenCloud Access. 

If you want an SSO connector for an application that is not part of the list of SSO 

connectors available in the OpenCloud Access connector library, please contact 

Citrix support. 

Activating an Application for SSO 

To activate a new application in OpenCloud Access for SSO, do the following: 

1. Access the OpenCloud Access Management Interface by using the 

following URL: https:///. This brings up the Login 

screen. Enter your OpenCloud Access administrator credentials and click 

Login. 

2. Once you are logged on to OpenCloud Access, use the navigation tree in 

the left pane to access the Applications section. This option is available 

under the Users & Applications menu. 

3. Upon clicking Applications, you see a set of applications that have been 

activated for SSO, in the right pane. At the bottom of this screen, click Add 

to use one of the available connectors for SSO. 

A new window appears displaying a list of pre-packaged connectors, which 

are not activated for SSO. From the list of available connectors, select one 

and click Add. This launches a two-step process. 

During the process, you are prompted to enter the following information:


• Name 

This is the name of the application. 

• Description 

This field is meant to provide basic details about the application. The 

page has a pre-filled description. If you wish to edit this description, 

click the text field and edit the description. 

• URL 

In this field, enter the URL used to access the Web application. 

• # of Licenses 

This is the subscription limit of user licenses that you purchased for 

the selected application. 

• Max Threshold 

This is used to monitor your license usage for the application you are 

activating. Specify a maximum threshold, as a numeric value. 

• Min Threshold 


activating. Specify a minimum threshold, as a numeric value. 

Using the OpenCloud Access License Utilization report, you are 

able to determine whether you can increase or decrease the number of 

licenses that you purchased, based on the minimum and maximum 

thresholds that you set. This helps you maximize your ROI. 

• CRD Policy Configuration 

This check box is enabled only if the connector has autoconfiguration 

capabilities. However, this feature is not available in 

OpenCloud Access release 1.0. 

You have to manually create responder policies for the application on 

the Citrix® NetScaler® appliance. 

4. Click Next to move forward to the SSO properties page. 

5. If you are activating an application using a Native SSO Type connector, 

you will have to add a redirection URL in the DNS server. 

6. Click Next to continue to the Summary Details page.This Summary 

Details page contains a summary of the details you entered on the first 

page. 

7. To confirm and save your settings, click Create.

Viewing an SSO Application 

Chapter 3 Activating SSO Applications 11 

At any time after activating an application for SSO, you might want to update 

some of the application details, such as the description, the access URL, or the 

license utilization thresholds that were previously entered. 

Once you are logged on to OpenCloud Access, use the navigation tree in the left 

pane to access the Users & Applications section. When you click Applications, 

the right pane displays set of applications that are activated for SSO. Highlight an 

application by clicking it, and then click the Open button at the bottom of the 

screen. You can then edit the application details. 

The application details dialog box displays the following details: 

• Description: The page has a pre-filled description. If you wish to edit 

this description, click the text field and edit the content. 

• URL 

In this field, you can enter the URL that was used to access the Web 

application. 

• # of Licenses 

This is the subscription limit of user licenses that you purchased for 

the selected application. 

• Max Threshold 


activating. Specify a maximum threshold, as a numeric value. 

• Min Threshold 


activating. Specify a minimum threshold, as a numeric value. 

Using the OpenCloud Access License Utilization report, you will be 

able to determine whether you can increase or decrease the number of 

licenses that you purchased, based on the minimum and maximum 

thresholds that you set. This helps you maximize your ROI. 

• CRD Policy Configuration 

This check box is enabled only if the connector has autoconfiguration 

capabilities. However, this feature is not available in 

OpenCloud Access release 1.0. 

1. Click Next to move forward to the SSO properties page.


View User Accounts 

2. Click Next to continue to the Summary Details page.This Summary 

Details page contains a summary of the details that are entered on the first 

page. 

3. To confirm and save your settings, click OK, or click Close to exit without 

saving. 

Once you are logged on to OpenCloud Access, use the navigation tree in the left 

pane to access the Users & Applications section. When you click Applications, 

right pane displays a set of applications managed for SSO. You can select an 

application and click the View User Accounts button to view the user accounts 

that are using SSO for this application. 

This brings up a new window. The window contains a table that lists the user 

accounts. Each row in the table contains the following fields: 

• User ID: This is the user ID that OpenCloud Access captured the first time 

a user’s application credentials were captured for single sign-on. 

• Account Status: This field is blank if the application is used only for SSO. 

If the OpenCloud Access Identity Management feature is turned on for the 

application being viewed, the user account status is displayed indicating 

whether the user account is Active or Disabled. 

• State: This field is blank if the application is used only for SSO. If the 

OpenCloud Access Identity Management feature is turned on for the 

application being viewed, the user account state is displayed indicating 

whether the user account is Assigned to a user or is Unreconciled. 

Removing an SSO Application 

Once you are logged on to OpenCloudAccess, use the navigation tree in the left 

pane to access the Users & Applications section. Click Applications, to display 

the set of applications that OpenCloud Access is managing for SSO. 

To remove a managed SSO application from OpenCloud Access: 

1. Highlight the application that you would like to remove and, at the bottom 

of the screen, click Remove. 

2. At the prompt confirm that you want to remove the application. 

3. Once you confirm your decision, OpenCloud Access stops performing SSO 

for the application removed. This connector then reappears in the connector 

list section.

Chapter 3 Activating SSO Applications 13


CHAPTER 4 

Configuring Responder Policies on 

NetScaler 

Create a Responder Action by using the configuration utility 

1. In the navigation pane, expand Responder, and then select Actions. 

2. In the details pane, click Add. 

3. In the Name field, enter the name for the new responder action. 

4. From Type drop-down, select Redirect. 

5. In the Target field enter the expression by substituting the OpenCloud 

Access host name and application name, enclosed in double quotes in the 

following string. 

“https:/// 

webssouser/websso.do?action=authenticateUser&app=&reqtype=1” 

For Example: “https://oca.enterprise.com/webssouser/ 

websso.do?action=authenticateUser&app=example&reqtype=1” 

Note: In the above example, the top-level domain (TLD) “.com” is used. 

However, the following TLDs are also accepted, in place of “.com”: 

.org, .net, .edu, .mil, etc. 

6. Click Create. 

7. Click Close. 

Create a Responder Policy by using the configuration utility 

The responder policies created here reference the action created in the previous 

step. 

1. In the navigation pane, expand Responder, and then select Policies. 

2. In the details pane, click Add. 

3. In the Name field, enter the name for the new responder policy.


4. In Action drop-down list, select the responder action that you previously 

created. 

5. In the Expression field, enter HTTP.REQ.HOSTNAME.EQ(“”). 

If there are more than one URL used to logon to an application, this must be 

repeated for each of the URLs. 

For Example: HTTP.REQ.HOSTNAME.EQ("logon.example.com") 

6. Click Create. 


Activate the Responder Policy by using the Policy Manager 

Here, we use the Policy Manager to bind the responder policies in order for the 

responder policies to take effect. 

1. In the navigation pane, expand Responder, and then select Policies. 

2. In the Responder Policies pane, click Policy Manager. 

3. In the Responder Policy Manager window, click Default Global in the 

left pane. 

4. Click Insert Policy. 

5. In Policy Name drop-down list, select the responder policy that you 

previously created. 

6. Click Apply Changes. 


8. Save the configuration and click Refresh All.

CHAPTER 5 

Viewing Users 

The Users section in Citrix® OpenCloud Access® displays a list of all the current 

users in your enterprise. Typically, this is the list of existing users in your 

enterprise Active Directory server. Users and their details appear in the Users 

section only if the user list is retrieved from the enterprise Active Directory.The 

list captures various details about the users, such as their first name, last name, 

employee number, physical address, and so on. 

Users listed here are a combination of the users who have signed up for SSO and 

those who have not yet signed up for SSO but are eligible to use the SSO service 

for your enterprise or SaaS applications. 

Select Users & Applications in the left pane and click Users to access the user 

list. The list of users appears in the right pane; this section has a read-only view. 

You can drill down on any of the users listed to find out more details about the 

user. 

Display more details about a user 

1. Click the record corresponding to the user whose details you want to find 

out about. 

2. Click Open. 

3. After viewing the user details, click Close to close the window. 

For information about how to add a user list in OpenCloud Access, see 

Add Active Directory As an Authoritative List in the “Provisioning for 

SSO Applications” Chapter of the OpenCloud Access Administration 

Guide.


CHAPTER 6 

Configuring a DNS Server entry for 

OpenCloud Access 

You first have to configure a DNS entry for OpenCloud Access; this is a one-time 

effort. 

Following are the prerequisites for creating host entries in the DNS server: 

• A DNS server 

• OpenCloud Access 

• SaaS application information from OpenCloud Access 

Configure a DNS entry for OpenCloud Access 

1. Log on to the Windows server hosting your DNS server. 

2. Navigate to Start > Programs > Admin Tools > DNS. 

3. Navigate to the Forward Look Up Zone in the DNS and expand Forward 

Look Up Zone. 

4. Right-click your enterprise domain and select New Host. 

5. On the New Host screen, enter the following information. This step must 

be performed only once. 

• Name: The Name should be the same as the Active Directory user 

account name. 

• IP Address: OpenCloud Access IP address. 

(Example: opencloudaccess as the name and 192.168.70.200 as the IP 

address. Here, 192.168.70.200 is the IP address of the OpenCloud Access 

VM.) 

6. Click Done.


Chapter 6 Configuring a DNS Server entry for OpenCloud Access 21


CHAPTER 7 

OpenCloud Access Reporting 

Citrix® OpenCloud Access® maintains user account details for each application. 

These details are gathered as part of the SSO learning process. When a user 

attempts to log on to a managed application for the first time, OpenCloud Access 

captures the user account credentials. The user account entered is associated with 

the application to build the users per application report. 

OpenCloud Access also captures SSO events per application. OpenCloud Access 

works in conjunction with Citrix® NetScaler® appliance to gather details about 

when (specifically, the date and time) SSO was performed for which user 

account; this data is maintained by OpenCloud Access in its database. With this 

information, OpenCloud Access can show high-level reports of SSO frequency 

per application. You can drill down and view the actual SSO events of interest by 

clicking the application of choice. 

The list of user accounts present in OpenCloud Access consists of users who have 

signed up with OpenCloud Access during the SSO process. Utilization reports 

reflect user accounts that have been used for SSO. 

In addition to using the built-in reports, you can create custom reports that have 

been used for SSO. 

Built-in Reports 

To access the built-in reports, click the Reports link in the left pane in 

OpenCloud Access. The tree view expands. Next, highlight Built-in Reports. 

You are then presented with the following set of reports. When you click any of 

these links in the left pane, the actual report appears in the right pane. 

License Utilization 

The License Utilization report provides you with information about the SSO 

utilization for each application. 

1. The right pane shows a bar graph where x-axis represents the applications 

and the y-axis represents the percentage of license utilization based on the 

application user licenses available. The graph depicts three types of license


utilization percentages, namely Over Utilization, Effective Utilization 

and Under Utilization. 

2. Each application is represented by a single bar in the graph. You can click 

the utilization bar corresponding to an application to drill down and see the 

user account details. 

3. Clicking a bar in the graph brings up a new window. The window lists the 

user accounts in a table. Each row in the table contains the following fields: 

• User ID: This is the application user ID that OpenCloud Access 

captured the first time a user’s application credentials were captured 

for single sign-on. 

• Account Status: This field is blank if the application is used only for 

SSO. If the Identity Management feature is turned on in OpenCloud 

Access, for the application being viewed, the user account status is 

also displayed. This field captures whether the user account is Active 

or Disabled. 

• User Name: This field contains the user’s first and last name, 

retrieved from the user list. 

• State: This field is blank if the application is used only for SSO. If the 

Identity Management feature is turned on in OpenCloud Access, for 

the application being viewed, the user account status is also 

displayed. This field contains information about whether the user 

account is Assigned to a user in the user list or is Orphaned. 

Inactive Accounts 

The Inactive Accounts report displays information about the user accounts that 

have signed up for SSO with OpenCloud Access but have not been used for a 

period of time. 

1. The right pane shows summary views for SSO usage per application for the 

following four time periods: 

• Last month 

• Last quarter 

• Last half year 

• Last year 

2. The summary view shows a bar graph, where the x-axis represents the 

applications and the y-axis represents the number of user accounts in each 

of the applications.

Chapter 7 OpenCloud Access Reporting 25 

Concurrent Logins 

The Concurrent Logins report displays details about the users currently logged 

on to the various SSO applications managed in OpenCloud Access. 

1. The report in the right pane shows summary views for current concurrent 

SSO usage per application, in the form of a bar graph. The x-axis represents 

the applications and the y-axis represents the number of users currently 

logged on to the applications. 

2. You can then click an application to drill down and see the list of user 

accounts that are currently logged on to the application. 

3. Clicking a bar in the graph brings up a new window. The window contains 

the user accounts presented in a table. Each row in the table contains the 

following fields: 

• User ID: This is the user’s network ID that OpenCloud Access 

captured after identifying the user. 

• Domain Name: This field contains the domain name associated with 

the application for which single sign-on was performed. 

• Login Name: This field contains the user’s application login name. 

• SSO Application Name: This field contains the name of the 

application for which single sign-on was performed. 

• Login Time: The time that the user was logged on to the application 

by using OpenCloud Access. 

Failed Logins 

The Failed Logins report contains information about the failed single sign-on 

attempts by OpenCloud Access. 

1. The right pane shows summary views of authentication failures per 

application. The report appears in the form of a bar graph, where the x-axis 

represents the applications and the y-axis represents the number of failed 

login attempts. 

2. You can then click a bar in the graph to drill down and see the list of 

authentication failures for each application. The window lists the user 

accounts in a table. Each row in the table contains the following fields: 

• Access Type: This field provides information about whether 

OpenCloud access was attempting to sign in a local user, that is, a 

user was logged on to the domain or if OpenCloud Access was 

attempting to sign on a remote user.


Custom Reports 

• First Name: This field contains the first name of the user. It is 

populated only if the user account is Assigned to a user record in the 

user list. 

• Last Name: This field contains the last name of the user. It is 


user list. 

• Middle Name: This field contains the middle name of the user. It is 


user list. 

• Application Name: The name of the application for which 

OpenCloud Access attempted to sign in. 

• User ID: This is the user’s network ID that OpenCloud Access 

captured after identifying the user. 

• Domain Name: This field contains the domain name associated with 

the application for which single sign-on was performed. 

• Login Time: The time that OpenCloud Access attempted to sign in a 

user to the application. 

In addition to the standard built-in reports, you can also request for custom 

reports generated from the data stored in the OpenCloud Access database. You 

can build reports to display specific information in the format of your choice. 

Contact Citrix support to learn more about or submit a request for custom reports.

CHAPTER 8 

Installing Connector Updates 

Citrix® OpenCloud Access® ships with a standard set of SSO connectors. These 

SSO connectors are packaged into a single SSO connector library. 

SSO connectors for new applications are first released as Formfill connectors and 

released later as Native connectors. 

SSO connectors with auto-configuration capabilities are not available in 

OpenCloud Access release 1.0. In a future release, you will be able to use these 

connectors to automatically push responder policies to NetScaler. 

OpenCloud Access SSO Connector Library 

In addition to the standard set of connectors that are delivered as part of 

OpenCloud Access, connector library updates are available in the form of 

monthly service packs. 

Connector library upgrades containing new SSO connectors are released every 

month. 

Service Packs 

At the end of every quarter, a consolidated set of connector updates, in the form 

of a connector library, and connector bug or hot fixes if applicable, is made 

available on the Citrix Web site. This service pack might also includes 

generalized bug or hot fixes that have been released earlier to resolve specific 

customer issues. If OpenCloud Access already has these fixes installed, they are 

skipped at installation time. 

A set of release notes is also included to keep you aware of what is being released 

as part of each service pack. 

Availability 

To download the latest service pack, please visit the Citrix Web site. 

Installing Service Packs 

Once you have saved the file on your computer,


To install a Service Pack: 

1. Open a Web browser and access the OpenCloud Access landing page at the 

following URL: https://. The OpenCloud 

Access landing page appears. Click Advanced Configuration. 

2. The System Login page appears. Enter the administrator username and 

password and click Login. 

3. Click the Troubleshoot tab. 

4. Click the Click Here For Debug Window link. 

5. The Troubleshoot Login page appears. Enter the administrator username 

and password and click Login. 

6. Navigate to the Patch Management link in the left pane. 

7. In the right pane, click Upload Patch. 

8. Click Browse, to locate the hotfix on your local workstation, and click 

Open. 

9. Click the Upload button. This uploads the hotfix to OpenCloud Access and 

displays the result. 

10. Click Done. The hotfix will appear in the Patch Management page with 

details of PatchID, Patch State and Action. The patch state appears as “Un 

installed” and the Action displays an Install link. 

11. Click Install to install the patch. Do not refresh the page. 

12. Once the patch is installed, click Done. The patch state will then change to 

Installed to reflect the new state. 

13. Click Logout in the left pane. 

Note: Upon completion, the Web service restarts. Wait for a minute before 

accessing the OpenCloud Access Web interface. 

Hot Fixes and Bug Fixes 

If an issue with one of the SSO connectors is reported and it is determined to be a 

bug, Citrix releases a Hot Fix. 

If a critical issue is found with any of the connectors during the regular Quality 

Assurance cycles, a Bug Fix is released immediately.

Chapter 8 Installing Connector Updates 29 

Availability 

Both hot fixes and bug fixes are made available with Citrix support. 

Installing Bug Fixes and Hot Fixes 

To install a bug fix/hot fix: 

1. Open a Web browser and access the OpenCloud Access landing page at the 

following URL: https://. The OpenCloud 

Access landing page appears. Click Advanced Configuration. 

2. The System Login page appears. Enter the administrator username and 

password and click Login. 

3. Click the Troubleshoot tab. 

4. Click the Click Here For Debug Window link. 

5. The Troubleshoot Login page appears. Enter the administrator username 

and password and click Login. 

6. Navigate to the Patch Management link in the left pane. 

7. In the right pane, click Upload Patch. 

8. Click Browse, to locate the hotfix on your local workstation, and click 

Open. 

9. Click the Upload button. This uploads the hotfix to OpenCloud Access and 

displays the result. 

10. Click Done. The hotfix will appear in the Patch Management page with 

details of PatchID, Patch State and Action. The patch state appears as “not 

installed” and the Action displays an Install link. 

11. Click Install to install the patch. Do not refresh the page. 

12. Once the patch is installed, click Done. The patch state will then change to 

Installed to reflect the new state. 

Note: The procedure from step 7 to 12 can be repeated in case you have to 

install multiple hot fixes. 

13. Click Logout in the left pane.


Connector Upgrades 

SSO connectors for new applications are constantly added to the connector 

library. These connectors are part of the connector library made available in 

quarterly (or semiannual) releases, on the Citrix Web site. 

These SSO connectors are first released as Formfill SSO connectors, and once 

they are released as Native connectors, a corresponding SSO connector is added 

to the monthly connector service pack or connector library upgrade, whichever is 

released first. 

Availability 

Connector upgrades are available with Citrix support. 

Installing Upgrades 

To install a connector: 

1. Log on to OpenCloud Access using your administrator credentials. 

2. Use the navigation tree in the left pane to access the Users & Applications 

section. 

3. Click Applications. 

4. Click the Add button in the right pane. 

5. In the pop-up window, click the Upload Connector(s) button. 

6. In the Upgrade Wizard dialog box, click Next. 

7. Click Browse, to locate the upgrade file on your local workstation, and 

click Next. 

8. The Readme displays information about the number of connectors 

enclosed within the connector library that you are uploading. Click Next. 

9. The Change Log displays information about the changes since the previous 

connector library release. Click Next. 

10. Click Finish on the Summary screen. 

Upon completion, the Web service restarts, and you are taken to the OpenCloud 

Access login page.

Chapter 8 Installing Connector Updates 31 

Note: The Connectors’ list upload process takes between 5 and 10 minutes to 

complete, depending on your server configuration. 

If there are multiple versions of an enterprise SSO application, the corresponding 

supported versions appear in the OpenCloud Access interface. One version does 

not interfere with the other.


CHAPTER 9 

Upgrading OpenCloud Access 

When enhancements and bug fixes, become available for Citrix® OpenCloud 

Access®, a new build is released. You can download new builds from the Citrix 

Web site at http://www.citrix.com/site/SS/downloads/index.asp. New builds can 

be downloaded and installed on your OpenCloud Access virtual appliance. 

These builds must be installed through the OpenCloud Access Management 

Interface. Refer to the release notes before proceeding with the upgrade. 

If you upgrade a high availability pair, upgrade the active VM first. 

Upgrade OpenCloud Access to the latest build 

1. Log on to OpenCloud Access. 

2. Click the OpenCloud Access link in the left pane. 

3. On the System Overview page, click Upgrade Wizard located at the 

bottom of the System Overview page in the right pane. 

4. In the Upgrade Wizard dialog box, click Next. 

5. Click Browse, to locate the upgrade file on your local computer, and click 

Next. 

6. This uploads the file into OpenCloud Access. Upon successful completion 

of the file upload, a summary displays the details of the OpenCloud Access 

Upgrade. 

7. Click Finish to complete upgrade process. 

Note: The upgrade process takes between 5 and 10 minutes to complete, 

depending on your server configuration. Upon completion, the Web service 

restarts, and you are taken to the OpenCloud Access login page.


CHAPTER 10 

Provisioning SSO Applications 

Prerequisites 

Citrix® OpenCloud Access® uses its provisioning connector framework to 

seamlessly provision user accounts in SSO applications. Using the enterprise 

Active Directory group mapping, OpenCloud Access provisions a new user 

account for users added to the existing or new application group in the Active 

Directory. 

Before attempting to enable provisioning for an SSO application that is currently 

active in the OpenCloud Access VM, make sure that you are accompanied by 

someone who is well versed with the enterprise Active Directory. 

As an alternative, gather the following information: 

1. Active Directory IP Address: The IP address of the enterprise Active 

Directory server. 

2. Active Directory Port Number: The port number that is used to 

communicate over LDAP with the enterprise Active Directory server. 

Typically, the port number used to communicate with Active Directory is 

389. 

3. Service Account: A user name and password with the required privileges 

to retrieve user account information from Active Directory. 

4. Domain Name: The enterprise domain that Active Directory is managing. 

5. Base DN Information: The base DN is the starting point in the Active 

Directory hierarchy from which the user account retrieval begins. An 

example of a base DN is ou=cloudusers,dc=cloud,dc=com. 

Adding Active Directory as an Authoritative List 

Your first task in provisioning new accounts in SSO applications is to add Active 

Directory as an Authoritative List in OpenCloud Access. You can do so at the 

following URL: https://.


At the landing page, click Advanced Configuration. This takes you to a login 

page. Use your OpenCloud Access administrator credentials to log on. 

Once you are logged on to the Advanced Configuration portal, click the ID 

Consolidation & Reconciliation tab. The first option that appears is 

Authoritative List. Click Load Authoritative List. A new window 

appears.Then: 

1. Select activedirectory from the Connector Type drop-down list. 

2. Provide an Authoritative List with a name. (for example: Domain User list). 

3. Enter the IP Address and Port number used to access Active Directory 

over LDAP. 

4. Enter the username@domain.com, identifier and password in the 

appropriate fields. 

5. Once you have entered this information, move to the Connector Attribute 

Mapping section. In this section, you are presented with a set of 

OpenCloud Access attributes (on the left side) and the place holders for 

the corresponding Active Directory attributes (on the right side). 

• Mandatory: Make sure that the First Name, Last Name, Email 

Address, and Employee ID OpenCloud Access attributes have the 

corresponding LDAP attribute entries. 

• Leave the fd1, fd2 and, fd3 fields blank. 

6. Skip the following check boxes: 

• Employee State Transition Required 

• Automatic Provisioning Required 

• Miscellaneous 

• Cloud Integration 

7. Move to the Employee Synchronization section. Select Daily from the 

Periodicity drop-down list. 

8. Leave the Week Days Only check box unchecked, and select a time of day 

at which you would like OpenCloud Access to synchronize with Active 

Directory. 

Note: Synchronization retrieves new account information and synchronizes any 

existing user account information, that has been updated.

Chapter 10 Provisioning SSO Applications 37 

9. Once you have entered all the details, click Load in the bottom right corner 

of the page. This commences the retrieval of user account information from 

Active Directory to OpenCloud Access. 

Upon successful completion of the retrieval process, the window closes and you 

are taken back to the ID Consolidation & Reconciliation page you first arrived 

at. 

Adding Active Directory as an Authentication Server 

After adding Active Directory as an authoritative list, you configure management 

of Active Directory as an authentication server. Navigate to the Discovery tab. 

You are presented with three options. Select the Auth Server Domains option. 

1. Click Manual in the right pane. This opens a new pop-up window. 

2. Enter the following information in the sequence below: 

• Name: Active Directory. 

• IP Address: IP Address of Active Directory. 

• Domain Name: Active Directory Domain Name. 

• Port Number: 389. 

• Protocol: TCP. 

• The Location and Organization drop-down lists are blank. Scroll to 

the bottom of the page and click Create Category. A pop-up appears: 

• Type in a location name in the Category Name text box. 

Location refers to the physical location of your office. 

(for example: San Jose). 

• Select Location from the Category Type drop-down list, and 

click Done. 

• Repeat this process for Organization. Organization refers to 

the name of your organization. Example: Citrix Inc. 

• You are returned to the previous page. 

• Select the location and organization in the appropriate drop-down 

lists. 

• Choose AD from the Type drop-down list. 

3. Leave the remaining fields blank and click Done.


Next, go back to the ID Consolidation & Reconciliation tab. This time, 

click Network Users. You see Active Directory in the right pane. To the 

extreme right side, you see three hyperlinks; click Fetch Users. This opens 

a new window. 

4. Select activedirectory from the Connector Type drop-down list. 

5. In the Select User List list box, select the Authoritative List you created 

earlier. 

6. Enter the username@domain.com, identifier and password to retrieve the 

user account list. 

7. Once you have entered this information, move to the Connector Info for 

Identities section. In this section, you are presented with four fields to enter 

Base DNs. Enter the DN information gathered in the first section. You can 

enter one to four DNs. 

8. Next, move to the Connector Attribute Mapping section. In this section, 

you are presented with a set of OpenCloud Access attributes (on the left 

side) and the place holders for the corresponding Active Directory 

attributes (on the right side). 

• Leave the page as is and click Next in the bottom right corner. 

• On the User ID Creation tab, in the User ID Creation Rule field, 

enter the rule used to create Active Directory accounts on Active 

Directory. Enter the same rule in the Reconciliation Rule field. 

9. Next, move to the Password Rule section. In this section add a minimum 

and maximum number in the Min Length and Max Length fields. This 

represents the minimum and maximum characters in a password. 

10. Click Last to skip the remaining tabs and go directly to the ID 

Synchronization page. On the page, select Daily from the Periodicity 

drop-down list. Leave the Week Days Only check box unchecked and 

select a time of the day at which you want OpenCloud Access to 

synchronize with Active Directory. 

11. Once you have entered all the details, click Fetch. This commences the 

retrieval of user account information from Active Directory. 

12. Upon successful completion of the retrieval process, click Reconciliation 

in the left pane. 

13. Click the Reconcile Users link in the right pane. This opens a new window 

and starts the reconciliation process. 

14. When the Close button appears, click it.


Note: Synchronization retrieves new account information and synchronizes any 

existing user account information, if updated. 

Adding an SSO Web Application as a Service 

After configuring Active Directory, you can manage an SSO application as an 

application server in OpenCloud Access. 

If the application is already managed for single sign-on from the OpenCloud 

Access Management interface, skip steps 1, 2, and 3. 

If the application is not managed for single sign-on from the OpenCloud Access 

Management interface, navigate to the Discovery tab. You are presented with 

three options. Select the Applications option. 

1. Click Manual in the right pane. This displays a pop-up window. 

2. Enter the following information in the sequence below: 

• Name: Application Name. 

• IP Address: 127.0.0.1. 

• Domain Name: Active Directory Domain Name. 

• Port Number: 22. 

• Protocol: TCP. 

• Select the Location and Organization in the appropriate drop-down 

lists. 

• Choose WEBAPP from the Type drop-down list. 

3. Leave the remaining fields blank and click Done. 

4. Click the ID Consolidation & Reconciliation tab and then, click 

Application Users. You see the new Web application in the right pane. To 

the extreme right, you see three hyperlinks; click Fetch Users. 

This opens a new window. 

5. Select the application connector from the Connector Type drop-down list. 

6. In the Select User List list box, select the Authoritative List you created 

earlier. 

7. Enter the user name and password to retrieve the user account list.


8. Enter the application Fully Qualified Domain Name in the IP Address 

field, if the IP Address field is available. 

9. Leave the page as is and click Next in the bottom right corner. In the User 

ID Creation tab and, in the User ID Creation Rule field enter the rule that 

was used to create new user accounts from OpenCloud Access. Enter the 

same rule in the Reconciliation Rule field. 

10. Next, move to the Password Rule section. In this section add a minimum 

and maximum number in the Min Length and Max Length fields. This 

represents the minimum and maximum characters in a password. 

11. Click Last to skip the remaining tabs and go directly to the ID 

Synchronization page. 

12. Select Daily from the Periodicity drop-down list. Leave the Week Days 

Only check box unchecked and select a time at which you would like 

OpenCloud Access to synchronize with Active Directory. 

13. Once you have entered all the details, click Fetch. This migrates SSO 

accounts to the Identity Management section in OpenCloud Access. 

14. Upon successful completion of the retrieval process, navigate to the 

reconciliation section by clicking Reconciliation in the left pane. 

15. Click the Reconcile Users link in the right pane. This opens a new window 

and starts the reconciliation process. 

16. When the Close button appears, click it. 

Note: Synchronization migrates new SSO accounts to the Identity Management 

section. 

Creating Active Directory Groups 

After adding SSO applications, you need to decide whether to use existing Active 

Directory groups or create new groups. The users added to a group are 

provisioned on a corresponding SSO application, so make sure that you use a 

relevant name. 

OpenCloud Access bases the provision of a new user account for any user added 

to an Active Directory group on an application-to-group mapping. Similarly, 

when a user account is removed from the Active Directory group, the user 

account is de-provisioned from the application, on the basis of group to 

application mapping.


For example, if an Active Directory group Sales is mapped to the application 

MySalesApplication, when an Active Directory user account is added to the 

Sales group in AD, OpenCloud Access detects this event at the next scheduled 

synchronization and provisions a user account on MySalesApplication. 

Similarly, when the Active Directory user account Sales group membership is 

removed, the MySalesApplication user account is de-provisioned. 

To enter this mapping information: 

1. Use your OpenCloud Access administrator credentials to log in. 

2. Use the navigation tree in the left pane to access the Applications section. 

3. Expand the System option and select AD Group Mapping in the left pane. 

4. Enter the Active Directory group name in the AD Group Name field. 

5. Enter the application name as managed in the OpenCloud Access Identity 

Management Administrator section, in the Application Name field. 

6. Click Create to save your settings. 

Fine-grained Privileges 

Fine-grained Privileges enables the OpenCloud Access Administrator to exercise 

complete control over the operations performed on application user accounts, by 

application administrators. This feature ensures that administrators have only 

those privileges that are needed for the specific tasks allotted to them. 

To set fine-grained privileges to various Application Administrators 

1. Click the Admin Setup link in the configuration section and navigate into 

the OpenCloud Access Administrators. 

2. Click the Fine-grained Privileges link adjacent to the name of the 

Administrator for whom fine-grained privileges need to be set. This 

displays the Fine-grained privileges screen which lists various applications 

managed by the Administrator. 

3. Select the check box adjacent to the View, Create, Enable, Disable, 

Delete, Password Reset, Unlock Account, Group Management, 

Application Management, View Profile, Modify and Privileged Account 

Management functions for that administrator, and click Update. This sets 

the specified privileges for the application administrator and enables to 

perform only those operations on the applications for which s/he has access. 

4. Select the check box adjacent to the Application Management. This will 

enable the service administrator to perform the operation of batch 

processing. Batch processing is an operation of performing reconciliation 

function to multiple users at one go.


5. Select the check box adjacent to the Group Management. This will enable 

the service administrator to perform operations related to groups in the 

services managed by him/her. 

6. Select the check box adjacent to the Privileged Account Management: 

This will enable the service administrator to manage the privileged 

accounts in the enterprise. 

Fine-grained Authoritative List Privileges 

This section of the screen is related to setting up fine-grained privileges to various 

authoritative lists in the enterprise. This section presents two options which 

allows the administrator to configure fine-grained authoritative list privileges. 

1. Group Management: Select this check-box if you wish to configure finegrained 

privileges for the Administrator to perform group-related actions in 

the authoritative list. By selecting this option, the selected administrator 

will be enabled to perform group-related operations. 

2. Modify Employee Information: This option enables the application 

administrator with the privilege of modifying employee information in the 

authoritative list. Select Modify Employee Information and click Update. 

This sets the fine-grained privileges for the application administrator that 

enables to modify employee records in the authoritative list. 

3. Click Update. 

Associating the OpenCloud Access Administrator to an 

Employee 

To facilitate provisioning, the OpenCloud Access Administrator must be 

associated to an employee in the authoritative list. 

Associate the Administrator to an employee 

1. Access the OpenCloud Access using https://. 

2. Click Advanced Configuration. 

3. Enter your Administrator ID, Password, and click Login. 

4. Click the Configuration tab, and click the Administrators Setup link on 

the left pane. 

5. In the Administrator Setup pane, click the Edit link in the Actions 

section. The Edit OpenCloud Access Admin pop-up window appears.


6. Click Link to Employee. You are taken to the Authoritative List that 

shows a list of employees. 

7. Select the employee name that must be associated to the OpenCloud Access 

Administrator by choosing the corresponding radio button. 

8. You are taken back to the Edit OpenCloud Access Admin screen. Click 

Save. 

Creating User Accounts 

1. Access the OpenCloud Access using . 

2. Click the User Management link. 

3. Enter your Administrator ID, Password, and click Login. 

4. Click the Search by Employee link 

5. Click on the name of the employee for whom a new user account must be 

created. 

6. Scroll to the Actions drop-down list at the bottom of the screen and select 

Create New User Account. 

7. Click Go. You are taken to the Select Services screen. Select the services 

for which a user accounts must be created. 

8. Click Go. You are taken to Enter User Details screen. 

9. Based on the user ID creation rule, the user account appears in the User ID 

field. 

10. Based on the password rules, user account password is auto-generated in 

the Password and Confirm Password fields.You may change the 

password if you choose to. 

11. Select the user account validity by clicking the date picker tool adjacent to 

Account Valid Until field. 

12. Click the Create link located at the bottom of the screen. A user account 

creation confirmation pop-up appears, click OK. 

13. You are taken to the User Account Create Status screen. Click the Done 

link. 

Deleting User Accounts 

To delete the user account, logon to the User Management portal and follow the 

steps below:



2. Click on the name of the employee for whom a user account must be 

deleted. 

3. Click the user account that you want to delete. You are taken to User 

Account screen. 


Delete option. 

5. Click Go. You are taken to User Account Delete screen. 

6. Click the Delete link located at the bottom of the screen. A deletion 

confirmation pop-up appears, click OK. 

7. You are taken to the User Account Delete Status screen. Click the Done 

link. 

Enabling User Accounts 

To enable the user account, logon to the User Management portal and follow the 

steps below: 



enabled. 

3. Click user account that you want to enable. You are taken to User Account 

screen. 


Enable option. 

5. Click Go. You are taken to User Account Enable screen. 

6. Click the Enable link located at the bottom of the screen. A user account 

enable confirmation pop-up appears, click OK. 

7. You are taken to the User Account Enable Status screen. Click the Done 

link. 

Disabling User Accounts 

To disable the user account, logon to the User Management portal and follow the 

steps below: 

1. Click the Search by Employee link



disabled. 

3. Click user account that you want to disable. You are taken to User Account 

screen. 


Disable option. 

5. Click Go. You are taken to User Account Disable screen. 

6. Click the Disable link located at the bottom of the screen. A user account 

disable confirmation pop-up appears, click OK. 

7. You are taken to the User Account Disable Status screen. Click the Done 

link.

OpenCloud Access Administration Guide - Citrix Knowledge Center

Create successful ePaper yourself

Delete template?

Save as template?