Configure Citrix Endpoint Management as SAML IDP for ShareFile

This article provides a overview information of how to configure ShareFile Single Sign-On (SSO) with Citrix Endpoint Management.

A working configuration of Citrix Gateway and Citrix Endpoint Management server can be leveraged for user authentication. Users signing into their ShareFile account using a web browser or Citrix Files clients will be redirected to the Citrix Gateway webpage for their credentials. After successful authentication by Citrix Endpoint Management server, the user receives a SAML token that is valid for sign-in to their Citrix ShareFile account.

As well, you can use the Citrix Endpoint Management server with Secure Hub to single sign-on (SSO) into Citrix Files MDX-wrapped applications. In this scenario, Secure Hub obtains a SAML token from the Citrix Endpoint Management server and automatically signs users into their Citrix ShareFile account without their entering credentials.

Related:

Database Access and Permission Model for XenDesktop

This article describes the SQL Server database access and permission model used by XenDesktop 5 and later.

Background

All runtime access to the central XenDesktop site database is performed by the services running on each controller. These services gain access to the database through their Active Directory machine accounts. This database access is sufficient to allow full day-to-day operation of the site including use of Desktop Studio, Desktop Director, and the service-specific SDKs.

The controller machine accounts and users in the database are granted only the minimum access to the XenDesktop database required for the services to operate.

The use of machine accounts for database access removes the need to securely store SQL logon (SQL authentication) passwords on the controller. It also ensures that only machines that have been configured with appropriate database access at the database server can act as XenDesktop controllers for a particular site.

Use of machine accounts provides a simple and secure model for protecting the critical data in the XenDesktop database. However, the creation and manipulation of the machine account logons at the database server is an inherently privileged operation that falls outside the scope of the permissions granted within the XenDesktop database itself. For this reason, certain key actions on the site are considered privileged administrative operations that require additional database server level permissions not granted to the XenDesktop services themselves; these operations cannot be performed except by a database user with elevated privileges.

The database access performed is summarized in the following diagram:

User-added image

The normal runtime permissions and administrative permissions used by the XenDesktop site are described separately in the following sections.

Note: Use of SQL logons (SQL authentication) in place of machine account logons for the XenDesktop services is not a supported configuration. The SQL scripts used by Desktop Studio and the SDKs are based on the use of machine account logons. In addition, attempting to use SQL logons (SQL authentication) might lead to the account passwords being trivially exposed through the SDKs.

Database Permission Model

Runtime Permissions

Each XenDesktop service gains access to the database through the local controller’s machine account. All routine Desktop Studio, Desktop Director, and SDK operations go through one of the XenDesktop services and thus no additional machine account logons are required for use of any of those components irrespective of the machine on which they run.

For a controller machine that is not on the same machine as the database server, the detailed database permissions are granted as:

  • The services gain access to the database server through their machine account logon (names of the form ‘DOMAINMACHINE$’). These logons do not need to be members of any server-level roles.

  • Within the XenDesktop database, the machine logons are mapped one-to-one with a dedicated per-machine user. Each such user has the same name as the logon to which it relates (in other words: ‘DOMAINMACHINE$’).

  • Each per-machine user is a member of the following XenDesktop-specific database-level roles:

Database Role Corresponding XenDesktop Service

ADIdentitySchema_ROLE

AD Identity Service

chr_Broker

chr_Controller

Broker Service

ConfigurationSchema_ROLE

Central Configuration Service

DesktopUpdateManagerSchema_ROLE

Desktop Update Manager Service

HostingUnitServiceSchema_ROLE

Hosting Management Service

MachinePersonalitySchema_ROLE

(This is no longer present on 7.x DBs)
NA
ConfigLoggingSchema_ROLE

(added in XenDesktop 7.0 and later)
Configuration Logging Service
ConfigLoggingSiteSchema_ROLE

(added in XenDesktop 7.0 and later)
Configuration Logging Service
DAS_ROLE

(added in XenDesktop 7.0 and later)
Delegated Admin service
MonitorData_ROLE

(added in XenDesktop 7.0 and later)
Monitor Service
StorefrontSchema_ROLE

(added in XenDesktop 7.0 and later)
StoreFront Service

Note: This is not the real StoreFront service which are web services in IIS and some other Windows services such as Credential Wallet and Configuration Replication. This is a XenDesktop integration service with StoreFront.
Analytics_ROLE

(added in XenDesktop 7.0 and later)
Analytics Service
AppLibrarySchema_ROLE App library service
EnvTestServiceSchema_ROLE Env Test service
Monitor_ROLE Monitor service
OrchestrationSchema_ROLE Orchestration service
TrustSchema_ROLE FMA trust service


Each one of the preceding roles has the minimum permissions granted to it to allow the corresponding service on the controller to function. These permissions are restricted to execute on stored procedures and read on some tables.

For a controller that is on the same machine as the database server, the model is as in the preceding diagram except that the logon and user relate to the local NetworkService account. In this case, both the logon and user names are ‘NT AUTHORITYNETWORK SERVICE’.

Notes

  • All server logons, database users, roles and permissions are created as required either by Desktop Studio, or through the scripts obtained directly from the service-specific SDKs. No further configuration is required.

  • It should never be necessary to manual modify the users, roles, or permissions created within the XenDesktop database.

Administrative Permissions

The permissions required to perform various administrative operations on a XenDesktop database are shown in the following table. Because it is envisaged that these are typically performed by a database administrator, no operation-specific database roles are provided, thus db_owner rights are usually required as shown.

All of these operations can be performed using Desktop Studio, if required. In these cases, a direct connection is made from Desktop Studio to the database server; thus, the Desktop Studio user must either have a database server account that is explicitly a member of the appropriate server roles or be able to provide credentials of an account that is. Such direct database access is only used for the following operations; all other operations go through the underlying XenDesktop services.

Operation

Purpose

Server Roles

Database Roles

Database Creation

Create suitable empty database for use by XenDesktop.

See note [4] below.

dbcreator

NA

Schema Creation

Create all service-specific database schemas and add first controller to site.

securityadmin

db_owner

Add Controller

Add controller (other than the first) to site.

securityadmin

db_owner

Add Controller (mirror server)

Add controller login to the database server currently in the mirror role of a mirrored XenDesktop database.

securityadmin

NA

Remove Controller

Remove controller from site.

See note [5] below.

db_owner

Schema Update

Apply schema updates/hotfixes.

NA

db_owner

Notes

  1. While technically more restrictive, in practice, the securityadmin server role should be treated as equivalent to the sysadmin server role.

  2. Where the preceding operations are performed using Desktop Studio, the user account must currently explicitly be a member of the sysadmin server role.

  3. The accounts used to perform the preceding administrative operations are never recorded by the XenDesktop site. An account that was previously used for an operation can subsequently be removed without impacting the site in any way.

  4. When an empty database is created using Desktop Studio, it is created with all default attributes except for the following:

    • The collation sequence is set to Latin1_General_CI_AS_KS. Where a database is created manually, any collation sequence can be used provided that it is case-insensitive, ascent-sensitive, and kanatype-sensitive (typically the collation sequence name ends with _CI_AS_KS).
    • The recovery model is set to Simple. For use as a mirrored database, this must be changed to Full.
  5. When a controller is removed from a site, either directly through Desktop Studio, or using the scripts generated by Desktop Studio or SDK, the controller logon to the database server is not removed. This is to avoid potentially removing a logon being used by non-XenDesktop services on the same machine. The logon must be removed manually if it is no longer required; this requires securityadmin server role membership.

Additional Resources

Citrix Documentation – System requirements for XenDesktop

Refer to the following for more information on Microsoft SQL Server roles:

Related:

How to Remove Files Remaining on System after Uninstalling Receiver for Mac

After uninstalling the Receiver and rebooting the system, ensure that the files or folders listed in this section have been removed from your system. If they still exist, remove them manually.

  1. /Applications-

    Citrix Receiver.app

  2. /Library

    – /Internet plug-ins/CitrixICAClientPlugIn.plugin

    – /LaunchAgents/com.citrix.AuthManager_Mac.plist

    – /LaunchAgents/com.citrix.ServiceRecords.plist

  3. /Users/Shared

    – /Citrix/Receiver Integration (entire folder)

  4. ~/Library

    – /Internet plug-ins/CitrixICAClientPlugIn.plugin

    – /Application Support/Citrix Receiver

    – CitrixID

    – Config

    – Module

    – /Preferences/com.citrix.receiver.nomas.plist

    – /Preferences/com.citrix.receiver.nomas.plist.lockfile

    – /Preferences/com.citrix.ReceiverFTU.AccountRecords.plist (added in 11.6)

    – /Preferences/com.citrix.ReceiverFTU.AccountRecords.plist.lockfile (added in 11.6)

  5. ~/Applications

    – Under this folder, you can delete any applications you previously added via the Receiver UI.

  6. /private/var/db/receipts

    – com.citrix.ICAClient.bom

    – com.citrix.ICAClient.plist

Important Notes

  • A tilde (~) placed at the beginning of a folder path refers to that folder’s location within the user profile. For example, ~/Library/Preferences/ refers to the Preferences folder within the user’s Library folder (e.g. /Users/<username>/Library/Preferences/). A path without a tilde refers to the system-wide version of that folder at the root of the system (e.g. /Library/Preferences/).

  • Note that certain folder mentioned in the list can be hidden directories on the system.

  • It is important to remember that certain items mentioned in this article might not exist on your system depending on the Receiver version(s) you previously installed.

Follow Me Data Notes

In version 11.6, the Follow Me Data feature is integrated into the Citrix Receiver for Mac. The files and folders that are compatible with this feature are listed.

You can remove the files that were not properly cleaned up by the uninstaller. You can also keep the user data that was previously synchronized on your system by Follow Me Data.

  1. The following locations should be cleaned up after running the uninstaller utility:

    – ~/Applications/Citrix/FollowMeData (this is a hidden folder that contains the application binary)

    – ~/Library/Application Support/ShareFile (contains user specific configurations)

    – /Library/PreferencePanes/FMDSysPrefPane.prefPane

  2. Installation information files that are okay to remove after uninstall:

    – /private/var/db/receipts/com.citrix.ShareFile.installer.plist

    – /private/var/db/receipts/com.citrix.ShareFile.installer.bom

File not cleaned up during uninstall that you may or may not want to delete depending on your needs:

– ~/ShareFile (contains the user data synchronized by Follow Me Data)

– /private/var/db/receipts

– com.citrix.ShareFile.installer.plist

– com.citrix.ShareFile.installer.bom


If you are Unable to find the Citrix WorkSpace App running on your MAC and if you want to forcefully quit

Press Cmd + Alt + Escape to see the Force Quit Applications menu.

This will show running apps, and lets you force-quit them if necessary – just highlight the Citrix WorkSpace App and click Force Quit.

Related:

Custom Theme Text Strings do not work with custom LoginSchemas

To resolve this behavior, you must copy any custom labels for schemas from “/var/netscaler/logon/LogonPoint/custom/strings.en.json” into “/var/netscaler/logon/themes/<custom_theme_name>/strings.en.json”

Note: For language localization, the filename strings.en.json refers to English strings, and there are other files for other locales, such as ‘de’. Hence, to fix this for other languages, one would need to follow the below but replace ‘en’ in “strings.en.json” with ‘de’ or other appropriate locale designation for the respective locale. For example: strings.de.json

Related:

App Layering Recipe for Java

Licensing Considerations

There are no licensing considerations with Java.

Layering Naming and Versioning

Unidesk recommends including the OS Type and OS bit level in the name, for Example Java Win7x32. For versions remember that when choosing a layer you can see the version name but not the version description. Use naming that will allow you to differentiate versions appropriately. Java is updated frequently so it is recommended to use a format of Date and Time for versions. For example while still in development/testing “2/6/2013 9:57AM QA ONLY”, but when ready for production “2/6/2013 9:57AM”.


Installation Steps

Java can easily be downloaded from http://www.java.com. You can also download the installer and install from a network share if desired.


Updates

Java, by default, will want to automatically update itself. If Java is allowed to do this, the updates will go into the personalization layer and thereby bloat the personalization with unnecessary updates. It is best to turn off automatic updates completely.

Unidesk recommends using Group Policy to disable automatic updates or you can manually set the flag in the registry when building the application layer. If you are using 32-bit Java on a 32-bit system or 64-bit Java on a 64-bit system the key is HKEY_LOCAL_MACHINESoftwareJavaSoftJava UpdatePolicy. The entry is called EnableJavaUpdate and is a DWORD value. Setting the value to 0 will disable automatic updates. If you are using 32-bit Java on a 64-bit system the key is a little different. It can be found at HKEY_LOCAL_MACHINESoftwareWoW6432NodeJavaSoftJava UpdatePolicy. The value is still the same as above.

There is also a java scheduled updater that gets added to the registry that needs to be removed or the updater will still run. It’s in HKLMSoftwareMicrosoftWindowsCurrentVersionRun it runs the jusched.exe file at startup and should be pulled for VDI images or any image that shouldn’t be auto updating.

So the scheduled tasks that sometimes get added would need to be disabled.


Considerations for Non-Persistent Desktops

None

Related: