In October this year, virtualization.info covered the expected features of Citrix XenDesktop 5.0, which was released at the beginning of this month. That article covered the new platform client, called Citrix Receiver, and the fact that it would use a new Single Sign On (SSO) technology, called OpenCloud Access, allowing a corporate user to access both on-premise and cloud-based applications. How this new SSO would work, and what its limitations were, wasn’t clear at that time though.
Now Simon Crosby, Chief Technology Officer at Citrix, has detailed the capabilities of Citrix OpenCloud Access in a post on the Citrix blog.
With XenDesktop 5.0 end-users will be presented with a fully integrated Receiver and self-service Enterprise Dazzle application store. Single authentication using OpenCloud Access will allow users to pick any application, have it provisioned immediately to their virtual desktop using the appropriate delivery technology and then be able to use it immediately. SSO in this case will work seamlessly across Windows Desktop applications, applications used by administrators to manage the infrastructure, enterprise web applications and applications coming from a Software as a Service (SaaS) provider.
In addition, OpenCloud Access builds a SAML-based Identity Management Fabric, which permits federation of enterprise Identity and Access Management (IAM) systems and applications with the IAM systems and applications of third-party providers. It also offers connectors for a wide range of legacy applications and supports OpenID.
By having NetScaler provide the authoritative DNS used by the Receiver to reach applications, Citrix can ensure that all of a user’s traffic goes through the OpenCloud Access system and that users do not access applications directly.
In a nutshell:
• The request to access any application or desktop is redirected to, or transparently intercepted by, OpenCloud Access based on its position in the network.
• The user’s identity is validated and privileges are established using records of preference (typically located in an enterprise directory).
• The corresponding AppConnector signs the user in to the requested application without the user ever seeing the associated logon screen.
• For applications using SAML or other federated authentication technologies, all that is required is to configure them to point to OpenCloud Access as the authoritative source for identity information.
• Once the logon process is complete, OpenCloud Access allows direct communication between user and application.