SAML for single sign-on with ShareFile

You can configure Endpoint Management and ShareFile to use Security Assertion Markup Language (SAML) to provide single sign-on (SSO) access to ShareFile mobile apps. This functionality includes ShareFile apps that are wrapped with the MDX Service or MDX Toolkit and non-wrapped ShareFile clients, such as the website, Outlook plug-in, or sync clients.

  • For wrapped ShareFile apps. Users who log on to ShareFile through the ShareFile mobile app are redirected to Secure Hub for user authentication and to acquire a SAML token. After successful authentication, the ShareFile mobile app sends the SAML token to ShareFile. After the initial logon, users can access the ShareFile mobile app through SSO. They can also attach documents from ShareFile to Secure Mail mails without logging on each time.
  • For non-wrapped ShareFile clients. Users who log on to ShareFile using a web browser or other ShareFile client are redirected to Endpoint Management. Endpoint Management authenticates the users, who then acquire a SAML token which is sent to ShareFile. After the initial logon, users can access ShareFile clients through SSO without logging on each time.

To use Endpoint Management as a SAML identity provider (IdP) to ShareFile, you must configure Endpoint Management to use ShareFile Enterprise, as described in this article. Alternatively, you can configure Endpoint Management to work only with StorageZone Connectors. For more information, see ShareFile use with Endpoint Management.

For a detailed reference architecture diagram, see Architecture.

Prerequisites

Complete the following prerequisites before you can configure SSO with Endpoint Management and ShareFile apps:

  • The MDX Service or a compatible version of the MDX Toolkit (for ShareFile mobile apps).

    For more information, see Endpoint Management compatibility.

  • A compatible version of ShareFile mobile apps and Secure Hub.
  • ShareFile administrator account.
  • Connectivity verified between Endpoint Management and ShareFile.

Configure ShareFile access

Before setting up SAML for ShareFile, provide ShareFile access information as follows:

  1. In the Endpoint Management web console, click Configure > ShareFile. The ShareFile configuration page appears.

    Image of ShareFile configuration screen

  2. Configure these settings:

    • Domain: Type your ShareFile subdomain name. For example: example.sharefile.com.
    • Assign to delivery groups: Select or search for the delivery groups that you want to be able to use SSO with ShareFile.
    • ShareFile Administrator Account Logon:
      • User name: Type the ShareFile administrator user name. This user must have administrator privileges.
      • Password: Type the ShareFile administrator password.
    • User account provisioning: To enable user provisioning in Endpoint Management, enable this setting. To use the ShareFile User Management Tool for user provisioning, leave this setting disabled.

    Note:

    If you enable User account provisioning and the selected roles include a user who does not have a ShareFile account, Endpoint Management automatically provisions a ShareFile account for that user. Citrix recommends that you test the configuration with a role that has a small membership, so that you do not unintentionally provision accounts for many users who do not yet have one.

  3. Click Test Connection to verify that the user name and password for the ShareFile administrator account authenticate to the specified ShareFile account.

  4. Click Save. Endpoint Management syncs with ShareFile and updates the ShareFile settings (ShareFile Issuer/Entity ID and Login URL).

Set up SAML for Wrapped ShareFile MDX Apps

The following steps apply to iOS and Android apps and devices.

  1. Wrap the ShareFile mobile app with MDX. For details, see Endpoint Management MDX Service.

  2. In the Endpoint Management console, upload the wrapped ShareFile mobile app. For information about uploading MDX apps, see To add an MDX app to Endpoint Management.

  3. Verify the SAML settings: Log on to ShareFile with the administrator user name and password you configured above.

  4. Verify that ShareFile and Endpoint Management are configured for the same time zone. Ensure that Endpoint Management shows the correct time for the configured time zone. If not, SSO might fail.

Validate the ShareFile mobile app

  1. On the user device, install and configure Secure Hub.

  2. From the app store, download and install the ShareFile mobile app.

  3. Start the ShareFile mobile app. ShareFile starts without prompting for user name or password.

Validate with Secure Mail

  1. On the user device, if it has not already been done, install and configure Secure Hub.

  2. From the app store, download, install, and set up Secure Mail.

  3. Open a new email form and then tap Attach from ShareFile. Files available to attach to the email are shown without asking for user name or password.

Configure the NetScaler Gateway for Other ShareFile Clients

To configure access for non-wrapped ShareFile clients, such as the website, Outlook plug-in, or the sync clients, configure NetScaler Gateway to support the use of Endpoint Management as a SAML identity provider, as follows:

  • Disable home page redirection.
  • Create a ShareFile session policy and profile.
  • Configure policies on the NetScaler Gateway virtual server.

Disable home page redirection

Disable the default behavior for requests that come through the /cginfra path. Doing so lets users see the originally requested internal URL instead of the configured home page.

  1. Edit the settings for the NetScaler Gateway virtual server that is used for Endpoint Management logons. In NetScaler, go to Other Settings and then clear the check box labeled Redirect to Home Page.

    Image of NetScaler screen

  2. Under ShareFile, type your Endpoint Management internal server name and port number.

  3. Under AppController, type your Endpoint Management URL.

    This configuration authorizes requests to the URL you entered through the /cginfra path.

Create a ShareFile session policy and request profile

Configure these settings to create a ShareFile session policy and request profile:

  1. In the NetScaler Gateway configuration utility, in the left-hand navigation pane, click NetScaler Gateway > Policies > Session.

  2. Create a session policy. On the Policies tab, click Add.

  3. In the Name field, type ShareFile_Policy.

  4. Create an action by clicking the + button. The Create NetScaler Gateway Session Profile page appears.

    Image of NetScaler Gateway Session Profile screen

    Configure these settings:

    • Name: Type ShareFile_Profile.
    • Click the Client Experience tab and then configure these settings:
      • Home Page: Type none.
      • Session Time-out (mins): Type 1.
      • Single Sign-on to Web Applications: Select this setting.
      • Credential Index: Click PRIMARY.
    • Click the Published Applications tab.

    Image of NetScaler Gateway Session Profile screen

    Configure these settings:

    • ICA Proxy: Click ON.
    • Web Interface Address: Type your Endpoint Management server URL.
    • Single Sign-on Domain: Type your Active Directory domain name.

      When configuring the NetScaler Gateway Session Profile, the domain suffix for Single Sign-on Domain must match the Endpoint Management domain alias defined in LDAP.

  5. Click Create to define the session profile.

  6. Click Expression Editor.

    Image of NetScaler Gateway Session Profile screen

    Configure these settings:

    • Value: Type NSC_FSRD.
    • Header Name: Type COOKIE.

  7. Click Create and then click Close.

    Image of NetScaler Gateway Session Profile screen

Configure policies on the NetScaler Gateway virtual server

Configure these settings on the NetScaler Gateway virtual server.

  1. In the NetScaler Gateway configuration utility, in the left navigation pane, click NetScaler Gateway > Virtual Servers.

  2. In the Details pane, click your NetScaler Gateway virtual server.

  3. Click Edit.

  4. Click Configured policies > Session policies and then click Add binding.

  5. Select ShareFile_Policy.

  6. Edit the auto-generated Priority number for the selected policy so that it has the highest priority (the smallest number) in relation to any other policies listed. For example:

    Image of VPN Virtual Server Session Policy Binding screen

  7. Click Done and then save the running NetScaler configuration.

Modify the ShareFile.com SSO settings

Make the following changes for both MDX and non-MDX ShareFile apps.

Important:

Each time you edit or recreate the ShareFile app or change the ShareFile settings in Endpoint Management, a new number is appended to the internal application name. As a result, you must also update the Login URL in the ShareFile website to reflect the updated app name.

  1. Log on to your ShareFile account (https://<subdomain>.sharefile.com) as a ShareFile administrator.

  2. In the ShareFile web interface, click Admin and then select Configure Single Sign-on.

  3. Edit the Login URL as follows:

    Here’s a sample Login URL before the edits: https://xms.citrix.lab/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML_SP&reqtype=1

    Image of sample Login URL

    • Insert the NetScaler Gateway virtual server external FQDN plus /cginfra/https/ in front of the Endpoint Management server FQDN, and then add :8443 after the Endpoint Management FQDN.

      Here’s a sample of an edited URL: https://nsgateway.acme.com/cginfra/https/xms.citrix.lab:8443/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML_SP&reqtype=1

    • Change the parameter &app=ShareFile_SAML_SP to the internal ShareFile application name. The internal name is ShareFile_SAML by default. However, every time you change your configuration, a number is appended to the internal name (ShareFile_SAML_2, ShareFile_SAML_3, and so on).

      Here’s a sample of an edited URL: https://nsgateway.acme.com/cginfra/https/xms.citrix.lab:8443/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML&reqtype=1

    • Add &nssso=true to the end of the URL.

      Here’s a sample of the final URL: https://nsgateway.acme.com/cginfra/https/xms.citrix.lab:8443/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML&reqtype=1&nssso=true

  4. Under Optional Settings, select the Enable Web Authentication check box.

    Image of Optional Settings screen
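The three Login URL edits above are easy to get slightly wrong by hand (a missing :8443, a stale app name after the configuration changed, a forgotten &nssso=true), and a broken Login URL simply fails the redirect during validation. The following Python script is an added example, not part of the Citrix article or product: build_login_url applies the three edits to the page's sample URL, and check_login_url reports which of the expected properties a given Login URL is missing, so you can sanity-check the value before pasting it into the ShareFile Configure Single Sign-on page. The function names, the sample hostnames (taken from the page's own samples) and the app-name pattern ShareFile_SAML, ShareFile_SAML_2, ShareFile_SAML_3, ... (derived from the page's description) are assumptions of this example.

```python
"""Build and sanity-check the ShareFile Login URL described in the article.

Example code, not part of Endpoint Management, NetScaler or ShareFile.
Hostnames below are the article's sample values, not real systems.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Internal app name is ShareFile_SAML by default; Endpoint Management appends
# _2, _3, ... after each configuration change (assumption based on the text).
APP_NAME_RE = re.compile(r"^ShareFile_SAML(_\d+)?$")


def build_login_url(original_url, gateway_fqdn, xms_port=8443,
                    app_name="ShareFile_SAML"):
    """Apply the article's three edits to the Login URL that Endpoint
    Management wrote into ShareFile:
      1. prefix with https://<gateway>/cginfra/https/ and add :<port>
         after the Endpoint Management FQDN,
      2. replace the app parameter with the internal application name,
      3. append nssso=true.
    """
    parts = urlsplit(original_url)
    if parts.scheme != "https":
        raise ValueError("Login URL must use https")
    xms_host = parts.hostname  # FQDN only; any port already present is dropped
    query = parse_qs(parts.query, keep_blank_values=True)  # keeps parameter order
    query["app"] = [app_name]
    query["nssso"] = ["true"]
    new_path = f"/cginfra/https/{xms_host}:{xms_port}{parts.path}"
    return urlunsplit(("https", gateway_fqdn, new_path,
                       urlencode(query, doseq=True), ""))


def check_login_url(url, gateway_fqdn, xms_fqdn, xms_port=8443):
    """Return a list of problems found in a candidate Login URL.

    An empty list means the URL has every property the article calls for.
    This is a local syntax check only; the end-to-end test is still the
    /saml/login redirect described under 'Validate the configuration'.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # urlsplit lower-cases the hostname, so compare case-insensitively.
    if parts.hostname != gateway_fqdn.lower():
        problems.append(f"host is {parts.hostname!r}, expected gateway "
                        f"{gateway_fqdn!r}")
    expected_prefix = f"/cginfra/https/{xms_fqdn}:{xms_port}/"
    if not parts.path.startswith(expected_prefix):
        problems.append(f"path does not start with {expected_prefix!r}")
    query = parse_qs(parts.query)
    if query.get("action") != ["authenticateUser"]:
        problems.append("action=authenticateUser is missing")
    app = query.get("app", [""])[0]
    if not APP_NAME_RE.match(app):
        problems.append(f"app={app!r} is not an internal ShareFile app name "
                        "(expected ShareFile_SAML or ShareFile_SAML_<n>)")
    if query.get("nssso") != ["true"]:
        problems.append("nssso=true is missing")
    return problems


if __name__ == "__main__":
    # Sample values from the article (constructed, not real hosts).
    before = ("https://xms.citrix.lab/samlsp/websso.do"
              "?action=authenticateUser&app=ShareFile_SAML_SP&reqtype=1")
    gateway, xms = "nsgateway.acme.com", "xms.citrix.lab"

    print("problems with the unedited URL:")
    for problem in check_login_url(before, gateway, xms):
        print("  -", problem)

    after = build_login_url(before, gateway)
    print("edited URL:", after)
    print("problems with the edited URL:", check_login_url(after, gateway, xms))
```

Run the script as-is to see the unedited sample URL fail all four checks and the edited one pass; after the ShareFile app has been re-created, pass the current internal name (for example app_name="ShareFile_SAML_3") to build_login_url and re-run the check.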

Validate the configuration

Do the following to validate the configuration.

  1. Point your browser to https://<subdomain>.sharefile.com/saml/login.

    You are redirected to the NetScaler Gateway logon form. If you are not redirected, verify the preceding configuration settings.

  2. Enter the user name and password for the NetScaler Gateway and Endpoint Management environment you configured.

    Your ShareFile folders at <subdomain>.sharefile.com appear. If you do not see your ShareFile folders, ensure that you entered the proper logon credentials.