Product Documentation

Configuring XenMobile and the ShareFile App for Single Sign-On Using SAML

Jun 19, 2015

You can configure XenMobile and ShareFile to use Security Assertion Markup Language (SAML) to provide single sign-on (SSO) access to ShareFile mobile apps that are wrapped with the MDX toolkit, as well as to non-wrapped ShareFile clients, such as the web site, Outlook plugin, or sync clients.

  • For wrapped ShareFile apps. Users who log on to ShareFile through the ShareFile mobile app are redirected to Worx Home for user authentication and to acquire a SAML token. After successful authentication, the ShareFile mobile app sends the SAML token to ShareFile. After the initial log on, users can access the ShareFile mobile app through SSO and can attach documents from ShareFile to WorxMail emails without logging on each time.
  • For non-wrapped ShareFile clients. Users who log on to ShareFile using a web browser or other ShareFile client are redirected to XenMobile for user authentication and to acquire a SAML token. After successful authentication, the SAML token is sent to ShareFile. After the initial log on, users can access ShareFile clients through SSO without logging on each time.

Prerequisites

You must complete the following prerequisites before you can configure SSO with XenMobile and ShareFile apps:

  • MDX Toolkit Version 9.0.4 or later (for ShareFile mobile apps)
  • ShareFile mobile apps as appropriate:
    • ShareFile for iPhone Version 3.0.x
    • ShareFile for iPad Version 2.2.x
    • ShareFile for Android Version 3.2.x
  • Worx Home 9.0 (for ShareFile mobile apps)

    Install the iOS or Android version as appropriate.

  • ShareFile administrator account

Ensure that XenMobile and ShareFile are able to connect. For information about checking connectivity, see Conducting Connectivity Checks.

Configure ShareFile Access

Before configuring SAML for ShareFile, provide ShareFile access information as follows:

  1. In the XenMobile web console, click Configure > Settings. The Settings page appears.

    [Figure: Select ShareFile]

  2. Click More and then under ShareFile, click ShareFile. The ShareFile configuration page appears.

    [Figure: ShareFile configuration page]

  3. Configure the following settings:
    • Domain: Type your ShareFile subdomain name; for example, example.sharefile.com.
    • Choose delivery groups: Select or search for the delivery groups that you want to be able to use SSO with ShareFile.
    • User name: Type the ShareFile administrator user name. This user must have administrator privileges.
    • Password: Type the ShareFile administrator password.
    • User account provisioning: Turn on this option if you want to enable user provisioning in XenMobile; leave it disabled if you plan to use the ShareFile User Management Tool for user provisioning.
      Note: If User account provisioning is enabled and a user without a ShareFile account is included in the selected delivery groups, XenMobile automatically provisions a ShareFile account for that user. Citrix recommends that you test the configuration with a delivery group that has a small membership, so that you do not unintentionally provision accounts for a large number of users at once.
  4. Click Save.

Configure SAML for Wrapped ShareFile MDX Apps

The following steps apply to iOS and Android apps and devices.

  1. With the MDX Toolkit, wrap the ShareFile mobile app. For more information about wrapping apps with the MDX Toolkit, see Wrapping Apps with the MDX Toolkit.
  2. In XenMobile, upload the wrapped ShareFile mobile app. For information about uploading MDX apps, see To add an MDX app to XenMobile.
  3. Verify the SAML settings by logging on to ShareFile with the administrator user name and password you configured in Configure ShareFile Access.
  4. Ensure that ShareFile and XenMobile are configured for the same time zone.
    Note: Different time zones can result in mismatched time stamps, leading to SSO failure.
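The note above describes the failure mode but not the mechanism. The following added check (not part of the original documentation) evaluates a constructed SAML 2.0 assertion's Conditions element against a given clock reading, with a small skew allowance, and shows that a one-hour clock offset on either side makes the same token read as expired or not yet valid.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (not a captured token): valid for five minutes from 10:00 UTC.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2015-06-19T10:00:00Z" NotOnOrAfter="2015-06-19T10:05:00Z"/>
</saml:Assertion>"""


def parse_saml_instant(value):
    """SAML dateTime values are expressed in UTC with a trailing 'Z'; anything else is rejected."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamp is not UTC: " + value)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now_iso, skew_minutes=3):
    """Return 'valid', 'not yet valid' or 'expired' for the assertion as seen by a clock reading now_iso.

    now_iso is the verifier's current time in the same UTC format as the assertion. If that clock is
    set to local time but labelled UTC (the time-zone mismatch the note warns about), the comparison
    is off by the zone offset and the token is rejected.
    """
    now = parse_saml_instant(now_iso)
    skew = timedelta(minutes=skew_minutes)  # tolerance for ordinary clock drift, not zone offsets
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    not_before = parse_saml_instant(cond.get("NotBefore"))
    not_on_or_after = parse_saml_instant(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        return "not yet valid"
    if now - skew >= not_on_or_after:
        return "expired"
    return "valid"


if __name__ == "__main__":
    for clock in ("2015-06-19T10:01:00Z",   # clocks agree
                  "2015-06-19T11:01:00Z",   # verifier one hour ahead
                  "2015-06-19T09:01:00Z"):  # verifier one hour behind
        print(clock, check_conditions(SAMPLE_ASSERTION, clock))
```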

Validate the ShareFile mobile app

  1. On the user device, if it has not already been done, install and configure Worx Home.
  2. From the Worx Store, download and install the ShareFile mobile app.
  3. Start the ShareFile mobile app.

    ShareFile starts without prompting for user name or password.

Validate with WorxMail

  1. On the user device, if it has not already been done, install and configure Worx Home.
  2. From the Worx Store, download, install, and configure WorxMail.
  3. Open a new email form and then tap Attach from ShareFile.

    Files available to attach to the email are shown without asking for user name or password.

Configure NetScaler Gateway for Other ShareFile Clients

If you want to configure access for non-wrapped ShareFile clients, such as the web site, Outlook plugin, or the sync clients, you must configure NetScaler Gateway to support the use of XenMobile as a SAML identity provider as follows:
  • Disable home page redirection.
  • Create a ShareFile session policy and profile.
  • Configure policies on the NetScaler Gateway virtual server.

Disable home page redirection

You must disable the default behavior for requests that come through the /cginfra path so that the user sees the original requested internal URL instead of the configured home page.
  1. Edit the settings for the NetScaler Gateway virtual server that is used for XenMobile logons. In NetScaler 10.5, go to Other Settings and then clear the check box labeled Redirect to Home Page.

    [Figure: Redirect home page]

  2. Under ShareFile, type your XenMobile internal server name and port number.
  3. Under AppController, type your XenMobile URL.

    This configuration authorizes requests to the URL you entered through the /cginfra path.

Create a ShareFile session policy and request profile

Configure the following settings to create a ShareFile session policy and request profile:
  1. In the NetScaler Gateway configuration utility, in the left-hand navigation pane, click NetScaler Gateway > Policies > Session.
  2. Create a new session policy. On the Policies tab, click Add.
  3. In the Name field, type ShareFile_Policy.
  4. Create a new action by clicking the + button.

    The Create NetScaler Gateway Session Profile screen appears. Configure the following settings:

    [Figure: Configure NetScaler Gateway session policy - client experience]

    1. Name: Type ShareFile_Profile.
    2. Click the Client Experience tab and then configure the following settings:
      1. Home Page: Type none.
      2. Session Time-out (mins): Type 1.
      3. Single Sign-on to Web Applications: Select this setting.
      4. Credential Index: In the list, click PRIMARY.
    3. Click the Published Applications tab and then configure the following settings:

      [Figure: Configure NetScaler Gateway session profile - published applications]

      1. ICA Proxy: In the list, select ON.
      2. Web Interface Address: Type your XenMobile server URL.
      3. Single Sign-on Domain: Type your Active Directory domain name.
        Note: When configuring the NetScaler Gateway Session Profile, the domain suffix for Single Sign-on Domain must match the XenMobile domain alias defined in LDAP.
  5. Click Create to define the session profile.
  6. Click Expression Editor and then configure the following settings:

    [Figure: Configure NetScaler Gateway session profile - add expression]

    1. Value: Type NSC_FSRD.
    2. Header Name: Type COOKIE.
    3. Click Done.
  7. Click Create and then click Close.

Configure policies on the NetScaler Gateway virtual server

Configure the following settings on the NetScaler Gateway virtual server.

  1. In the NetScaler Gateway configuration utility, in the left-hand navigation pane, click NetScaler Gateway > Virtual Servers.
  2. In the Details pane, click your NetScaler Gateway virtual server.
  3. Click Edit.
  4. Click Configured policies > Session policies and then click Add binding.
  5. Select ShareFile_Policy.
  6. Edit the auto-generated Priority number for the selected policy so that it has the highest priority (the smallest number) in relation to any other policies listed, as shown in the following figure.

    [Figure: Add binding to NetScaler Gateway virtual server]

  7. Click Done and then save the running NetScaler configuration.

Configure SAML for non-MDX ShareFile apps

Use the following steps to find the internal app name for your ShareFile configuration.

  1. Log on to the XenMobile admin tool using the URL https://<XenMobile server>:4443/OCA/admin/. Be sure to enter "OCA" in uppercase letters.
  2. In the View list, click Configuration.

    [Figure: Log on to XenMobile configuration tool]

  3. Click Applications > Applications and note the Application Name for the app with the Display Name "ShareFile".

    [Figure: Find ShareFile app name]

Modify the ShareFile.com SSO settings

  1. Log on to your ShareFile account (https://<subdomain>.sharefile.com) as a ShareFile administrator.
  2. In the ShareFile web interface, click Admin and then select Configure Single Sign-on.
  3. Edit the Login URL as follows:

    The Login URL should look similar to: https://xms.citrix.lab/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML_SP&reqtype=1.

    [Figure: Edit Login URL]

    1. Insert the NetScaler Gateway virtual server external FQDN plus "/cginfra/https/" in front of the XenMobile server FQDN, and then append ":8443" to the XenMobile FQDN.

      The URL should now look similar to this: https://nsgateway.acme.com/cginfra/https/xms.citrix.lab:8443/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML_SP&reqtype=1

    2. Change the parameter &app=ShareFile_SAML_SP to the internal ShareFile application name from step 3 in Configure SAML for non-MDX ShareFile apps. The internal name is ShareFile_SAML by default; however, every time you change your configuration, a number is appended to the internal name (ShareFile_SAML_2, ShareFile_SAML_3, and so on).

      The URL should now look similar to this: https://nsgateway.acme.com/cginfra/https/xms.citrix.lab:8443/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML&reqtype=1

    3. Add "&nssso=true" to the end of the URL.

      The modified URL should now look similar to: https://nsgateway.acme.com/cginfra/https/xms.citrix.lab:8443/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML&reqtype=1&nssso=true.

      Important: Each time you edit or recreate the ShareFile app or change the ShareFile settings in the XenMobile console, a new number is appended to the internal application name, which means you must also update the Login URL on the ShareFile web site to reflect the updated app name.
  4. Under Optional Settings, select the Enable Web Authentication check box.

    [Figure: Optional settings]

  5. Click Save.
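The three edits to the Login URL in step 3 above are easy to get wrong by hand, and the Important note means they have to be repeated whenever the internal app name changes. The following added script (not part of the original documentation) applies those edits to the default Login URL and separately checks a configured Login URL for the expected form; the gateway FQDN, XenMobile FQDN and internal app name are the page's own sample values and are placeholders for your environment.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Internal app name as assigned by XenMobile: ShareFile_SAML, then ShareFile_SAML_2, _3, ...
INTERNAL_APP_RE = re.compile(r"^ShareFile_SAML(_\d+)?$")
CGINFRA_PATH_RE = re.compile(r"^/cginfra/https/([^/:]+):(\d+)/samlsp/websso\.do$")


def build_login_url(original_url, gateway_fqdn, internal_app_name, xms_port="8443"):
    """Apply the three documented edits to the default ShareFile Login URL."""
    parts = urlsplit(original_url)
    # 1. gateway FQDN + /cginfra/https/ in front of the XenMobile FQDN, with :8443 after it
    path = f"/cginfra/https/{parts.hostname}:{xms_port}{parts.path}"
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    # 2. app= becomes the internal application name shown in the XenMobile admin tool
    query["app"] = internal_app_name
    # 3. nssso=true goes on the end
    query["nssso"] = "true"
    return urlunsplit(("https", gateway_fqdn, path, urlencode(query), ""))


def check_login_url(url, gateway_fqdn):
    """Return the problems found in a configured Login URL; an empty list means it has the expected form."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.hostname != gateway_fqdn.lower():
        problems.append("host is not the NetScaler Gateway external FQDN")
    m = CGINFRA_PATH_RE.match(parts.path)
    if m is None:
        problems.append("path is not /cginfra/https/<XenMobile FQDN>:<port>/samlsp/websso.do")
    elif m.group(2) != "8443":
        problems.append("XenMobile port is not 8443")
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    if query.get("action") != "authenticateUser" or query.get("reqtype") != "1":
        problems.append("action=authenticateUser and reqtype=1 are missing or changed")
    if not INTERNAL_APP_RE.match(query.get("app", "")):
        problems.append("app= is not a ShareFile_SAML[_N] internal application name")
    if query.get("nssso") != "true":
        problems.append("nssso=true is missing")
    return problems


if __name__ == "__main__":
    default_url = ("https://xms.citrix.lab/samlsp/websso.do"
                   "?action=authenticateUser&app=ShareFile_SAML_SP&reqtype=1")
    fixed = build_login_url(default_url, "nsgateway.acme.com", "ShareFile_SAML")
    print(fixed)
    print(check_login_url(default_url, "nsgateway.acme.com"))  # what the unedited URL still lacks
    print(check_login_url(fixed, "nsgateway.acme.com"))        # []
```

Re-run check_login_url against the Login URL saved in ShareFile after any change to the ShareFile app or settings in the XenMobile console; an app= value that no longer matches the name shown in the admin tool is the usual cause of a broken redirect.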

Validate the configuration

Do the following to validate the configuration.

  1. Point your browser to https://<subdomain>.sharefile.com/saml/login.

    You are redirected to the NetScaler Gateway logon form. If you are not redirected, verify the preceding configuration settings.

  2. Enter the user name and password for the NetScaler Gateway and XenMobile environment you configured.

    Your ShareFile folders at <subdomain>.sharefile.com appear. If you do not see your ShareFile folders, ensure that you entered the correct logon credentials.