In the last few years I have mostly implemented ShareFile Enterprise as part of the XenMobile Enterprise edition and therefore configured the XenMobile server as a SAML identity provider for ShareFile SSON. In the last few months I have also seen some companies that were only interested in the Citrix ShareFile solution without XenMobile. In that case there are some alternative ways to provide users with single sign-on (SSON) to ShareFile, for example ADFS.
Another very good alternative is to provide SSON with Microsoft Azure AD. Most companies already have Azure AD up and running these days if they use products like Microsoft Office 365 or the Microsoft Enterprise + Security suite. In addition, it is pretty easy to configure, as I will show you in this blog.
Microsoft Azure AD
Before you can configure Citrix ShareFile SSON with Microsoft Azure AD you need to make sure Azure AD is configured correctly. This means that the domain name used for the end users' email addresses is added to the list of domains. I highly recommend configuring directory integration to automatically synchronize on-premises user accounts to Azure AD with the Azure AD Connect tool. For instructions on how to configure Azure AD directory integration see: Integrating your on-premises identities with Azure Active Directory
For this blog I use my own test environment. I have an on-premises Domain Controller on which I have created a ShareFile security group and two test users that are members of that ShareFile security group.
Note: Make sure that all users have a valid E-mail address.
I have configured directory integration with Azure AD so the test users and the ShareFile security group are synchronized to Azure AD.
Configuring the ShareFile User Management Tool
For user synchronization between your on-premises domain and the ShareFile Control Plane, install the Citrix ShareFile User Management Tool (UMT). The installation is straightforward (next, next, finish). The configuration steps are specified below.
Open the ShareFile User Management Tool and log in with the ShareFile superuser / admin account
Log in with your on-premises domain administrator account and click Connect
Click on Groups
Search for the ShareFile AD Group and click Add Rule
In the Edit Users Rule dialog, make sure that How will your employees log in? is set to AD-Integrated. Configure the other settings like Storage Zone and user rights and click on Save and Close.
Click on Commit Now. The users and group are now created in the ShareFile Control Plane. It’s also recommended to Schedule this task so users will be automatically provisioned at a scheduled time.
As you can see, the users are now created in the Citrix ShareFile Control Plane.
Configure ShareFile Single Sign-on with Azure AD
Open a web browser and navigate to the classic Microsoft Azure portal: http://manage.windowsazure.com
Navigate to Active Directory > <Your Directory> > Applications
On the bottom of the screen, click on Add
Click on Add an application from the gallery
Search for the ShareFile app and click on the checkmark
Click on Configure single sign-on
Select Microsoft Azure AD Single Sign-On and click the next button.
Select the option Show advanced settings and fill in the following information:
SIGN ON URL : https://<account name>.sharefile.com/saml/login
IDENTIFIER : https://<account name>.sharefile.com/saml/info
REPLY URL : https://<account name>.sharefile.com/saml/acs
Download the certificate, open it in Notepad, select all the text and copy it (CTRL+C)
Open a second tab (do not close the first one) in your web browser and navigate to the Citrix ShareFile Admin Plane (https://<account name>.sharefile.com). Log in with the administrator account and go to: Admin > Configure Single Sign-On
Under X.509 Certificate click Import or Change and paste all the text from the certificate file
Fill in the following information:
Your IDP Issuer / Entity ID: copy/paste the ENTITY ID URL from the Configure SSON Azure AD browser tab
ShareFile Issuer / Entity ID: https://<account name>.sharefile.com/saml/info
Login URL: copy/paste the REMOTE LOGIN URL from the Configure SSON Azure AD browser tab
Logout URL: copy/paste the REMOTE LOGOUT URL from the Configure SSON Azure AD browser tab
Scroll down and configure the following:
Require SSO Login: Enabled
SP-Initiated SSO certificate: HTTP Redirect with no signature
Enable Web Authentication: Enabled
SP-Initiated Auth Context: Unspecified – Exact
Go back to the first browser tab and select Confirm that you have configured single sign-on as described above and click the next button.
Check if the Notification E-Mail address is correct and click on the checkmark
Click on Assign accounts
Search for the ShareFile group, select it and click on Assign
Test if ShareFile SSON with Azure AD is working
The final step is to test the configuration.
Open a browser, navigate to https://myapps.microsoft.com and log in with a test user / test account
If everything is correct the Citrix ShareFile application is displayed in the Microsoft My Apps portal.
Click on Citrix ShareFile
The user is automatically logged in to the ShareFile portal without the need to re-enter his account credentials.
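As an added check on the SP-initiated side, the following Python script (written for this post, not Citrix's or Microsoft's code) decodes the SAMLRequest that the ShareFile /saml/login redirect sends to Azure AD and compares it with the values entered above: the ShareFile Issuer / Entity ID, the Reply URL, the Unspecified – Exact auth context and the absence of a request signature. The account name "example" and the IdP login URL used in build_sample_url are placeholders; in practice you would paste the Location header of the /saml/login redirect into check_request.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

def decode_redirect_request(url):
    """Return the AuthnRequest XML carried in the SAMLRequest query parameter."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    # The HTTP-Redirect binding uses raw DEFLATE without a zlib header, hence wbits=-15.
    return zlib.decompress(raw, -15).decode("utf-8")

def check_request(url, account):
    """Compare the request with the values entered in ShareFile; return a list of findings."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    root = ET.fromstring(decode_redirect_request(url))
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    acs = root.get("AssertionConsumerServiceURL", "")
    ctx = root.find("samlp:RequestedAuthnContext", NS)
    cls = ctx.findtext("saml:AuthnContextClassRef", default="", namespaces=NS) if ctx is not None else ""
    comparison = ctx.get("Comparison", "exact") if ctx is not None else ""
    findings = []
    if issuer != f"https://{account}.sharefile.com/saml/info":
        findings.append(f"Issuer {issuer!r} does not match the ShareFile Issuer / Entity ID")
    if acs != f"https://{account}.sharefile.com/saml/acs":
        findings.append(f"AssertionConsumerServiceURL {acs!r} does not match the Reply URL")
    if cls != UNSPECIFIED or comparison != "exact":
        findings.append(f"auth context {cls!r} / {comparison!r} is not Unspecified - Exact")
    if "Signature" in query:
        findings.append("request is signed, but HTTP Redirect with no signature was configured")
    return findings

def build_sample_url(idp_login_url, account):
    """Constructed AuthnRequest for this example, not captured from a real ShareFile tenant."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_example1" Version="2.0" IssueInstant="2017-01-01T00:00:00Z" '
           f'Destination="{idp_login_url}" '
           f'AssertionConsumerServiceURL="https://{account}.sharefile.com/saml/acs">'
           f'<saml:Issuer>https://{account}.sharefile.com/saml/info</saml:Issuer>'
           f'<samlp:RequestedAuthnContext Comparison="exact">'
           f'<saml:AuthnContextClassRef>{UNSPECIFIED}</saml:AuthnContextClassRef>'
           f'</samlp:RequestedAuthnContext></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as the binding requires
    data = base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")
    return idp_login_url + "?" + urllib.parse.urlencode({"SAMLRequest": data})
```

An empty list from check_request means the request matches the configuration; each finding names the ShareFile field to recheck.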