Configure XenMobile as a SAML Identity Provider for ShareFile integration and configuring Clients

As promised in my last blog about installing and configuring ShareFile StorageZone controller I will now go deeper in detail about the SAML configuration for Single Sign-On from XenMobile App Controller and how to configure the ShareFile Sync for Windows client and the ShareFile Outlook Plugin.

After you configured the Citrix NetScaler, StorageZone controller and the ShareFile integration within the XenMobile App Controller as described in my last blog you are not able to logon through the ShareFile webinterface (or Windows clients) with a synced user (you still can with the super user).  For that you need to configure the App Controller as a SAML identity provider for ShareFile.

Let me show you the steps to configure SAML and how to logon with the ShareFile clients…

Create a Web & SaaS application on the AppController

The first step is to create a Web & SaaS ShareFile application on the AppController.
Go to the XenMobile App Controller console and logon.

Open the Apps & Docs tab and on the left side click Web & SaaS. Click on the Plus sign

Add the ShareFile_SAML_SP application

Fill in the following information:

App name: leave as is
Description: leave as is
Cookies Domain: address

 Click Next

Enter the ShareFile superuser account information and click Next

Leave everything default and click Next

Click Next

Click Save

Click on the application and write down the Internal name. This name is needed later in the ShareFile configuration.

Configure the Citrix NetScaler Gateway

Login to the Citrix NetScaler console.

Go to System > Diagnostics  and click on Command line interface

Enter the following command to disable the default behavior for requests that come through the /cginfra path;

set vpn vserver netscaler-gateway-servename -cginfraHomePageRedirect DISABLED

Replace netscaler-gateway-servename with the NetScaler Gateway name used for the App Controller.

The next step is to create a ShareFile session policy and a ShareFile request profile. Go to NetScaler Gateway > Policies > Session and click Add on the Policy tab

Give it ShareFile_Policy as name and next to Request Profile click New

Give it ShareFile_Profile as name. Go to the Client Experience tab and configure the following settings;

Home Page: none
Session Time-out (mins):  1
Credential Index: PRIMARY
Single Sign-on to Web Applications: Enabled

Go to the Published Application tab and configure the following settings;

ICA Proxy: On
Web Interface Address: Your internal App Controller address
Single Sign-on Domain: Your domain name

Click Create

Click Add

Configure the Expression as follows;

Expression Type: General
Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: CONTAINS
Header Name: COOKIE

Click OK

Click Create

Go to NetScaler Gateway > Virtual Servers select the Gateway and click Open

Open the Policies tab and click Insert Policy

Add the ShareFile_Policy created in the previous steps and give it the lowest number as Priority

Go to the Advanced tab and fill in the AppController URL

Click OK and save the Citrix NetScaler configuration.

Configure Citrix ShareFile

The final step to configure XenMobile as SAML identity provider for ShareFile is to configure your ShareFile Account.

Login to your ShareFile account on as superuser / administrator.

Go to Admin > Configure Single Sign-on and change the Login URL to:

– Change “” with your external App Controller address
– Change “appcontroller.hobo.lan” with your internal App Controller address
– Change “ShareFile_SAML_SP10” with your internal name of the SAML app created in the first steps

Click Save

Now you can configure your Windows / Mac clients and logon with a browser using your Active Directory credentials.

Login with your synced user account with a browser

Open your browser and browse to https://subdomain/ You will be redirected to the NetScaler Gateway login page.
Login with your Active Directory credentials, after that you will be redirected to your ShareFile page.

Installing and Configuring the ShareFile Outlook Plugin

The ShareFile Outlook Plugin 2.1 is compatible with the 32 and 64 bit version of Microsoft Outlook 2007, 2010 and 2013.
For SAML authentication first apply the following registry keys;

[HKEY_CURRENT_USER\Software\Citrix\ShareFile\SSO] “Method”=”saml-forms”

Login to ShareFile with a web browser (see previous step) and open the Apps tab to download the Outlook Plug-in

If open, close Microsoft Outlook and start the ShareFile Outlook Plugin installer, select Customize settings and click Next

Select what is applicable and click Next

Select I accept the terms of the license agreement and click Next

Click Done

Enter the e-mail address that is associated with your ShareFile user account and click Next


Enter your ShareFile Subdomain and click Next

Click Begin browser login

Enter your Active Directory credentials and click Log On

Click Next

Select what is applicable and click Next

Select what is applicable and click Finish

Now when composing a new email you have the ShareFile plugin abilities

Installing and Configuring ShareFile Sync for Windows

Before installing the ShareFile Sync for Windows client you must add some URL’s to your trusted sites and configure SAML as authentication method.
You can do this in two different ways, with policy settings and with registry settings.


If you want to configure it with group policies you can use the ShareFile admx file which is located after the installation in the following folder:

C:\Program Files\Citrix\ShareFile\Sync\Configuration\PolicyDefinitions

To make use of this policies copy the following files;

– ShareFileOn-demand.admx to %WinDir%\PolicyDefinitions
– ShareFileOn-demand.adml to %WinDir%\PolicyDefinitions\en-US

Create a new or edit an existing GPO object to configure the following policy setting for SAML authentication;

User Configuration > Policies > Administrative Templates > ShareFile > Enterprise Sync > Authentication Type

Enable the setting and select SAML Web Forms

For the trusted sites see the registry part, you must apply these registry settings with Group Policy Preferences.


For the SAML authentication apply the following registry key;

[HKEY_CURRENT_USER\Software\Policies\Citrix\ShareFile\EnterpriseSync] “AuthenticationType”=dword:00000002

For the trusted sites apply the following registry keys; (replace appcontroller.hobo.lan with your internal App Controller URL)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\*] “https”=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\\*] “https”=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\appcontroller.hobo.lan] “https”=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\appcontroller.hobo.lan] “https”=dword:00000002

After configuring this you can start with the installation of the ShareFile Sync for Windows Client.

Login to ShareFile with a web browser (see previous steps) and open the Apps tab to download Sync for Windows

Start the installation and click Install

Select I accept the terms in the License Agreement and click Install

Click Finish

Enter the e-mail address that is associated with your ShareFile user account and click Next

Enter your ShareFile Subdomain and click Next

Click Begin browser login

Enter your Active Directory credentials and click Log On

Click Next

Click Next

Click Next

Click Next

Click Next

Click Finish

Your ShareFile files will now be synchronized.


  • Hi Robin. I’ve tried this but in my implementation I get a message from AppContrlller (White screen with black text) saying ‘Subscription Required’. What am I missing?

  • Worked perfectly for me.. Just one thing that needs to be verified, make sure timezone/time settings are consistent between Sharefile and App Controller.

  • I can’t get the the OLP to work with SSO. I am using XenMobile 10 with a Netscaler 10.5. When I click the Plugin Options button a login window comes up and SSO works in the fact that it authenticates, but it then displays the Sharefile website within the login window instead of the plugin logging into ShareFile. I have this same experience with the ShareFile Desktop application.

    • That is very strange, I did not see that before. Are you sure you have configured everything correct on the SSON page in the ShareFile Control plane? Like url and enabled “Enable Web Authentication” ?

      • Yes, I have that box checked. I also have the reg entries created. I am going to test from a different machine and see what the result is there. I wonder if the issue is that I am using the 64 bit version of MS Office.

        • I installed it on a different machine, but it does the same thing. I have gone back through and verified everything is set correctly and it appears to me that it is. I will probably have to open a ticket with Citrix, which I HATE doing because I have a hard time understanding them when they call because of their deep accent. It is a rarity to get someone who speaks English as their primary language.

  • I have not applied any policies. I have only added the two registry entries (Method and UserConfigurable). I had initially had default OLP settings configured within ShareFile, but I removed those for troubleshooting.

    • Before opening a case with Citrix, I have posted on Citrix User Group Community to see if anyone there has thoughts on it. I posted with screenshots of my setup and what I am seeing when logging in using OLP.

  • Hi there, I notice there isn’t much around the User Accounts
    Create account automatically (Keep/Disable/Delete) Account elements. How are people managing the off-boarding? Would it be fair to say that most people are using UMT tool to clean up users?

    • Hi Anthony, it would be nice but no. You can disable users automatically when their account is locked / blocked. But removing the user is a manual step so far I know. Regards, Robin

      • Thanks Robin,
        I can confirm after some extended conversation that you can de-provision automatically if you select the SAML SP app for Sharefile to delete when the user entitlement ends. The nervous thought to this is if you accidentally remove someone from AD or the group and still require the data it will be gone the next time syncing occurs between XAC and AD which will then be replicated to the control plane. So best option is to set to disable only which will at least present those users in a way you can check web gui and remove manually. it appears to be the only way to reclaim your licenses efficiently.
        I also questioned whether this applies to accounts created via the Sharefile Admin account associated to XAC as opposed to manually created accounts. They have also confirmed that it will only impact the XAC generated accounts.

About Robin Hobo

I am a Technology Specialist working for Microsoft with focus on the Modern Workplace. I am specialized in Microsoft Intune, Azure Virtual Desktop (AVD), Windows 365, Windows 11 and Azure AD. Also interested in mental health, NLP and personal development.

For more information, see the About Me page or my LinkedIn profile.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.