As promised in my last blog post about installing and configuring the ShareFile StorageZone controller, I will now go into more detail about the SAML configuration for Single Sign-On from the XenMobile App Controller and about how to configure the ShareFile Sync for Windows client and the ShareFile Outlook Plugin.
After you have configured the Citrix NetScaler, the StorageZone controller and the ShareFile integration within the XenMobile App Controller as described in my last blog post, you are not yet able to log on through the ShareFile web interface (or the Windows clients) with a synced user (you still can with the super user). For that you need to configure the App Controller as a SAML identity provider for ShareFile.
Let me show you the steps to configure SAML and how to log on with the ShareFile clients.
Create a Web & SaaS application on the AppController
The first step is to create a Web & SaaS ShareFile application on the AppController.
Go to the XenMobile App Controller console and log on.
Open the Apps & Docs tab and on the left side click Web & SaaS. Click the Plus sign.
Add the ShareFile_SAML_SP application
Fill in the following information:
App name: leave as is
Description: leave as is
Cookies Domain: subdomain.sharefile.com address
URL: subdomain.sharefile.com/saml/login
Click Next
Enter the ShareFile superuser account information and click Next
Leave everything default and click Next
Click Next
Click Save
Click on the application and write down the Internal name. This name is needed later in the ShareFile configuration.
Configure the Citrix NetScaler Gateway
Log in to the Citrix NetScaler console.
Go to System > Diagnostics and click Command line interface.
Enter the following command to disable the default home page redirect for requests that come in through the /cginfra path:
set vpn vserver netscaler-gateway-servername -cginfraHomePageRedirect DISABLED
Replace netscaler-gateway-servername with the name of the NetScaler Gateway virtual server used for the App Controller.
The next step is to create a ShareFile session policy and a ShareFile request profile. Go to NetScaler Gateway > Policies > Session and click Add on the Policy tab.
Name it ShareFile_Policy and click New next to Request Profile.
Name it ShareFile_Profile. Go to the Client Experience tab and configure the following settings:
Home Page: none
Session Time-out (mins): 1
Credential Index: PRIMARY
Single Sign-on to Web Applications: Enabled
Go to the Published Application tab and configure the following settings:
ICA Proxy: On
Web Interface Address: Your internal App Controller address
Single Sign-on Domain: Your domain name
Click Create
Click Add
Configure the Expression as follows:
Expression Type: General
Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: CONTAINS
Value: NSC_FSRD
Header Name: COOKIE
Click OK
Click Create
Go to NetScaler Gateway > Virtual Servers, select the Gateway and click Open.
Open the Policies tab and click Insert Policy.
Add the ShareFile_Policy created in the previous steps and give it the lowest number as Priority, so it is evaluated first.
Go to the Advanced tab and fill in the App Controller URL.
Click OK and save the Citrix NetScaler configuration.
Configure Citrix ShareFile
The final step in configuring XenMobile as the SAML identity provider for ShareFile is to configure your ShareFile account.
Log in to your ShareFile account on https://subdomain.sharefile.com as super user / administrator.
Go to Admin > Configure Single Sign-on and change the Login URL to:
https://appcontroller.robinhobo.com/cginfra/https/appcontroller.hobo.lan/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML_SP10&reqtype=1&nssso=true
– Replace “appcontroller.robinhobo.com” with your external App Controller address
– Replace “appcontroller.hobo.lan” with your internal App Controller address
– Replace “ShareFile_SAML_SP10” with the Internal name of the SAML app created in the first steps
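Because the three substitutions above are the part of this setup that most often goes wrong (a wrong Internal name or a wrong host silently breaks the logon), here is an added PowerShell example, not code from the original post or from Citrix, that builds the Login URL from those three values and checks a Login URL copied back from Admin > Configure Single Sign-on against what you expect. The host names and the app name used in it are placeholders taken from the post.

```powershell
# Added example (not code from the original post): build the ShareFile Login URL
# from its three site-specific parts and check a Login URL copied from
# Admin > Configure Single Sign-on against the values you expect.
# All host names and the app name below are placeholders.

function New-ShareFileSamlLoginUrl {
    param(
        [Parameter(Mandatory)][string]$ExternalAppControllerHost,  # external NetScaler Gateway / App Controller address
        [Parameter(Mandatory)][string]$InternalAppControllerHost,  # internal App Controller address behind the gateway
        [Parameter(Mandatory)][string]$SamlAppInternalName         # Internal name of the Web & SaaS app, e.g. ShareFile_SAML_SP10
    )
    # /cginfra/https/<internal host> is the gateway path that is proxied to the
    # App Controller; the query string selects the SAML SP app to authenticate for.
    $app = [uri]::EscapeDataString($SamlAppInternalName)
    return "https://$ExternalAppControllerHost/cginfra/https/$InternalAppControllerHost/samlsp/websso.do?action=authenticateUser&app=$app&reqtype=1&nssso=true"
}

function Test-ShareFileSamlLoginUrl {
    # Returns the list of problems found; an empty list means the URL matches.
    param(
        [Parameter(Mandatory)][string]$LoginUrl,
        [Parameter(Mandatory)][string]$ExternalAppControllerHost,
        [Parameter(Mandatory)][string]$InternalAppControllerHost,
        [Parameter(Mandatory)][string]$SamlAppInternalName
    )
    $problems = @()
    $uri = [uri]$LoginUrl
    if ($uri.Scheme -ne 'https') { $problems += "scheme is '$($uri.Scheme)', expected https" }
    if ($uri.Host -ne $ExternalAppControllerHost) {
        $problems += "external host is '$($uri.Host)', expected '$ExternalAppControllerHost'"
    }
    $expectedPath = "/cginfra/https/$InternalAppControllerHost/samlsp/websso.do"
    if ($uri.AbsolutePath -ne $expectedPath) {
        $problems += "path is '$($uri.AbsolutePath)', expected '$expectedPath'"
    }

    # Parse the query string into a hashtable and compare every expected parameter.
    $query = @{}
    foreach ($pair in ($uri.Query.TrimStart('?') -split '&')) {
        $kv = $pair -split '=', 2
        if ($kv.Count -eq 2) { $query[$kv[0]] = [uri]::UnescapeDataString($kv[1]) }
    }
    $expectedQuery = @{ action = 'authenticateUser'; app = $SamlAppInternalName; reqtype = '1'; nssso = 'true' }
    foreach ($key in $expectedQuery.Keys) {
        if ($query[$key] -ne $expectedQuery[$key]) {
            $problems += "query parameter '$key' is '$($query[$key])', expected '$($expectedQuery[$key])'"
        }
    }
    return ,$problems
}

# Usage with the placeholder values from the post: build the URL, then verify a copy of it.
$url = New-ShareFileSamlLoginUrl -ExternalAppControllerHost 'appcontroller.robinhobo.com' `
    -InternalAppControllerHost 'appcontroller.hobo.lan' -SamlAppInternalName 'ShareFile_SAML_SP10'
$url
Test-ShareFileSamlLoginUrl -LoginUrl $url -ExternalAppControllerHost 'appcontroller.robinhobo.com' `
    -InternalAppControllerHost 'appcontroller.hobo.lan' -SamlAppInternalName 'ShareFile_SAML_SP10'
```

Paste the Login URL from the ShareFile admin page into `-LoginUrl` together with the names you wrote down from the App Controller; any mismatch in host, path or the `app=` parameter is reported as a separate line, which is quicker than comparing the long URL by eye.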
Click Save
Now you can configure your Windows / Mac clients and log on with a browser using your Active Directory credentials.
Log in with your synced user account using a browser
Open your browser and browse to https://subdomain.sharefile.com/saml/login. You will be redirected to the NetScaler Gateway login page.
Log in with your Active Directory credentials; after that you will be redirected to your ShareFile page.
Installing and Configuring the ShareFile Outlook Plugin
The ShareFile Outlook Plugin 2.1 is compatible with the 32-bit and 64-bit versions of Microsoft Outlook 2007, 2010 and 2013.
For SAML authentication, first apply the following registry keys:
[HKEY_CURRENT_USER\Software\Citrix\ShareFile\SSO]
"Method"="saml-forms"
"UserConfigurable"=dword:00000001
Log in to ShareFile with a web browser (see the previous step) and open the Apps tab to download the Outlook Plug-in.
If open, close Microsoft Outlook. Start the ShareFile Outlook Plugin installer, select Customize settings and click Next
Select what is applicable and click Next
Select I accept the terms of the license agreement and click Next
Click Done
Enter the e-mail address that is associated with your ShareFile user account and click Next
Enter your ShareFile Subdomain and click Next
Click Begin browser login
Enter your Active Directory credentials and click Log On
Click Next
Select what is applicable and click Next
Select what is applicable and click Finish
Now, when composing a new e-mail, the ShareFile plugin options are available.
Installing and Configuring ShareFile Sync for Windows
Before installing the ShareFile Sync for Windows client you must add some URLs to your trusted sites and configure SAML as the authentication method.
You can do this in two different ways: with policy settings or with registry settings.
Policies
If you want to configure it with group policies you can use the ShareFile admx file which is located after the installation in the following folder:
C:\Program Files\Citrix\ShareFile\Sync\Configuration\PolicyDefinitions
To make use of these policies, copy the following files:
– ShareFileOn-demand.admx to %WinDir%\PolicyDefinitions
– ShareFileOn-demand.adml to %WinDir%\PolicyDefinitions\en-US
Create a new GPO or edit an existing one to configure the following policy setting for SAML authentication:
User Configuration > Policies > Administrative Templates > ShareFile > Enterprise Sync > Authentication Type
Enable the setting and select SAML Web Forms
For the trusted sites, see the registry section below; those registry settings must be applied with Group Policy Preferences.
Registry
For the SAML authentication, apply the following registry key:
[HKEY_CURRENT_USER\Software\Policies\Citrix\ShareFile\EnterpriseSync]
"AuthenticationType"=dword:00000002
For the trusted sites, apply the following registry keys (replace appcontroller.hobo.lan with your internal App Controller URL):
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sharefile.com\*]
"https"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\sharefile.com\*]
"https"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\appcontroller.hobo.lan]
"https"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\appcontroller.hobo.lan]
"https"=dword:00000002
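The registry keys for the Outlook Plugin (the SSO Method) and for Sync for Windows (the AuthenticationType and the Trusted Sites entries) are easy to mistype, and a single missing ZoneMap entry shows up only as a failed browser logon. The following is an added PowerShell example, not code from the original post or from Citrix, that writes all of those per-user values from one list and then reads them back so you can see which ones are in place on a test machine. The value 2 for the ZoneMap entries is the Trusted Sites zone; appcontroller.hobo.lan is the post's placeholder and should be replaced with your internal App Controller address.

```powershell
# Added example (not code from the original post): apply and verify the per-user
# registry settings the post lists for the Outlook Plugin (SSO method) and for
# Sync for Windows (authentication type and Trusted Sites entries).
# appcontroller.hobo.lan is the post's placeholder; pass your own internal address.

function Get-ShareFileSamlRegistrySettings {
    param([Parameter(Mandatory)][string]$AppControllerHost)

    $zoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    $settings = @(
        # Outlook Plugin: authenticate with SAML web forms; the user may change it.
        @{ Path = 'HKCU:\Software\Citrix\ShareFile\SSO'; Name = 'Method'; Value = 'saml-forms'; Type = 'String' },
        @{ Path = 'HKCU:\Software\Citrix\ShareFile\SSO'; Name = 'UserConfigurable'; Value = 1; Type = 'DWord' },
        # Sync for Windows: AuthenticationType 2 is the registry form of the "SAML Web Forms" policy value.
        @{ Path = 'HKCU:\Software\Policies\Citrix\ShareFile\EnterpriseSync'; Name = 'AuthenticationType'; Value = 2; Type = 'DWord' }
    )
    # Trusted Sites (zone 2) for https to *.sharefile.com and to the App Controller,
    # in both the Domains and the EscDomains (Enhanced Security Configuration) maps.
    foreach ($domain in @('sharefile.com\*', $AppControllerHost)) {
        foreach ($map in @('Domains', 'EscDomains')) {
            $settings += @{ Path = "$zoneMap\$map\$domain"; Name = 'https'; Value = 2; Type = 'DWord' }
        }
    }
    return $settings
}

function Set-ShareFileSamlClientConfig {
    param([Parameter(Mandatory)][string]$AppControllerHost)
    foreach ($s in (Get-ShareFileSamlRegistrySettings -AppControllerHost $AppControllerHost)) {
        if (-not (Test-Path -LiteralPath $s.Path)) {
            # Create the key by parent + name so that the subkey literally named "*"
            # (the wildcard entry under sharefile.com) is not expanded as a wildcard.
            $parent = Split-Path -LiteralPath $s.Path -Parent
            $leaf   = Split-Path -LiteralPath $s.Path -Leaf
            if (-not (Test-Path -LiteralPath $parent)) { New-Item -Path $parent -Force | Out-Null }
            New-Item -Path $parent -Name $leaf | Out-Null
        }
        New-ItemProperty -LiteralPath $s.Path -Name $s.Name -Value $s.Value -PropertyType $s.Type -Force | Out-Null
    }
}

function Test-ShareFileSamlClientConfig {
    # Reads every expected value back and reports it; returns $true only if all match.
    param([Parameter(Mandatory)][string]$AppControllerHost)
    $allOk = $true
    foreach ($s in (Get-ShareFileSamlRegistrySettings -AppControllerHost $AppControllerHost)) {
        $actual = $null
        if (Test-Path -LiteralPath $s.Path) {
            $item = Get-ItemProperty -LiteralPath $s.Path -ErrorAction SilentlyContinue
            if ($item -and $item.PSObject.Properties[$s.Name]) { $actual = $item.PSObject.Properties[$s.Name].Value }
        }
        if ($actual -eq $s.Value) {
            Write-Host ("OK       {0}\{1} = {2}" -f $s.Path, $s.Name, $actual)
        } else {
            Write-Host ("MISMATCH {0}\{1}: expected {2}, found {3}" -f $s.Path, $s.Name, $s.Value, $actual)
            $allOk = $false
        }
    }
    return $allOk
}

# Usage: run in the session of the user who will use the clients (all settings are under HKCU).
Set-ShareFileSamlClientConfig  -AppControllerHost 'appcontroller.hobo.lan'
Test-ShareFileSamlClientConfig -AppControllerHost 'appcontroller.hobo.lan'
```

For a domain-wide rollout the GPO and Group Policy Preferences approach described above is still the right tool; this script is for preparing or checking a single test machine, and `Test-ShareFileSamlClientConfig` on its own is a quick way to confirm that a GPP-deployed configuration actually arrived before you start troubleshooting the logon.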
After configuring this you can start with the installation of the ShareFile Sync for Windows client.
Log in to ShareFile with a web browser (see the previous steps) and open the Apps tab to download Sync for Windows.
Start the installation and click Install
Select I accept the terms in the License Agreement and click Install
Click Finish
Enter the e-mail address that is associated with your ShareFile user account and click Next
Enter your ShareFile Subdomain and click Next
Click Begin browser login
Enter your Active Directory credentials and click Log On
Click Next
Click Next
Click Next
Click Next
Click Next
Click Finish
Your ShareFile files will now be synchronized.
Hi Robin. I’ve tried this but in my implementation I get a message from AppController (white screen with black text) saying ‘Subscription Required’. What am I missing?
Hi Dan, I didn’t see that error before. Is the Login URL correct, including the internal AppName of the SAML app? Did you enable the web authentication?
The Subscription Required error is described in http://blogs.citrix.com/2014/09/08/demystifying-the-sharefile-user-provisioning-process-through-xenmobile-app-controller/. It has nothing to do with reconcile for me.
Looks like it happens when I use custom roles for the saml_sp rather than the allusers role.
Thanks very much for this very helpful guide.
It’s working! 🙂
Thanks, good to hear!
Worked perfectly for me. Just one thing that needs to be verified: make sure the timezone/time settings are consistent between ShareFile and App Controller.
[…] a previous post I described how to install and configure the ShareFile Windows Sync client and the ShareFile Outlook Plugin. In a few previous projects I needed to implement these clients into a Citrix XenApp / XenDesktop […]
I can’t get the OLP to work with SSO. I am using XenMobile 10 with a NetScaler 10.5. When I click the Plugin Options button a login window comes up and SSO works in the fact that it authenticates, but it then displays the ShareFile website within the login window instead of the plugin logging into ShareFile. I have this same experience with the ShareFile Desktop application.
That is very strange, I did not see that before. Are you sure you have configured everything correctly on the SSON page in the ShareFile control plane? Like the URL, and “Enable Web Authentication” enabled?
Yes, I have that box checked. I also have the reg entries created. I am going to test from a different machine and see what the result is there. I wonder if the issue is that I am using the 64-bit version of MS Office.
I installed it on a different machine, but it does the same thing. I have gone back through and verified everything is set correctly and it appears to me that it is. I will probably have to open a ticket with Citrix, which I HATE doing because I have a hard time understanding them when they call because of their deep accent. It is a rarity to get someone who speaks English as their primary language.
David, have you applied any policies for the plugins? If so, maybe you can test without these policies?
I have not applied any policies. I have only added the two registry entries (Method and UserConfigurable). I had initially had default OLP settings configured within ShareFile, but I removed those for troubleshooting.
Before opening a case with Citrix, I have posted on Citrix User Group Community to see if anyone there has thoughts on it. I posted with screenshots of my setup and what I am seeing when logging in using OLP.
Woo Hoo! It is fixed. The issue ended up being that the subdomain I had listed in XenMobile was not the same as our “Primary” subdomain. ShareFile allows for up to 3 subdomains and I was using the second one in the list. I switched them around multiple times to confirm that was the issue.
A colleague of mine actually stumbled upon a Citrix discussion, thanks to mistyping ShareFile in his Google search. This link is to the discussion.
Thanks for your help!
Oops, missed adding the link.
https://discussions.citrix.com/topic/371296-outlook-plugin-strange-issues-with-sso-login/
Hi there, I notice there isn’t much around the User Accounts / Create account automatically (Keep/Disable/Delete) account elements. How are people managing the off-boarding? Would it be fair to say that most people are using the UMT tool to clean up users?
Hi Anthony, it would be nice, but no. You can disable users automatically when their account is locked / blocked, but removing the user is a manual step as far as I know. Regards, Robin
Thanks Robin,
I can confirm after some extended conversation that you can de-provision automatically if you select the SAML SP app for ShareFile to delete when the user entitlement ends. The nervous thought to this is if you accidentally remove someone from AD or the group and still require the data, it will be gone the next time syncing occurs between XAC and AD, which will then be replicated to the control plane. So the best option is to set to disable only, which will at least present those users in a way you can check in the web GUI and remove manually. It appears to be the only way to reclaim your licenses efficiently.
I also questioned whether this applies to accounts created via the ShareFile Admin account associated to XAC as opposed to manually created accounts. They have also confirmed that it will only impact the XAC-generated accounts.
Nice, thanks for this update!