In this post we look into how to provide Single Sign On to ShareFile, by Integrating with XenMobile and NetScaler.
ShareFile can basically be run as MDX (XenMobile App) or Non-MDX (ShareFile Web, Sync Tool, Drive Mapper, Plugin).
This post will cover both scenarios.
Table of Contents
Pre-reqs and assumptions
Following steps has already been implemented :
- ShareFile Control Plane (EU or COM)
- NetScaler ADC Enterprise Edt. (For AAA Authentication on Connector access)
- ShareFile NS Configuration is done via ShareFile LB Wizard
- XenMobile 10.x is set up
- SSL Server Certificate on NetScaler and XenMobile (Wildcard can be used)
- SSL SAML Certificate imported to XenMobile keystore
- Selfsigned, private or public signed can be used (Does NOT need to be trusted on Clients)
- Firewall Rules are implemented (See Overview section)
- It´s very important that Time settings on ShareFile Control Plane, XenMobile and NetScaler is in sync, if time is out of sync this will break SAML SSO.
Overview
Following diagram shows ShareFile integrated with NetScaler and XenMobile.
Fig. 1 – Overview
Enable XenMobile as SAML iDP
Configure ShareFile in XenMobile – do NOT set XenMobile to User Account Provisioning, this is being managed by ShareFile User Management Tool.
After configuration, save and select XenMobile SAML certificate which has been imported prior to configuration.
This configuration step is enabling SSO in ShareFile control plane.
Enable NetScaler to use XenMobile as SAML iDP
External users need to be redirected to NetScaler Gateway for authentication, 2-factor recommended.
Configure NetScaler Gateway settings as following:
Furthermore implement following ShareFile Session Policy and bind to NetScaler Gateway:
1 2 3 |
add vpn sessionAction ses-prof-sharefile-web -sessTimeout 5 -defaultAuthorizationAction ALLOW -ssoCredential PRIMARY -windowsAutoLogon ON -wihome "https://mdm.xyz.com:8443" -ntDomain DOMAIN add vpn sessionPolicy ses-pol-sharefile-web "REQ.HTTP.HEADER Cookie CONTAINS NSC_FSRD" ses-prof-sharefile-web |
Internal users who already has a Kerberos or NTLM token need to Single Sign On into ShareFile. Therefore configure Negotiate Authentication Policy on internal NetScaler Gateway for ShareFile and XenMobile SAML iDP.
This post will be updated with configuration steps required in order to setup Kerberos Constrained Delegation (KCD Account) to facilitate SSO for internal use case.
Configure SSO Settings on ShareFile Control Plane
Login to Control Plane, Go to Admin and Login & Security settings.
Verify SSO settings:
(SAML Settings are set by XenMobile)
Login URL needs to be changed to following for redirection to NetScaler Gateway for authentication and SAML from XenMobile.
1 |
https://nsgateway.xxx.com/cginfra/https/mdm.xyz.com:8443/samlsp/websso.do?action=authenticateUser&app=ShareFile_SAML&reqtype=1&nssso=true |
Note that everytime a change to ShareFile configuration occurs in XenMobile – Login URL resets to default XenMobile URL and ShareFile App name changes after update of ShareFile App!
Verify app name from OCA url :
1 |
https://mdm.xyz.com:4443/OCA/admin/ |
Test
Initiate functional tests.
- Enroll device and test ShareFile MDX App
- Login in to ShareFile Web UI externally, verify successful access to ShareFile after authentication
- Login in to ShareFile Web UI from Internal domain managed PC, verify SSO connectivity
Ref. on Citrix Docs:
CTX208557
Note there is currently an issue with SSO being broken when running ShareFile MDX:
CTX225084
Basically this CLI needs to be implemented and bound to NetScaler Gateway handling the MAM traffic:
1 2 |
add vpn trafficAction bearer_sso_off_profile http -SSO OFF add vpn trafficPolicy bearer_sso_off_policy "REQ.HTTP.HEADER Authorization CONTAINS Bearer" bearer_sso_off_profile |