ShareFile supports single sign-on when deployed as part of a XenMobile solution, in addition to supporting single sign-on with other Identity Providers (IdPs) such as ADFS, Ping Identity, Okta, etc.
When ShareFile is deployed with XenMobile and uses App Controller as the SAML IdP, the sign-on experience is completely seamless and users are not prompted for any account configuration information.
This is the process that I follow to enable single sign-on for ShareFile when being deployed with XenMobile:
1. Create an Active Directory group for users that will be using ShareFile and assign users into that group
2. Create a Role within App Controller. Under ShareFile Configuration, choose a StorageZone for the Role (do not leave it Unassigned) and use the Active Directory group you created in Step 1.
3. On the App & Docs tab of App Controller select Docs > ShareFile. Edit the configuration and enter the information about your account, using the Role you created in the previous step. When you click Save it will upload the SAML signing certificate specified and overwrite the Login URL specified under Admin > Configure SSO on your ShareFile account. It does this every time you Edit and Save the configuration on App Controller. Clicking Sync does not overwrite the information on the ShareFile account.
4. Refer to this article for guidelines on how App Controller provisions users into ShareFile and the timing for this on App Controller. Verify the users have been created by logging in to your ShareFile account (subdomain.sharefile.com > Manage Users). While waiting for this process you can move on to the next steps.
5. Configure NetScaler Gateway as documented in Step 3 of this article. Note: In recent releases of NetScaler you no longer need to use the command-line interface to disable home page redirection if you don’t want it, as there is now a checkbox for this.
- In NetScaler 10.1 this checkbox is under the Advanced tab of the NetScaler Gateway Virtual Server
- In NetScaler 10.5 this checkbox is located under Other Settings of the NetScaler Virtual Server. This is the same area where you will specify the ShareFile URL (Step 7 of Step 3 in the article)
6. Configure the SSO Login URL on your ShareFile account as documented in Step 4 of this article; however, instead of using ShareFile_SAML_SP, use ShareFile_SAML, as we did not create a separate Web & SaaS application (ShareFile_SAML_SP) as part of this configuration.
Now test SSO using your web browser; this is the easiest way to troubleshoot if something is misconfigured: https://subdomain.sharefile.com/saml/login
Note: You may want to first verify the users have been created as documented in step 4. If you receive an error check this blog post on common errors and how to resolve them.
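When you browse to the /saml/login URL above, ShareFile answers with an HTTP redirect to the configured Login URL carrying a deflated, base64-encoded SAMLRequest. The following is an added example (not from this post or from Citrix) that decodes such a redirect so you can confirm that the Login URL App Controller wrote in step 3, and the one you set in step 6, is actually where ShareFile sends the browser. The App Controller URL, the entity ID and the ACS path are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_saml_request(redirect_url):
    """Decode the SAMLRequest from an HTTP-Redirect binding URL (the Location
    header ShareFile returns from /saml/login) and return the fields worth
    checking after steps 3 and 6."""
    parsed = urlparse(redirect_url)
    qs = parse_qs(parsed.query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    # The Redirect binding uses raw DEFLATE without a zlib header: wbits=-15
    xml_bytes = zlib.decompress(raw, -15)
    root = ET.fromstring(xml_bytes)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "idp_url": f"{parsed.scheme}://{parsed.netloc}{parsed.path}",
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text if issuer is not None else None,
    }


def build_sample_redirect(idp_url, sp_entity_id, acs_url):
    """Constructed sample: the kind of redirect an SP emits for SP-initiated
    login. Used here only so the decoder can be exercised offline."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
           f'ID="_example" Version="2.0" IssueInstant="2014-01-01T00:00:00Z" '
           f'Destination="{idp_url}" AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return f"{idp_url}?{query}"


def check_login_url(redirect_url, expected_idp_url):
    """True when both the redirect target and the request's Destination match
    the App Controller Login URL you expect under Admin > Configure SSO."""
    info = decode_saml_request(redirect_url)
    return info["idp_url"] == expected_idp_url and info["destination"] == expected_idp_url
```

Feed `decode_saml_request` the Location header from a real `/saml/login` response (fetched with redirects disabled) and compare the `idp_url` against the value App Controller wrote; a mismatch means step 3 or step 6 did not take effect.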
As a best practice I also usually manually reconcile the users by clicking the Sync link under Docs > ShareFile on the App Controller. This is important during PoCs if the account I am testing SSO with was already an Employee in ShareFile, as it will not be automatically created by App Controller and App Controller will not automatically reconcile this user until 2 AM. Using the Sync link forces a reconciliation to happen immediately. The link in step 4 of this guide has all of the details of how and why this works this way.