When ShareFile single sign-on fails you will likely need to capture the SAML token passed from the Identity Provider (IdP) to the ShareFile hosted application tier for troubleshooting. The easiest way to to capture a SAML token is by using Google Chrome. Below I will outline the steps to capture and analyze the ShareFile SAML token.
Start by adding the Developer Tools to your Chrome session
Select the Network tab and check the box for Preserve Log
Now test SSO https://subdomain.sharefile.com /saml/login. I’m authenticating to NetScaler / App Controller in this example
After the SSO fails you should end up back at the ShareFile login page. If you receive errors from the NetScaler login, XenMobile Server, or ADFS/Ping/etc server then this troubleshooting to capture a SAML token won’t help you as it’s not getting that far in the process.
Look through the traffic in the developer tools and find the acs path
Select the header and find the SAMLResponse under the Form Data. Copy the content of the SAMLResponse to your clipboard.
Using your web browser go to https://www.samltool.com/decode.php. Paste the SAMLResponse you captured into the Deflated and Encoded XML and press Decode and Inflate XML
- x509 certificate in the SAML token doesn’t match the x509 certificate configured on the ShareFile account (Admin > Configure Single Sign-on > x509 Certificate)
- The email address in the NameID field doesn’t exist: <saml2:NameID Format=”urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”>email@example.com</saml2:NameID> This field might be empty if the user account in Active Directory is missing the email address field.
- XenMobile Server or your IdP is not using a NTP server and the time is off. Check the AuthnInstant time in the SAML token. You can also look at the Conditions which specifies a NotBefore and NotOnorAfter time.