Citrix ShareFile is an enterprise class secure file sharing and storage system.
The Software, as a Service (SaaS) solution, allows businesses to create a custom-branded, password-protected area where large documents and files can be stored, synced and exchanged with employees and clients.
Motivation behind this post is to demonstrate ShareFile’s agility while deploying it either independently or with XenMobile. NetScaler front-ending both ShareFile and XenMobile allows us to leverage its features to achieve a split authentication technique to meet the use case described below, however, it can be altered to suit other requirements as well, where unique traffic management policies can be implemented to control access to ShareFile.
When dealing with corporate data, security is a top priority. ShareFile natively supports form-based authentication, where users are prompted to enter their email address and password to gain secure access to their ShareFile account. However, many enterprise customers prefer to use Active Directory integrated authentication with a SAML 2.0 compliant identity provider. This method provides enhanced security, a familiar user experience with a single set of credentials for the user to manage, and streamline user provisioning.
ShareFile SAML based Single Sign-On is supported with various identity providers such as XenMobile Server, ADFS, NetScaler, Okta, Ping Federate, OneLogin and other Citrix Ready Partners. You can find more information here.
XenMobile customers can use the XenMobile Server in combination with NetScaler Gateway as a SAML identity provider with ShareFile. In this configuration, a user logging into ShareFile authenticates at the NetScaler Gateway, and upon successful authentication, uses Single Sign-On to obtain a SAML token from the XenMobile Server. This token is then passed on to the ShareFile subdomain to complete user authentication. You can find more information on how to configure ShareFile Single Sign-On with XenMobile 10 here.
Typically ShareFile and XenMobile are configured with a single NetScaler Gateway server. To provide an additional layer of security with 2 factor authentication (2FA), ShareFile can instead be configured with a NetScaler Gateway vServer , which is bound to two separate authentication policies such as LDAP and RADIUS.
Note: In this scenario 2FA will only apply to the users accessing ShareFile from a web browser, Desktop Sync, Microsoft Outlook Plugin and native ShareFile mobile apps. 2FA won’t affect the MDX wrapped ShareFile apps because they leverage WorxHome for Single Sign-On, which automatically obtains the SAML token on behalf of the user. This means that 1 NetScaler Gateway vServer will be used for WorxHome authenticated applications and another NetScaler Gateway vServer will be used for ShareFile 2FA.
See the diagram below to better understand the traffic flow:
Below represent the configuration requirements:
- Admin access to ShareFile enterprise account
- Public FQDN for XenMobile
- Public FQDN for ShareFile
- XenMobile Server to be used as SAML IDP
- Authentication services such LDAP and RADIUS
Note: XenMobile Enterprise deployment will require an additional public FQDN for device enrollment. Public FQDN discussed here is for XenMobile MAM access via NetScaler Gateway.
High-level configuration steps:
- Configure XenMobile Server with ShareFile settings
- Create NetScaler Gateway vServer for ShareFile
- Configure ShareFile NetScaler Gateway vServer for 2FA
- Configure ShareFile NetScaler Gateway vServer to use XenMobile as a SAML identity provider.
- Disable home page redirection
- Create a ShareFile session policy and profile
- Bind the ShareFile session policy to the NetScaler Gateway vServer
- Configure ShareFile control plane with SAML login URL
- Locate the internal app name for ShareFile on XenMobile Server
- Modify the ShareFile.com single sign-on settings with the SAML URL
- Test ShareFile access from MDX and non-MDX apps
Note: The first NetScaler Gateway vServer should be preconfigured for XenMobile and working as intended.
***For detailed instructions watch the following video:
Any sample code, scripts, SQL queries, commands, or other such information (hereafter referred to as “code”) presented in this document is provided to you AS IS with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support of ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the code.