Configure Single Sign-on for SAML-Based Federation - ShareFile


Configure Single Sign-on for SAML-Based Federation

You can integrate your ShareFile account with Active Directory (AD) to enable single sign-on for users with AD credentials. ShareFile supports Security Assertion Markup Language (SAML) for single sign-on. You configure ShareFile to communicate with a SAML-based federation tool running in your network. User logon requests are then redirected to Active Directory. You can use the same SAML Identity Provider that you use for other web applications.

Prerequisites

A SAML 2.0-based federation tool configured as follows:

Note: ShareFile supports any SAML 2.0-based federation tool using basic or integrated authentication, such as Microsoft Active Directory Federation Services (ADFS) 2.0 for Windows Server 2008 and Windows Server 2008 R2. ADFS 2.0 is not included with Windows Server 2008 and is available for download from the Microsoft site. For information about other SAML 2.0 federation providers, contact your ShareFile account manager.

Specify the ShareFile subdomain: mysubdomain.sharefile.com or, in Europe, mysubdomain.sharefile.eu

Specify the SAML authentication URL: https://mysubdomain.sharefile.com/saml/acs

Specify the relying party identifier: mysubdomain.sharefile.com

Allow all users to access that relying party.

Define the content of the SAML token generated by the federation service and submitted to sharefile.com.

Sharefile.com requires a Name ID in Email format. You can use the Active Directory User Principal Name (UPN) as the attribute source and convert it into the Name ID and Email attributes. If the UPN does not match your company email address, you can use the Active Directory Email attribute instead.

For example, the ADFS claims rule settings to send LDAP attributes as claims are:

  • Attribute store: Active Directory
  • LDAP Attribute: Email
  • Outgoing Claim: UPN

The ADFS claims rule settings to transform the incoming claim are:

  • Incoming claim type: UPN
  • Outgoing claim type: Name ID
  • Outgoing name ID: Email

Set the signature format for your relying party (mysubdomain.sharefile.com) to SHA-1.
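The token requirements above (Name ID in Email format, the relying party identifier as audience, the ACS URL as recipient, a signed assertion) can be checked on a captured response before you go back and forth with the federation team. The following script is an added example and not ShareFile's or ADFS's code; it uses only the Python standard library and a constructed sample response whose issuer and user are placeholders. It checks content only and does not verify the XML signature against the exported X.509 certificate, which the real relying party must still do.

```python
"""Content checks on a SAML response against the ShareFile relying party settings (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

SP_ENTITY_ID = "mysubdomain.sharefile.com"              # relying party identifier from the article
ACS_URL = "https://mysubdomain.sharefile.com/saml/acs"  # SAML authentication URL from the article
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample response: only the elements the checks below read, in the layout ADFS emits.
# Issuer and user are placeholders; SignatureValue and the certificate are omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://adfs.mysubdomain.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://mysubdomain.sharefile.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>mysubdomain.sharefile.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL):
    """Return name_id, signature_algorithm, problems (must be empty) and warnings (advisory)."""
    root = ET.fromstring(xml_text)
    problems, warnings = [], []
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"name_id": None, "signature_algorithm": None,
                "problems": ["no Assertion in Response"], "warnings": warnings}

    # Name ID: must exist and use the Email format (the "Outgoing name ID: Email" claim rule).
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    name_text = name_id.text if name_id is not None else None
    if name_id is None:
        problems.append("no NameID in Subject")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, not emailAddress")
    elif "@" not in (name_text or ""):
        problems.append(f"NameID {name_text!r} is not an email address")

    # Audience: must name this relying party, otherwise the token was minted for another SP.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include {sp_entity_id!r}")

    # Recipient: the bearer confirmation must be addressed to the ACS URL this SP exposes.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} is not the ACS URL {acs_url!r}")

    # Signature: report which algorithm the relying party signs with.
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    algorithm = method.get("Algorithm") if method is not None else None
    if algorithm is None:
        problems.append("Assertion carries no XML signature")
    elif algorithm == RSA_SHA1:
        warnings.append(f"signature uses rsa-sha1; {RSA_SHA256} is the stronger choice where supported")

    return {"name_id": name_text, "signature_algorithm": algorithm,
            "problems": problems, "warnings": warnings}


if __name__ == "__main__":
    result = check_response(SAMPLE_RESPONSE)
    for line in result["problems"] + result["warnings"] or ["all content checks passed"]:
        print(line)
```

Run it against a response captured from your browser's developer tools (the base64 SAMLResponse form field, decoded). With the SHA-1 setting from this article the sample passes all content checks and prints one advisory warning about the digest; an audience or recipient mismatch is the usual reason a token that looks fine in ADFS is rejected at the ACS.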

Create a DNS entry for the federation server service identity, pointing to the federation server or to a network load balancer.

For information about using proxies in the DMZ and using multiple federation servers for high availability, refer to the documentation for your federation tool.

To configure your ShareFile account to accept the SAML tokens

1. Export the security certificate from your federation tool:

  • In the management console for your federation tool, export the base-64 encoded X.509 security certificate.
  • Open the certificate file in a text editor. You will copy the contents of the certificate later in these steps.

2. In the ShareFile web interface, click Admin and then click Configure Single Sign-On.

3. Select the Enable SAML check box.

4. Enter the issuer or entity ID for the ShareFile service and verify the default value for your Identity Provider (IDP).

5. Enter the security certificate:

  • In the text editor you opened in Step 1, copy the contents of the security certificate.
  • In the ShareFile interface beside X.509 Certificate, click Change and then paste the contents of the certificate into the dialog box.

6. Enter the Login URL provided by your SAML Identity Provider. This is the address to which web clients are redirected when they access the SAML logon page. For example, for ADFS it is https://adfs.mysubdomain.com/adfs/ls/.

7. Choose an authentication context:

  • To enable Kerberos authentication to your federation server, click the SP-Initiated Auth Context menu and click Minimum.
  • To enable password-only authentication to your federation server, click the SP-Initiated Auth Context menu and click Exact.

To test single sign-on, open a web browser and go to https://mysubdomain.sharefile.com/saml/login. If you are using Integrated Windows Authentication, you are silently logged on to ShareFile. Otherwise, you are redirected to the logon page of the federation server. If you have issues with Integrated Windows Authentication, check the Internet Explorer security settings.
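When the test redirects you to the federation server, the Location header carries the SP-initiated AuthnRequest in the SAML HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded in the SAMLRequest query parameter). The script below is an added example, not ShareFile's code: it builds a constructed AuthnRequest, encodes it the way a browser would see it, and decodes it again so you can confirm the redirect goes to the Login URL you configured, that the request names your ShareFile entity ID and ACS URL, and which authentication context comparison was requested. It assumes that the Minimum and Exact settings appear on the wire as the RequestedAuthnContext Comparison attribute ("minimum" / "exact"), which is standard SAML 2.0 but is not something this article confirms, and it uses the relying party identifier from this article as the SP entity ID.

```python
"""Decode and inspect an SP-initiated SAMLRequest from a redirect Location header (added example)."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

IDP_LOGIN_URL = "https://adfs.mysubdomain.com/adfs/ls/"   # Login URL from the article
SP_ENTITY_ID = "mysubdomain.sharefile.com"                # assumed: relying party identifier
ACS_URL = "https://mysubdomain.sharefile.com/saml/acs"    # SAML authentication URL from the article


def build_authn_request(comparison):
    """Constructed AuthnRequest; Comparison 'minimum' or 'exact' is assumed to mirror the
    Minimum / Exact choices in the SP-Initiated Auth Context menu."""
    return f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-example" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL="{ACS_URL}">
  <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="{comparison}">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def encode_redirect(xml_text, idp_login_url=IDP_LOGIN_URL):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 selects raw deflate
    deflated = compressor.compress(xml_text.encode()) + compressor.flush()
    saml_request = base64.b64encode(deflated).decode()
    return idp_login_url + "?" + urllib.parse.urlencode({"SAMLRequest": saml_request})


def decode_redirect(location):
    """Reverse the binding on a Location header value; returns (idp_base_url, AuthnRequest element)."""
    parts = urllib.parse.urlsplit(location)
    query = urllib.parse.parse_qs(parts.query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode()
    base = urllib.parse.urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return base, ET.fromstring(xml_text)


def inspect_redirect(location, idp_login_url=IDP_LOGIN_URL,
                     sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL):
    """Summarise what the redirect asks the IdP to do and list mismatches with the expected config."""
    base, req = decode_redirect(location)
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    acs = req.get("AssertionConsumerServiceURL")
    rac = req.find("samlp:RequestedAuthnContext", NS)
    problems = []
    if base != idp_login_url:
        problems.append(f"redirect target {base!r} is not the configured Login URL {idp_login_url!r}")
    if issuer != sp_entity_id:
        problems.append(f"Issuer {issuer!r} is not the SP entity ID {sp_entity_id!r}")
    if acs != acs_url:
        problems.append(f"AssertionConsumerServiceURL {acs!r} is not {acs_url!r}")
    return {
        "redirects_to_idp": base == idp_login_url,
        "issuer": issuer,
        "acs_url": acs,
        "comparison": rac.get("Comparison") if rac is not None else None,
        "problems": problems,
    }


if __name__ == "__main__":
    location = encode_redirect(build_authn_request("minimum"))
    print(location)
    print(inspect_redirect(location))
```

To use it on a real test, paste the Location header value from the 302 response to https://mysubdomain.sharefile.com/saml/login into `inspect_redirect`. A redirect that lands somewhere other than the Login URL you entered, or a request whose ACS URL differs from https://mysubdomain.sharefile.com/saml/acs, means the federation tool and ShareFile disagree about the relying party and the returned token will be rejected. The example does not check the optional SigAlg/Signature query parameters that a signed redirect request carries.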

Related

Configure XenMobile as a SAML Identity Provider for ShareFile
