Configure ShareFile Single Sign-On with ADFS - ShareFile


Configure ShareFile Single Sign-On with ADFS

You can integrate your ShareFile account with Active Directory (AD) to enable single sign-on for users with AD credentials. ShareFile supports Security Assertion Markup Language (SAML) for single sign-on. You configure ShareFile to communicate with a SAML-based federation tool running in your network. User logon requests are then redirected to Active Directory. You can use the same SAML Identity Provider that you use for other web applications.

Documented and tested using:

  • Active Directory Federation Services (ADFS) 2.0 for Windows Server 2008 and Windows Server 2008 R2
  • ADFS 3.0 for Windows Server 2012 R2

ShareFile tests and supports using SHA-1 and SHA-256 certificates.

ShareFile Single Sign-On with ADFS does not support the use of self-signed certificates.

A SAML 2.0-based federation tool is configured as follows:

Specify the ShareFile subdomain: or, in Europe,

Specify the SAML authentication URL:

Specify the relying party identifier:

Allow all users to access that relying party.

Define the content of the SAML token generated by the federation service and submitted to requires a Name ID in Email format. You can use the Active Directory User Principal Name (UPN) as the attribute source and convert it into the Name ID and Email attributes. If the UPN does not match your company email address, you can use the Active Directory Email attribute instead.

For example, the ADFS claims rule settings to send LDAP attributes as claims are:

  • Attribute store: Active Directory
  • LDAP Attribute: Email
  • Outgoing Claim: UPN

The ADFS claims rule settings to transform the incoming claim are:

  • Incoming claim type: UPN
  • Outgoing claim type: Name ID
  • Outgoing name ID: Email

Set the signature format for your relying party ( to SHA-1.

Create a DNS entry for the federation server service identity, pointing to the federation server or to a network load balancer.

For information about using proxies in the DMZ and using multiple federation servers for high availability, refer to the documentation for your federation tool.
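The federation-side settings above (relying party identifier, SAML authentication URL, the two claim rules, the permit-all authorization rule and the SHA-1 signature format) can be applied in one go with the ADFS PowerShell cmdlets instead of the management console. The following is an added example, not code from the ShareFile article or from Citrix; the three placeholder values are assumptions and must be replaced with the values shown on your ShareFile admin page, and the claim type URIs are the standard ADFS ones the console emits for the UPN, Name ID and permit claims.

```powershell
# Added example (not from the ShareFile article): create the ShareFile relying party
# trust in ADFS 2.0 / 3.0 with the settings the article lists.
# On Windows Server 2012 R2 (ADFS 3.0) the ADFS module loads on demand; on
# Windows Server 2008 R2 (ADFS 2.0) use: Add-PSSnapin Microsoft.Adfs.PowerShell
Import-Module ADFS

$acsUrl       = "<SAML authentication URL shown in ShareFile>"   # placeholder, assumption
$rpIdentifier = "<relying party identifier shown in ShareFile>"  # placeholder, assumption

# Claim rule 1 - "Send LDAP Attributes as Claims":
#   attribute store Active Directory, LDAP attribute Email (AD "mail"), outgoing claim UPN.
# Claim rule 2 - "Transform an Incoming Claim":
#   incoming UPN -> outgoing Name ID with the Email name ID format, which ShareFile requires.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send AD email as UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform UPN to Name ID (email format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Authorization rule - allow all users to access the relying party.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# The assertion consumer endpoint at ShareFile that ADFS posts the SAML response to.
$endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

Add-AdfsRelyingPartyTrust -Name "ShareFile" `
    -Identifier $rpIdentifier `
    -SamlEndpoint $endpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Signature format for the relying party: the article says SHA-1
# (ADFS 3.0 defaults to SHA-256, which the article also lists as supported).
Set-AdfsRelyingPartyTrust -TargetName "ShareFile" -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Review what was created before testing the logon.
Get-AdfsRelyingPartyTrust -Name "ShareFile" |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlEndpoints, IssuanceTransformRules
```

If the UPN already matches the company email address, the first rule can query `;userPrincipalName;{0}` instead of `;mail;{0}`; the second rule is unchanged, since it only relabels whatever value arrives as UPN into an email-format Name ID.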

To configure your ShareFile account to accept the SAML tokens

1. Export the security certificate from your federation tool:

  • In the management console for your federation tool, export the base-64 encoded X.509 security certificate.
  • Open the certificate file in a text editor. You will copy the contents of the certificate later in these steps.

2. In the ShareFile web interface, click Admin and then click Configure Single Sign-On.

3. Select the Enable SAML check box.

4. Enter the issuer or entity ID for the ShareFile service and verify the default value for your Identity Provider (IDP).

5. Enter the security certificate:

  • In the text editor you opened in Step 1, copy the contents of the security certificate.
  • In the ShareFile interface beside X.509 Certificate, click Change and then paste the contents of the certificate into the dialog box.

6. Enter the Login URL provided by your SAML Identity Provider. This is the address web clients will be redirected to when accessing the SAML logon page. For example, for ADFS it is

7. Choose an authentication context:

  • To enable Kerberos authentication to your federation server, click the SP-Initiated Auth Context menu and click Minimum.
  • To enable password-only authentication to your federation server, click the SP-Initiated Auth Context menu and click Exact.
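Step 1 is the only part of this procedure that runs on the federation server rather than in the ShareFile web interface, and it is the step most often done wrong (exporting the SSL certificate instead of the token-signing one, or exporting the private key). The following is an added example, not code from the ShareFile article or from Citrix, that writes the ADFS primary token-signing certificate as a base-64 encoded X.509 file ready to paste into the X.509 Certificate dialog in Step 5; the output path is an assumption.

```powershell
# Added example (not from the ShareFile article): export the ADFS primary
# token-signing certificate as base-64 X.509 (PEM) for the ShareFile SSO dialog.
Import-Module ADFS   # ADFS 2.0 on 2008 R2: Add-PSSnapin Microsoft.Adfs.PowerShell

$outFile = "C:\temp\adfs-token-signing.cer"   # assumed path

# ShareFile validates the signature on the SAML token, so it needs the
# token-signing certificate, not the service-communications (SSL) certificate.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2

# Public certificate only (DER), base-64 with line breaks, PEM armor.
# X509ContentType::Cert never includes the private key, so nothing secret leaves the server.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Checks worth doing before pasting: the article says self-signed certificates are
# not supported and that SHA-1 and SHA-256 signed certificates are tested, and an
# expired token-signing certificate will break every SSO logon at once.
"Subject        : $($cert.Subject)"
"Issuer         : $($cert.Issuer)"
"Self-signed    : $($cert.Subject -eq $cert.Issuer)"
"Signature algo : $($cert.SignatureAlgorithm.FriendlyName)"
"Not after      : $($cert.NotAfter)"
"Thumbprint     : $($cert.Thumbprint)"
"Written to     : $outFile"
```

Open the resulting file in a text editor as the procedure describes; the whole content, including the BEGIN and END lines, is what goes into the dialog. Because ADFS rolls the token-signing certificate automatically (AutoCertificateRollover), note the thumbprint and the Not after date so the ShareFile side can be updated before the certificate changes.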

To test single sign-on: Open a web browser and open the URL If you are using Integrated Windows Authentication, you will be silently logged on to ShareFile. Otherwise, you will be redirected to the logon page of the federation server. If you have issues with Integrated Windows Authentication, check the Internet Explorer security settings.
