Content Collaboration: Single Sign-On Configuration Guide ADFS 3.0

Last Revised: May 2019



LEGAL NOTICE This document is furnished "AS IS" without warranty of any kind. This document is not supported under any Citrix standard support program. Citrix Systems, Inc. disclaims all warranties regarding the contents of this document, including, but not limited to, implied warranties of merchantability and fitness for any particular purpose. This document may contain technical or other inaccuracies or typographical errors. Citrix Systems, Inc. reserves the right to revise the information in this document at any time without notice. This document and the software described in this document constitute confidential information of Citrix Systems, Inc. and its licensors, and are furnished under a license from Citrix Systems, Inc. This document and the software may be used and copied only as agreed upon by the Beta or Technical Preview Agreement. Copyright © 2019 Citrix Systems, Inc. All rights reserved. Citrix, Citrix Content Collaboration, and ShareFile are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies.


ShareFile SSO with ADFS 3.0 - 3

Prerequisites to Installation

In order to set up ShareFile to authenticate with Active Directory Federation Services, you need the following:

- Windows Server 2012 R2

- A publicly signed SSL Certificate from a CA. Self-signed and unsigned certificates are not accepted.

- An FQDN for your ADFS server

- Access to an administrator account within ShareFile with the ability to configure Single Sign On.

Please note: to provision users from your Active Directory to ShareFile, please reference the User Management Tool installation guide.


ADFS 3.0 (Role-based install)


3. Select the server for the install and click Next. Then select Active Directory Federation Services and click Next.


4. Click Next through the Server Roles and AD FS pages to the Confirmation screen. Check the box to restart the destination server if required, click Yes on the pop-up, and click Install.

5. Once AD FS is installed, you will need to complete the post-deployment configuration if this is the first AD FS server in the Active Directory forest. Please see or use your own configuration information for this step.


Setting up ADFS 3.0

1. In the AD FS 3.0 management console, start the Configuration Wizard.

2. When the Wizard starts, select Create a new Federation Service and click Next.

3.


4. Because this example uses a wildcard certificate, the wizard cannot derive the Federation Service Name from the certificate subject, so you must enter it yourself (for example adfs.yourdomain.com). Use the FQDN from the prerequisites; it must resolve in DNS to this server, and it is the name clients and ShareFile will see in the Login URL. If you are using a certificate issued to the AD FS host name, the wizard can fill the name in for you and you may not have to do this step. Then click Next to continue.


5. Click Next to configure.

6. Confirm that all the configurations were finished without error and click Close and exit the wizard.
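The same role install and first-server configuration (steps 1 to 6 above), done from an elevated PowerShell session on Windows Server 2012 R2 instead of the wizards. This is an added example and not part of the Citrix guide; it assumes the CA-issued certificate is already in the LocalMachine\My store, that the federation service name is adfs.yourdomain.com, and that CONTOSO\svc_adfs is the service account you created for AD FS (all three are placeholders).

```powershell
# Added example (not from the Citrix guide): AD FS 3.0 role install and
# first-farm configuration in PowerShell. Assumed placeholders:
#   adfs.yourdomain.com  - Federation Service Name (the FQDN from the prerequisites)
#   CONTOSO\svc_adfs     - AD FS service account
$fsName = 'adfs.yourdomain.com'

# Equivalent of Server Manager > Add Roles and Features > Active Directory Federation Services
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Pick the SSL certificate. The guide requires a publicly signed certificate, so
# reject anything self-signed (Issuer equals Subject), expired, or lacking a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Issuer -ne $_.Subject -and
        ($_.Subject -like "CN=$fsName*" -or $_.Subject -like 'CN=*.yourdomain.com*')
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No CA-issued certificate with a private key found for $fsName" }

# A wildcard certificate does not carry the service name, so it is passed explicitly
# (the manual equivalent of step 4 in the wizard).
$svcCred = Get-Credential -UserName 'CONTOSO\svc_adfs' -Message 'AD FS service account'

Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $fsName `
                 -FederationServiceDisplayName 'Contoso Login' `
                 -ServiceAccountCredential $svcCred

# Post-install check. Identifier is the Federation Service identifier that ShareFile
# must later be given as "Your IDP Issuer / Entity ID"; the /adfs/ls endpoint is the
# Login URL and must be enabled.
Get-AdfsProperties | Select-Object HostName, Identifier
Get-AdfsEndpoint -AddressPath '/adfs/ls/' | Select-Object Protocol, Enabled, Proxy
```

The certificate filter is the part worth keeping even if you install through the GUI: it is the check that the prerequisite on page 3 asks for, and a self-signed certificate that slips through here surfaces later as a trust error in ShareFile rather than at install time.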


7.

8. Expand the Service node in the Management Console and select Certificates. Select the Token-signing certificate (the primary one, if two are listed during a certificate rollover) and click View Certificate in the right-hand column.


9. In the Certificate window, select the Details tab and then click Copy to File.


10. Click Next to continue


11. Select Base-64 encoded X.509 (.CER) as the export format for the certificate and click Next. This format contains only the public certificate, which is all ShareFile needs to verify signatures; the private key stays on the AD FS server.

12. Save the certificate file and click Next.


13. Click Finish to save the file.


14. Browse to the folder where you exported the certificate and open the file with Notepad.

15. Select all the text in Notepad (CTRL + A), including the BEGIN CERTIFICATE and END CERTIFICATE lines, and copy it (CTRL + C).


16. Open Internet Explorer and go to your ShareFile account (https://<yoursubdomain>.sharefile.com). Log on with your administrator account and navigate to Admin Settings > Security > Login & Security Policy. Find Single sign-on / SAML 2.0 Configuration.

17. Switch the Enable SAML setting to Yes and fill in the following:

- ShareFile Issuer / Entity ID: https://<subdomain>.sharefile.com/saml/info
- Your IDP Issuer / Entity ID: https://<adfs>.yourdomain.com
- X.509 Certificate: paste the contents of the certificate exported in the previous section
- Login URL: https://<adfs>.yourdomain.com/adfs/ls

Check that the IDP Issuer value you enter matches the Federation Service identifier shown in AD FS Management (Edit Federation Service Properties). AD FS places that identifier in the Issuer element of every SAML response, and a mismatch causes ShareFile to reject the assertion even though the certificate is correct.



18. Under Optional Settings, change the following values:

- Enable Web Authentication: Yes (checked)
- SP-Initiated Auth Context: User Name and Password – Minimum
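Steps 8 to 18 can be reduced to one script on the AD FS server that exports the token-signing certificate and prints the values ShareFile asks for. This is an added example, not Citrix's own tooling; it assumes the script runs on the AD FS server and may write to C:\Temp, and the ShareFile subdomain placeholder is the one used throughout the guide.

```powershell
# Added example (not from the Citrix guide): export the AD FS token-signing
# certificate and print the values for the ShareFile SAML settings.
# Assumes it runs on the AD FS server and that C:\Temp is writable.
$outDir = 'C:\Temp'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Steps 8-13: the PRIMARY token-signing certificate is the one that signs assertions.
# During automatic rollover AD FS also holds a secondary certificate; exporting that
# one produces logins that fail signature validation in ShareFile.
$tokenSigning = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }

# Export only the public certificate (X509ContentType::Cert never includes the
# private key) as Base-64 encoded X.509, the same text Notepad shows in step 14.
$der = $tokenSigning.Certificate.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
$cerPath = Join-Path $outDir 'adfs-token-signing.cer'
Set-Content -Path $cerPath -Value $pem -Encoding Ascii

# Step 15: put the PEM text on the clipboard for pasting into the X.509 Certificate box.
$pem | clip.exe

# Step 17 values. Identifier is the Federation Service identifier; it is the Issuer of
# every SAML response, so it must be entered exactly as printed here.
$props = Get-AdfsProperties
[pscustomobject]@{
    'ShareFile Issuer / Entity ID' = 'https://<subdomain>.sharefile.com/saml/info'
    'Your IDP Issuer / Entity ID'  = $props.Identifier.AbsoluteUri
    'Login URL'                    = "https://$($props.HostName)/adfs/ls"
    'Token-signing thumbprint'     = $tokenSigning.Thumbprint
    'Token-signing expires'        = $tokenSigning.Certificate.NotAfter
    'AutoCertificateRollover'      = $props.AutoCertificateRollover
} | Format-List
```

The last two fields are the operational caveat: with AutoCertificateRollover enabled (the default), AD FS generates a new token-signing certificate before the current one expires, and ShareFile keeps verifying against the copy you pasted. Note the expiry date and re-run this export and step 17 before the rollover, or SSO stops working on that day.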


19. Minimize Internet Explorer and return to the AD FS Management Console. Expand the Trust Relationships node and select Relying Party Trusts. Then click Add Relying Party Trust… on the right-hand side of the console. This launches the Add Relying Party Trust Wizard.


20. Click Start to begin specifying a Relying Party Trust.


21. Importing the metadata published by ShareFile lets the wizard configure the trust for you. Select Import data about the relying party published online or on a local network and enter https://<yoursubdomain>.sharefile.com/saml/metadata as the Federation metadata address (host name or URL). Click Next.

22. Specify a Display Name. Typically you will keep this as <yoursubdomain>.sharefile.com, so you can tell the different trusts apart.


23.

24. Select Permit all users to access this relying party and click Next. This is the broadest setting: every account that can authenticate to AD FS can reach ShareFile. If only some of your users should, choose Deny all users access to this relying party here and add an issuance authorization rule for the appropriate AD group after the wizard closes.


25. Verify that the information is correct and click Next

26. Verify that the checkbox for Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is checked. Then click Close.


27. On the Issuance Transform Rules tab, click Add Rule


28. The first rule will be to Send LDAP Attributes as Claims


29. Users in the ShareFile platform are identified by their e-mail address, so the value this rule sends must equal the e-mail address of the user's ShareFile account. Give the rule a descriptive name, such as E-mail Address to E-mail Address. Select Active Directory as the attribute store. Then select E-Mail-Addresses as the LDAP attribute and E-Mail Address as the Outgoing Claim Type. Click Finish. Sending User-Principal-Name instead only works if every user's UPN is identical to their ShareFile e-mail address; otherwise populate the mail attribute in Active Directory.


30. Create a second rule. This rule uses the Transform an Incoming Claim template. Click Next.

31. This rule transforms the incoming E-Mail Address claim into an outgoing Name ID claim in e-mail format, which is the identifier ShareFile matches against its user list. Give the rule a descriptive name, such as E-Mail Address to Name ID. Set the Incoming claim type to E-Mail Address, the Outgoing claim type to Name ID and the Outgoing name ID format to Email. Leave Pass through all claim values selected and click Finish.


32. Verify that the claims are correct, then click OK.

33. Switch to any web browser and navigate to https://<yoursubdomain>.sharefile.com/saml/login. You will be redirected to your AD FS sign-in page. If the e-mail address of your ShareFile login is linked to a user in Active Directory, you will be able to authenticate with your AD credentials.