Citrix ShareFile SAML Single Sign-On (SSO)

This section contains the following topics:

Citrix ShareFile single sign-on configuration overview

  1. Prepare ShareFile for single sign-on: Set up your user accounts in ShareFile.

  2. Configure ShareFile for SSO with SAML. For details, see Configure ShareFile for SSO.

  3. Configure the application settings in the Identity Administration portal: Configure the ShareFile web application in the Identity Administration portal. Here you specify some of the settings you specified in the web application directly. For details, see Configure ShareFile in the Identity Administration portal.

Requirements

  • A signed certificate. You can either download one from the Identity Administration portal or use your organization’s trusted certificate.

Set up the certificates for SSO

To establish a trusted connection between the web application and CyberArk Identity, you need to have the same signing certificate in both the application and the application settings in the Identity Administration portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in the Identity Administration portal. You also upload the public key certificate in a .cer or .pem file to the web application.

Configure ShareFile for SSO

You need administrator privileges in ShareFile to perform these steps.

It can be useful to open the web application and the Identity Administration portal simultaneously and have them both open, perhaps side by side. As part of the SSO configuration process, you’ll need to copy and paste settings between the two browser windows.

  1. In your web browser, go to the administration login URL for ShareFile.

    The URL has the following format: https://<customName>.ShareFile.com where customName is most likely your company name.and log in with your administrator user name and password.

  2. Go to Settings > Admin Settings > Security > Login & Security Policy.

    Use this page to configure the application for single sign-on from the user portal.

  3. In the Basic Settings section, select Enable SAML.

  4. Specify the following for the Basic Settings:

    Option

    Required or optional

    Set it to

    Description

    ShareFile Issuer / Entity ID

    Required

     

    Copy the ShareFile Issuer / Entity ID from the ShareFile Application Settings in the Identity Administration portal and paste the contents here.

    Your IDP Issuer / Entity ID

     

     

    CyberArk Identity doesn’t use this value.

    x.509 Certificate

     

     

    Upload the certificate here. Use either one that you download from the Identity Administration portal or use your organization’s trusted certificate -- whichever one that you use in the Identity Administration portal.

    Login URL

     

     

    Copy the Login URL from the ShareFile Application Settings in the Identity Administration portal and paste the contents here.

    When a user goes to the ShareFile login site directly, ShareFile redirects users to this URL for log in to the user portal. (SP-initiated SSO)

    Logout URL

     

     

    Copy the Logout URL from the ShareFile Application Settings in the Identity Administration portal and paste the contents here.

    When a user logs out of ShareFile, ShareFile redirects users to this URL for log in to the user portal. (SP-initiated SSO)

  5. Specify the following for the Optional Settings:

    6. Option

    Required or optional

    Set it to

    Description

    Require SSO Login

    Optional

     

    If you want to force users to log in with SSO, select this option.

    If you don’t select this option, users can log in with their user name and password or SSO.

    SSO IP Range

    Optional

     

    If you want to force users from a specific range of IP addresses to use SSO, you can do that by specifying the IP range. Users outside the IP range can log in with their user name and password or SSO.

    This option only affects SP-initiated SSO.

    SP-Initiated SSO Certificate

    Required

    HTTP Redirect with no signature

     

    Enable Web Authentication

     

     

    CyberArk Identity doesn’t support this setting.

    Active Profile Cookies

     

     

    CyberArk Identity doesn’t support this setting.

  6. Click Save.

  7. Log out of your ShareFile account.

SSO on ShareFile mobile apps

ShareFile offers a family of mobile ShareFile apps. When you enable SSO for ShareFile, all users signing in through the iOS and Android apps do so through SSO. They may no longer sign in through those apps with user name and password.

Configure ShareFile in the Identity Administration portal

  1. In the Identity Administration portal, click Apps, then click Add Web Apps.

    The Add Web Apps screen appears.

  2. On the Search tab, enter the partial or full application name in the Search field and click the search icon.

  3. Next to the application, click Add.

  4. In the Add Web App screen, click Yes to confirm.

    Identity Administration portal adds the application.

  5. Click Close to exit the Application Catalog.

    The application that you just added opens to the Application Settings page.

    The description of how to choose and download a signing certificate in this document might differ slightly from your experience. See Choose a certificate file for the latest information.

  6. Select the Citrix ShareFile SAML application and click Add App.

    The application opens to the Application Settings screen.

  7. Specify the following:

    Option

    Required or optional

    Set it to

    Description

    Assertion Consumer Service (ACS) URL

    Required

    [paste the URL from the ShareFile here]

     

    ShareFile provides this URL. CyberArk Identity sends the SAML response to this URL.

    ShareFile Issuer / Entity ID

    Required

    https://cloud.Idaptive.com/SAML/ShareFile

    CyberArk Identity automatically generates this value for you, and you can change it if you want to. However, it must be the same value that you specify as the Entity ID on the ShareFile web site.

    Login URL

     

    [this field is not editable]

    CyberArk Identity automatically generates the content of this field.

    Copy this URL and paste into ShareFile directly.

    Logout URL

     

    [this field is not editable]

    CyberArk Identity automatically generates the content of this field.

    Copy this URL and paste into ShareFile directly.

  8. (Optional) On the Application Settings page, click Enable Derived Credentials for this app on enrolled devices (opens in built-in browser) to use derived credentials on enrolled mobile devices to authenticate with this application.

    See CyberArk-issued derived credentials for more information.

  9. On the Application Settings page, expand the Additional Options section and specify the following settings:

    Option

    Description

    Application ID

    Configure this field if you are deploying a mobile application that uses the CyberArk mobile SDK. CyberArk Identity uses the Application ID to provide single sign-on to mobile applications. Note the following:

    The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.

    There can only be one SAML application deployed with the name used by the mobile application.

    The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

    Show in User app list

    Select Show in User app list to display this web application in the user portal. (This option is selected by default.)

    If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application won’t display for users in the user portal.

    Security Certificate

    These settings specify the signing certificate used for secure SSO authentication between CyberArk Identity and the web application. Just be sure to use a matching certificate both in the application settings in the Identity Administration portal and in the application itself. Select an option to change the signing certificate.

    Use existing certificate

    When selected the certificate currently in use is displayed. It’s not necessary to select this option—it’s present to display the current certificate in use.

    Use the default tenant signing certificate

    Select this option to use CyberArk Identity standard certificate. This is the default setting.

    Use a certificate with a private key (pfx file) from your local storage

    Select this option to use your organization’s own certificate. To use your own certificate, you must click Browse to upload an archive file (.p12 or .pfx extension) that contains the certificate along with its private key. If the file has a password, you must enter it when prompted.

    Upload the certificate from your local storage prior to downloading the IdP metadata or the Signing Certificate from the Applications Settings page. If the IdP metadata is available from a URL, be sure to upload the certificate prior to providing the URL to your service provider.

  10. (Optional) On the Description page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.

    The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

  11. On the User Access page, select the role(s) that represent the users and groups that have access to the application.

    When assigning an application to a role, select either Automatic Install or Optional Install:

    • Select Automatic Install for applications that you want to appear automatically for users.

    • If you select Optional Install, the application doesn’t automatically appear in the user portal and users have the option to add the application.

  12. (Optional) On the Policy page, specify additional authentication controls for this application.

    1. Click Add Rule.

      The Authentication Rule window displays.

    2. Click Add Filter on the Authentication Rule window.

    3. Define the filter and condition using the drop-down boxes. For example, you can create a rule that requires a specific authentication method when users access CyberArk Identity from an IP address that is outside of your corporate IP range. Supported filters are:

      Filter

      Description

      IP Address

      The authentication factor is the computer’s IP address when the user logs in. This option requires that you have configured the IP address range in Settings, Network, Secure Zones.
       

      The authentication factor is the cookie that is embedded in the current browser by CyberArk Identity after the user has successfully logged in.

      Day of Week

      The authentication factor is the specific days of the week (Sunday through Saturday) when the user logs in.

      Date

      The authentication factor is a date before or after which the user logs in that triggers the specified authentication requirement.

      Date Range

      The authentication factor is a specific date range.

      Time Range

      The authentication factor is a specific time range in hours and minutes.

      Device OS

      The authentication factor is the device operating system.

      Browser

      The authentication factor is the browser used for opening CyberArk Identity user portal.

      Country

      The authentication factor is the country based on the IP address of the user computer.

      Risk Level

      The authentication factor is the risk level of the user logging on to user portal. For example, a user attempting to log in to CyberArk Identity from an unfamiliar location can be prompted to enter a password and text message (SMS) confirmation code because the external firewall condition correlates with a medium risk level. This Risk Level filter, requires additional licenses. If you do not see this filter, contact CyberArk Identity support. The supported risk levels are:

      Non Detected -- No unexpected activities are detected.

      Low -- Some aspects of the requested identity activity are unexpected. Remediation action or simple warning notification can be raised depending on the policy setup.

      Medium -- Many aspects of the requested identity activity are unexpected. Remediation action or simple warning notification can be raised depending on the policy setup.

      High -- Strong indicators that the requested identity activity is anomaly and the user's identity has been compromised. Immediate remediation action, such as MFA, should be enforced.

      Unknown -- Not enough user behavior activities (frequency of system use by the user and length of time user has been in the system) have been collected.

      Managed Devices

      The authentication factor is the designation of the device as “managed” or not. A device is considered “managed” if it is managed by CyberArk Identity, or if it has a trusted certificate authority (CA has been uploaded to tenant).

      For the Day/Date/Time related conditions, you can choose between the user’s local time and Universal Time Coordinated (UTC) time.

    4. Click the Add button associated with the filter and condition.

    5. Select the profile you want applied if all filters/conditions are met in the Authentication Profile drop-down.

      The authentication profile is where you define the authentication methods. If you have not created the necessary authentication profile, select the Add New Profile option. See Create authentication profiles.

    6. Click OK.

  13. (Optional) In the Default Profile (used if no conditions matched) drop-down, you can select a default profile to be applied if a user does not match any of the configured conditions.

    If you have no authentication rules configured and you select Not Allowed in the Default Profile dropdown, users will not be able to log in to the service.

  14. Click Save. If you have more than one authentication rule, you can prioritize them on the Policy page. You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require additional authentication methods. For details, see Application access policies with JavaScript.

    If you left the Apps section of the Identity Administration portal to specify additional authentication control, you will need to return to the Apps section before continuing by clicking Apps at the top of the page in the Identity Administration portal.

  15. On the Account Mapping page, configure how the login information is mapped to the application’s user accounts.

    The options are as follows:

    • Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the CyberArk Cloud Directory.

    • Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.

    • Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:

      LoginUser.Username = LoginUser.Get('mail')+'.ad';

      The above script instructs CyberArk Identity to set the login user name to the user’s mail attribute value in Active Directory and add ‘.ad’ to the end. So, if the user’s mail attribute value is Adele.Darwin@acme.com then CyberArk Identity uses Adele.Darwin@acme.com.ad. For more information about writing a script to map user accounts, see the SAML application scripting.

  16. (Optional) On the Advanced page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don’t need to edit this script. For more information, see the SAML application scripting.

  17. (Optional) On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.

  18. (Optional) Click Workflow to set up a request and approval work flow for this application.

    See Manage application access requests for more information.

  19. Click Save.

Citrix ShareFile provisioning

Before configuring the Citrix ShareFile application for provisioning, you must install, configure, and deploy the app.

For Citrix ShareFile, the overall workflow of configuring provisioning is as follows.

  1. You prepare your Citrix ShareFile demo account for provisioning:

  2. In the Identity Administration portal, you configure the Citrix ShareFile application for automatic user provisioning:

    1. In the Citrix ShareFile application in the Identity Administration portal, you enable provisioning.

    2. You add the Citrix ShareFile administrator and other credentials.

    3. You add the role mappings and specify how to handle updates to existing Citrix ShareFile user accounts.

    4. Make sure that provisioning is working as desired.

      Run preview synchronizations in the Identity Administration portal, review the synchronization reports, and review the list of users in Citrix ShareFile. Make changes as needed to get the desired provisioning results.

    5. Continue with Prepare your Citrix ShareFile account for provisioning.

Prepare your Citrix ShareFile account for provisioning

You need to request an API key from http://api.sharefile.com/rest. After a few days, Citrix ShareFile support provides you the OAuth key information. The OAuth key includes a client ID and a client secret. You’ll use these to configure provisioning.

Understanding how CyberArk Identity provisions Citrix ShareFile users

CyberArk Identity maps users to permission groups, instead of roles. When you assign role mappings, you can assign anywhere from no permission groups up to the three provided permission groups.

In Citrix ShareFile, these permission groups correspond to the following three permissions:

Role mapping permission group

Citrix ShareFile permissions

CanCreateFolders

Create root-level folders

CanSelectFolderZone

Select storage zone for root-level folders

CanUseFileBox

Use personal File Box

CanManageUsers

Manage client users

AdminSharedAddressBook

Edit the shared address book

CanChangePassword

Change their own password

CanManageMySettings

View the “My Settings” link in the top navigation bar

Configure Citrix ShareFile in the Identity Administration portal for automatic provisioning

  1. Click the Provisioning tab.

  2. Select Enable provisioning for this application.

  3. Select either Preview Mode or Live Mode.

    • Preview Mode: Use Preview Mode when you’re initially testing the application provisioning or making configuration changes. The identity platform does a test run to show you what changes it would make but the changes aren’t saved.

    • Live Mode: Use Live mode when you want to use application provisioning in your production system. The identity platform does the provisioning run and saves the changes to both the identity platform and the application’s account information.

  4. Enter the following information for the main provisioning details:

    Field

    Description

    Account Name

    Enter your Citrix ShareFile account name.

    For example, if your Citrix ShareFile domain is something like https://acme.sharefile.com, then your account name is acme.

    Admin Email

    Enter your Citrix ShareFile Administrator user name. This user can either be a member of the Administrator role in Citrix ShareFile, or have the required permissions.

    Admin Password

    Enter the password for the Citrix ShareFile administrator.

    Client ID

    Enter the Client ID that you received from Citrix ShareFile support, based on your OAuth key request.

    Client Secret

    Enter the Client Secret that you received from Citrix ShareFile support, based on your OAuth key request.

  5. Click Verify to have CyberArk Identity verify the connection and save the provisioning details.

Provision users for Citrix ShareFile based on roles

Here you specify an Identity Administration portal role and specify that users in that role will be matched to existing or new accounts in Citrix ShareFile with the roles that you specify.

When you change any role mappings, CyberArk Identity synchronizes any user account or role mapping changes immediately.

How CyberArk Identity determines duplicate user accounts:
If the user accounts in CyberArk Identity and the target application match for the fields that make a Citrix ShareFile user unique, then CyberArk Identity handles the user account updates according to your instructions. In many applications, the user’s email address or Active Directory userPrincipalName is the primary field used to identify a user—and in many cases, the userPrincipalName is the email address. You can look at the application’s provisioning script to see the fields that CyberArk Identity uses to match user accounts.

  1. First, make sure that you’ve entered and verified the provisioning credentials.

    On the Provisioning page, scroll down to Sync Options. 

  2. Specify how CyberArk Identity handles situations when it determines that the user already has an account in the target application.

    • Sync (overwrite): Updates account information in the target application (this includes removing data if the target account has a value for a user attribute that is not available from CyberArk Identity).

    • Do not sync (no overwrite): Keeps the target user account as it is; CyberArk Identity skips and does not update duplicate user accounts in the target application.

    • Do not de-provision (deactivate or delete): The user's account in the target application is not de-provisioned when a role membership change that would trigger a de-provisioning event occurs.

    • Select Deprovision users in this application when they are disabled in source directory to enable the feature.

      If checked, a user will be deprovisioned when they are marked as disabled in the source directory. Deprovisioning behavior and available deprovisioning options depend on what the target application supports.

  3. Scroll to the Role Mappings section.

  4. To add role mappings and specify which users get provisioned to this application, click Add.

    The Role Mapping dialog box opens.

  5. To map user accounts in the Identity Administration portal to Citrix ShareFile user accounts, select a Role (the ones in the Identity Administration portal) and a Destination group (the ones in Citrix ShareFile).

    For Citrix ShareFile, the Destination group is a set of permissions that CyberArk Identity sets for the provisioned users. You can assign a role to any, all, or none of the destination groups.

    For best results, assign roles where users are only in one role.
    For Citrix ShareFile user provisioning, CyberArk Identity maps user accounts to sets of permissions that match those set in the default permission profiles. Those sets have the same names as the default permission profiles.

  6. Click Done to save the role mapping and return to the Provisioning page.

  7. Continue adding role mappings, as desired.

    • To change a mapping, select the role mapping and click Modify.

    • To remove a mapping, select the role mapping and click Delete.

    • To change the order of the role mappings, select the role mapping that you want to move higher in the list and click Move Up.

    Provisioning assigns users access and assignments based on the top-most role mapping. The order in which the roles display in the Role Mappings section matters. The role at the top of the list has priority when provisioning users. For instance, if a user is in multiple roles that you’ve mapped for provisioning, CyberArk Identity provisions the user based on the role nearer the top of the list.
    For best results, assign roles where users are only in one role. If users are in multiple roles, rearrange the order of role mappings as desired. For more details, see Set up app-specific provisioning.
    The provisioning script is intended for advanced users who are familiar with editing server-side JavaScript code.

  8. When you’re done, click Save to save the provisioning details.

    Anytime that you make changes to the provisioning role mapping, CyberArk Identity runs a synchronization automatically. You can also run a preview synchronization or a real synchronization, if desired.