Citrix ShareFile SAML Single Sign-On (SSO)

This section contains the following topics:

Citrix ShareFile single sign-on configuration overview


  • A signed certificate. You can either download one from the Identity Administration portal or use your organization’s trusted certificate.

Set up the certificates for SSO

To establish a trusted connection between the web application and CyberArk Identity, you need to have the same signing certificate in both the application and the application settings in the Identity Administration portal.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in the Identity Administration portal. You also upload the public key certificate in a .cer or .pem file to the web application.

Configure ShareFile for SSO

You need administrator privileges in ShareFile to perform these steps.

It can be useful to open the web application and the Identity Administration portal simultaneously and have them both open, perhaps side by side. As part of the SSO configuration process, you’ll need to copy and paste settings between the two browser windows.

SSO on ShareFile mobile apps

ShareFile offers a family of mobile ShareFile apps. When you enable SSO for ShareFile, all users signing in through the iOS and Android apps do so through SSO. They may no longer sign in through those apps with user name and password.

Configure ShareFile in the Identity Administration portal

Citrix ShareFile provisioning

Before configuring the Citrix ShareFile application for provisioning, you must install, configure, and deploy the app.

For Citrix ShareFile, the overall workflow of configuring provisioning is as follows.

Prepare your Citrix ShareFile account for provisioning

You need to request an API key from After a few days, Citrix ShareFile support provides you the OAuth key information. The OAuth key includes a client ID and a client secret. You’ll use these to configure provisioning.

Understanding how CyberArk Identity provisions Citrix ShareFile users

CyberArk Identity maps users to permission groups, instead of roles. When you assign role mappings, you can assign anywhere from no permission groups up to the three provided permission groups.

In Citrix ShareFile, these permission groups correspond to the following three permissions:

Role mapping permission group

Citrix ShareFile permissions


Create root-level folders


Select storage zone for root-level folders


Use personal File Box


Manage client users


Edit the shared address book


Change their own password


View the “My Settings” link in the top navigation bar

Configure Citrix ShareFile in the Identity Administration portal for automatic provisioning

Provision users for Citrix ShareFile based on roles

Here you specify an Identity Administration portal role and specify that users in that role will be matched to existing or new accounts in Citrix ShareFile with the roles that you specify.

When you change any role mappings, CyberArk Identity synchronizes any user account or role mapping changes immediately.

How CyberArk Identity determines duplicate user accounts:
If the user accounts in CyberArk Identity and the target application match for the fields that make a Citrix ShareFile user unique, then CyberArk Identity handles the user account updates according to your instructions. In many applications, the user’s email address or Active Directory userPrincipalName is the primary field used to identify a user—and in many cases, the userPrincipalName is the email address. You can look at the application’s provisioning script to see the fields that CyberArk Identity uses to match user accounts.