Single Sign On for ShareFile with NetScaler. Deployment Guide




This deployment guide defines the process for enabling Single Sign On into Citrix ShareFile with Citrix NetScaler acting as the SAML identity provider.

Table of Contents

Introduction
Configuration details
NetScaler features to be enabled
Solution description
Step 1: Configure ShareFile
Step 2: Configure NetScaler
  To configure domain authentication
  To import the ShareFile SP certificate onto the NetScaler
  To configure the SAML IDP policy and profile
  To configure your AAA virtual server
Validate the configuration
Conclusion

Introduction

This guide focuses on defining the guidelines for enabling Citrix ShareFile single sign on with Citrix NetScaler.

The Citrix NetScaler application delivery controller (ADC) is a world-class product with the proven ability to load balance, accelerate, optimize, and secure enterprise applications.

ShareFile is a cloud-based file sharing service that enables users to exchange documents easily and securely. ShareFile users can send large documents by email, securely handle document transfers to third parties, and access a collaboration space from desktops or mobile devices. ShareFile provides users with a variety of ways to work, including a web-based interface, mobile clients, desktop tools, and integration with Microsoft Outlook. ShareFile is offered under several business plans. ShareFile Enterprise provides enterprise-class service and includes StorageZones Controller and the User Management Tool.

Configuration details

The table below lists the minimum required software versions for this integration to work successfully. The integration process should also work with higher versions of the same products.

Product                                  Minimum required version
NetScaler                                10.5 Build 55.8nc, Enterprise/Platinum license
ShareFile Sync for Windows               3.2
ShareFile Plugin for Microsoft Outlook   3.3.3
ShareFile app for iPad                   3.2.8
ShareFile app for iPhone                 3.2.8
ShareFile app for Android Tablet         3.6.4
ShareFile app for Android Phone          3.6.4

NetScaler features to be enabled

The essential NetScaler features that need to be enabled are explained below. Please ensure these features are enabled on the NetScaler system:

Load balancing
AAA-TM

Here is a quick explanation of how these features work.

Load balancing: NetScaler load balancing distributes requests across backend servers. Multiple algorithms (for example, LEASTCONNECTION and ROUNDROBIN) are supported to provide efficient load balancing logic for every application server. In this guide it is needed only if you place a load balancing virtual server in front of your Active Directory domain controllers for LDAP redundancy.

AAA-TM: The AAA feature set controls NetScaler authentication, authorization, and auditing policies. These policies include the definition and management of various authentication schemas. NetScaler supports a wide range of authentication protocols; in this guide AAA-TM provides both the LDAP authentication of users against Active Directory and the SAML identity provider that issues the assertions ShareFile consumes. NetScaler's policy-driven application firewall is a separate feature and is not required for this integration.

Solution description

The process for enabling SSO into ShareFile with NetScaler consists of two parts: configuration of the ShareFile portal and configuration of the NetScaler appliance. To begin with, complete the required configuration on the ShareFile portal so that the ShareFile SP certificate is created. That certificate is then imported on the NetScaler and, through the SAML IDP profile, bound to the AAA virtual server that will host the SAML IDP (Identity Provider) policy.

The following instructions assume that you have already created the appropriate external and/or internal DNS entries to route authentication requests to an IP address hosted on the NetScaler, and that an SSL certificate has already been created and installed on the appliance for SSL/HTTPS communication.

Step 1: Configure ShareFile

(Replace the <subdomain> placeholder with your own ShareFile domain name throughout.)

1. In a web browser, log in to your ShareFile account at https://<subdomain>.sharefile.com with a user account that has admin rights.
2. Select the Admin link near the top of the page.
3. On the left side of the browser window, select the Configure Single Sign-On option.
4. Under Basic Settings, check the Enable SAML checkbox.
5. In the ShareFile Issuer / Entity ID field enter: https://<subdomain>.sharefile.com/saml/info
6. In the Your IDP Issuer / Entity ID field enter the URL of your AAA-TM virtual server, for example https://aaavip.mycompany.com. This string must match, character for character, the Issuer Name you later enter in the NetScaler SAML IDP profile; SAML compares it as an exact string, so a trailing slash or a different scheme is a mismatch.
7. In the Login URL field enter the URL that users will be redirected to when using SAML. This is typically https://aaavip.mycompany.com/saml/login
8. In the Logout URL field enter the logout URL that will end the user's session when the logout option is selected in the ShareFile Web UI. An example for NetScaler would be https://aaavip.mycompany.com/cgi/tmlogout (where aaavip.mycompany.com is the public FQDN for your NetScaler AAA vserver). This ends the NetScaler AAA-TM session as well, so that logging out of ShareFile does not leave a valid session on the identity provider that would sign the user straight back in.

For the X.509 Certificate entry, you need to export the SSL certificate from the NetScaler appliance that will receive and respond to your AAA traffic (in this example, the certificate bound to aaavip.mycompany.com). ShareFile uses this certificate to verify the signature on the SAML assertions that NetScaler issues. Only the certificate, the public part, is exported; the key file never leaves the appliance. Use the following procedure to export it:

1. Log in to your NetScaler appliance via the Configuration Utility.
2. Select Traffic Management > SSL.
3. On the right, under Tools, select Manage Certificates / Keys / CSRs.
4. In the Manage Certificates window, browse to the certificate you will be using for your AAA virtual server (the certificate file, not the .key file). Select the certificate and choose the Download button. Save the certificate to a location of your choice.
5. From the downloaded location, right-click the certificate and open it with a text editor such as Notepad. (Hint: open Notepad and drag the file into the blank space.)
6. Copy the entire contents of the certificate, including the BEGIN CERTIFICATE and END CERTIFICATE lines, to your clipboard.
7. In your web browser, on the Single sign-on / SAML 2.0 Configuration page, select the Change option for X.509 Certificate.
8. Paste the contents of the certificate you copied into the window.
9. Select Save.
10. Under Optional Settings, check the box Require SSO Login if you want all Employee ShareFile users to be required to use their Active Directory (AD) credentials to log on to ShareFile. (This does not affect Client users.)
11. From the drop-down list next to SP-Initiated SSO Certificate, select HTTP Post (2048 bit certificate).
12. Select the check box Enable Web Authentication.
13. Under SP-Initiated Auth Context, choose Unspecified.
14. Select the Save button at the bottom of the screen.

Whenever the SSL certificate on the AAA virtual server is replaced with one that uses a new key pair, repeat steps 1 to 9 with the new certificate; until you do, ShareFile cannot verify the assertion signatures and SSO stops working.

Step 2: Configure NetScaler

The following configuration is required on the NetScaler appliance for it to function as a SAML identity provider:

LDAP authentication policy and server for domain authentication
SSL certificate, with external and internal DNS configured for the FQDN presented by the certificate (wildcard certificates are supported)
ShareFile Service Provider (SP) certificate
SAML IDP policy and profile
AAA virtual server

This guide covers only the LDAP configuration, the import of the ShareFile SP certificate onto the NetScaler, the SAML IDP settings, and the AAA virtual server configuration. The SSL certificate and DNS configurations should be in place before you begin.

To configure domain authentication

For domain users to be able to log on to the NetScaler appliance by using their corporate email addresses, you must configure an LDAP authentication server and policy on the appliance and bind them to your AAA VIP address. (Use of an existing LDAP configuration is also supported.)

1. In the NetScaler configuration utility, in the navigation pane, select Security > AAA - Application Traffic > Policies > Authentication > Basic Policies > LDAP.
2. To create a new LDAP policy: on the Policies tab click Add, and then enter ShareFile_LDAP_SSO_Policy as the name. In the Server field, click the + icon to add a new server. The Authentication LDAP Server window appears.
3. In the Name field, enter ShareFile_SSO_LDAP_Server.
4. Select the Server IP option. Enter the IP address of one of your Active Directory domain controllers. (You can also point to a load balancing virtual server IP for redundancy if you are load balancing domain controllers.)
5. Specify the port that the NetScaler will use to communicate with the domain controller: 389 for LDAP or 636 for Secure LDAP (LDAPS). Prefer 636 with Security Type set to SSL; over port 389 the bind account password and every user's password cross the network in cleartext.
6. Under Connection Settings, enter the base DN of the container in Active Directory (AD) that holds the user accounts for which you want to allow authentication. The example below uses OU=ShareFile,DC=domain,DC=com. Only accounts under this base DN can authenticate, so keep it as narrow as the user population allows.
7. In the Administrator Bind DN field, add a domain account (using its email address / UPN form for ease of configuration) that has rights to browse the AD tree. Use a dedicated service account with no other privileges and a password that is managed or does not expire, so that logins do not break when an ordinary user's password expires.
8. Check the box for Bind DN Password and enter the password twice.
9. Under Other Settings, enter mail as the Server Logon Name Attribute. This is the attribute the name typed at the logon form is matched against, which is what lets users log on with their email address.
10. In the SSO Name Attribute field, enter UserPrincipalName. The value of this attribute is what NetScaler places in the NameID of the SAML assertion, and ShareFile must be able to map it to an account. ShareFile identifies users by email address, so if your users' UPNs differ from their email addresses, enter mail here as well.
11. Click the Create button to complete the LDAP server settings.
12. For the LDAP Policy configuration, select the newly created LDAP server from the Server drop-down list, and in the Expression field type ns_true. This is the base expression that matches all traffic; more selective policies can be built with the help of the frequently used expressions drop-down if necessary.
13. Click the Create button to complete the LDAP policy and server configuration.

To import the ShareFile SP certificate onto the NetScaler

NetScaler uses this certificate to verify the signature on the SAML authentication requests that ShareFile sends when a user starts from the ShareFile login page (SP-initiated SSO).

Log in to your ShareFile account (which must have admin rights) at https://<subdomain>.sharefile.com. Select the Admin link near the top of the page. On the left side of the browser window, select the Configure Single Sign-On option. Under Optional Settings, next to SP-Initiated SSO Certificate, HTTP Post (2048 Bit Certificate), click View. Copy the entire certificate text to your clipboard and paste it into a text editor such as Notepad. Check the formatting and remove any extra spaces or carriage returns at the end of the file, then save the text file as ShareFile_SAML.cer. Return to the web browser and click Cancel to ensure no changes are made to the ShareFile SSO settings.

Navigate to the NetScaler Configuration Utility. Navigate to Traffic Management > SSL > Certificates and click Install. In the Install Certificate window, enter a certificate-key pair name (for example, ShareFile_SAML). For the Certificate File Name field, from the Browse drop-down list select Local and browse to the location at which you saved the ShareFile_SAML.cer file. Select the file and click Install. No key file is needed: this entry holds ShareFile's public certificate only.

To configure the SAML IDP policy and profile

For your users to receive the SAML token for logging on to ShareFile, you must configure a SAML IDP policy and profile, and bind them to the AAA virtual server to which the users send their credentials.
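The two certificate copy-and-paste steps above (the AAA certificate exported to ShareFile in Step 1, and the ShareFile SP certificate saved as ShareFile_SAML.cer here) are where trailing whitespace, CRLF line endings or an accidentally included key file break the integration. The following Python script is an added example and not part of the original guide or of any Citrix tool: it normalizes a pasted PEM block, refuses input that carries a private key, and compares SHA-256 fingerprints so you can confirm that the certificate ShareFile holds is the one bound to the AAA virtual server. The certificate body it embeds is a constructed stand-in, not a real X.509 certificate.

```python
import base64
import binascii
import hashlib
import re
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize_pem(text: str) -> str:
    """Return a clean PEM certificate from a possibly messy export.

    Tolerates a BOM, CRLF endings, stray spaces, blank lines and any wrap
    width. Rejects input that is not exactly one certificate block with a
    valid base64 DER body, and refuses input that also carries a private key:
    only the public certificate belongs in ShareFile or in the NetScaler SP
    certificate slot.
    """
    if "PRIVATE KEY" in text:
        raise ValueError("input contains a private key; export the certificate only")
    text = text.replace("\ufeff", "").replace("\r", "")
    blocks = _BLOCK.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(blocks)}")
    body = re.sub(r"\s+", "", blocks[0])
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:  # a DER X.509 certificate is an ASN.1 SEQUENCE
        raise ValueError("decoded body is not a DER SEQUENCE")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"{BEGIN}\n{wrapped}\n{END}\n"


def fingerprint_sha256(pem: str) -> str:
    """Colon-separated SHA-256 fingerprint of the DER inside a clean PEM block."""
    body = re.sub(r"\s+", "", _BLOCK.search(pem).group(1))
    hexdigest = hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def same_certificate(pem_a: str, pem_b: str) -> bool:
    """True when two exports, however they were wrapped, carry the same certificate."""
    return fingerprint_sha256(normalize_pem(pem_a)) == fingerprint_sha256(normalize_pem(pem_b))


# Constructed stand-ins for DER certificates (a tiny ASN.1 SEQUENCE holding an
# INTEGER and an OCTET STRING). They are NOT real X.509 certificates; they only
# exercise the framing, whitespace and fingerprint logic.
FAKE_DER = b"\x30\x0b\x02\x01\x01\x04\x06sample"
_OTHER_DER = b"\x30\x0b\x02\x01\x02\x04\x06sample"
_B64 = base64.b64encode(FAKE_DER).decode()

# What the Notepad round trip of a downloaded certificate often looks like:
# BOM, CRLF endings, a trailing space inside the body and blank lines after END.
MESSY_EXPORT = "\ufeff" + BEGIN + "\r\n" + _B64[:10] + " \r\n" + _B64[10:] + "\r\n" + END + "  \r\n\r\n"
CLEAN_EXPORT = f"{BEGIN}\n{_B64}\n{END}\n"
OTHER_EXPORT = f"{BEGIN}\n{base64.b64encode(_OTHER_DER).decode()}\n{END}\n"


if __name__ == "__main__":
    # Usage: python pemcheck.py exported.cer [ShareFile_SAML.cer]
    # One file: print the cleaned PEM and its fingerprint.
    # Two files: report whether they carry the same certificate.
    if len(sys.argv) == 2:
        clean = normalize_pem(open(sys.argv[1], encoding="utf-8").read())
        sys.stdout.write(clean)
        print("SHA-256:", fingerprint_sha256(clean))
    elif len(sys.argv) == 3:
        a, b = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
        print("same certificate" if same_certificate(a, b) else "DIFFERENT certificates")
    else:
        print("demo, messy vs clean export:", same_certificate(MESSY_EXPORT, CLEAN_EXPORT))
```

Run it once against the file downloaded from NetScaler before pasting into ShareFile, and again with that file and the certificate later shown under ShareFile's X.509 Certificate entry to confirm the two fingerprints agree; a mismatch after a certificate renewal is the usual reason assertions stop verifying.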

Use the following procedure:

1. Open the NetScaler Configuration Utility and navigate to Security > AAA - Application Traffic > Policies > Authentication > Basic Policies > SAML IDP.
2. On the Policies tab, select the Add button.
3. In the Create Authentication SAML IDP Policy window, provide a name for your policy (for example, ShareFile_SSO_Policy).
4. To the right of the Action field, click the + icon to add a new action.
5. Provide a name (for example, ShareFile_SSO_Profile).
6. In the Assertion Consumer Service URL field, enter your ShareFile account URL followed by /saml/acs (for example, https://<subdomain>.sharefile.com/saml/acs). This is the address to which the user's browser is told to POST the signed assertion, so it must be the genuine ShareFile URL.
7. In the SP Certificate Name field, open the drop-down and select the ShareFile SP certificate you imported earlier. NetScaler uses it to validate the signature on SP-initiated authentication requests coming from ShareFile.
8. In the IDP Certificate Name field, select the certificate installed on the NetScaler that will be used to secure your AAA authentication virtual server. This is the certificate whose public part you pasted into ShareFile in Step 1; NetScaler signs the assertions with its private key.
9. In the Issuer Name field, enter the URL for your AAA traffic (for example https://aaavip.mycompany.com). It must be identical to the Your IDP Issuer / Entity ID value entered in ShareFile.
10. In the Audience field, enter the URL for your ShareFile account (for example https://<subdomain>.sharefile.com).
11. Click Create to complete the SAML IDP profile configuration and return to the SAML IDP Policy creation window.
12. In the Expression field, add the following expression: HTTP.REQ.URL.CONTAINS("saml")
13. Click Create to complete the SAML IDP configuration.

To configure your AAA virtual server

An employee trying to log in to ShareFile is redirected to a NetScaler AAA virtual server for evaluation of the employee's corporate credentials. This virtual server listens on port 443, which requires an SSL certificate, in addition to external and/or internal DNS resolution of the virtual server's IP address on the NetScaler appliance. The following steps assume that the DNS name resolution is already in place and that the SSL certificate is already installed on your NetScaler appliance.

1. In the NetScaler Configuration Utility, navigate to Security > AAA - Application Traffic > Virtual Servers and click the Add button.
2. In the Authentication Virtual Server window, enter the virtual server's name and IP address.
3. Scroll down and make sure that the Authentication and State check boxes are selected.
4. Click Continue.
5. In the Certificates section, select No Server Certificate. In the Server Cert Key window click Bind. Under SSL Certificates, choose your AAA SSL certificate and select Insert. (Note: this is NOT the ShareFile SP certificate.) Click Save, then click Continue.
6. Click Continue again to bypass the Advanced Policy creation option, and instead add a Basic Authentication Policy by selecting the + icon on the right side of the window.
7. In the Choose Type window, from the Choose Policy drop-down list select LDAP, leave Primary as the type, and select Continue.
8. Select Bind and, from within the Policies window, select the ShareFile_LDAP_SSO_Policy created earlier. Click OK to return to the Authentication Virtual Server screen.
9. Under Basic Authentication Policies click the + icon on the right to add a second Basic Policy.
10. From the Choose Policy drop-down list, select SAMLIDP, leave Primary as the type, and click Continue.
11. Under Policies select Bind, select your ShareFile_SSO_Policy, and click Insert and OK.
12. Click Continue and Done.

After completing the AAA configuration above, the Basic Settings screen of the AAA vserver shows the AAA SSL certificate, the LDAP policy and the SAML IDP policy bound to the virtual server.
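With the LDAP policy, the SAML IDP policy and the SSL certificate bound, the AAA virtual server issues a signed SAML Response to the ACS URL each time ShareFile sends a user to /saml/login. The following Python script is an added example, not code from the guide, from NetScaler or from ShareFile: it builds a constructed, unsigned sample of such a response and applies the checks the service provider side performs against the three profile values (Issuer Name, Audience and Assertion Consumer Service URL), showing that each one is an exact string comparison. Host names are the guide's placeholders and the NameID value is an assumed test user; XML signature verification is deliberately omitted (standard library only), so this is a model of why logins fail, not a substitute for ShareFile's own validation.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# The three strings from the SAML IDP profile, using the guide's placeholder hosts.
IDP_ISSUER = "https://aaavip.mycompany.com"          # Issuer Name
AUDIENCE = "https://subdomain.sharefile.com"          # Audience
ACS_URL = "https://subdomain.sharefile.com/saml/acs"  # Assertion Consumer Service URL
SAMPLE_NOW = datetime(2015, 12, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


class SamlError(Exception):
    """Raised for any condition under which the SP must discard the response."""


def _ts(value: str) -> datetime:
    """Parse an xsd:dateTime such as 2015-12-01T12:00:00Z into an aware datetime."""
    if not value:
        raise SamlError("missing timestamp in Conditions")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text: str, now: datetime, *, issuer: str = IDP_ISSUER,
                      audience: str = AUDIENCE, acs: str = ACS_URL,
                      skew: timedelta = timedelta(seconds=60)) -> str:
    """Apply the SP-side checks to a samlp:Response and return its NameID.
    Every comparison is an exact string match: a trailing slash or a different
    scheme in a profile field is enough to break the login."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlError("not a samlp:Response")
    if root.get("Destination") != acs:
        raise SamlError(f"Destination {root.get('Destination')!r} != ACS {acs!r}")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlError(f"expected one Assertion, found {len(assertions)}")
    a = assertions[0]
    got_issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if got_issuer != issuer:
        raise SamlError(f"Issuer {got_issuer!r} != {issuer!r}")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("missing Conditions")
    if now + skew < _ts(cond.get("NotBefore")) or now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise SamlError("assertion is outside its validity window")
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if audience not in audiences:
        raise SamlError(f"Audience {audiences} does not include {audience!r}")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, acs):
        raise SamlError("SubjectConfirmationData Recipient != ACS")
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise SamlError("missing NameID")
    return name_id


def build_response(name_id: str, now: datetime, *, issuer: str = IDP_ISSUER,
                   audience: str = AUDIENCE, destination: str = ACS_URL) -> str:
    """Constructed, unsigned sample of the response the IdP POSTs to the ACS (test input only)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    issued, nb, noa = (t.strftime(fmt) for t in (now, now - timedelta(minutes=1), now + timedelta(minutes=5)))
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{issued}" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issued}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="{noa}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def demo() -> dict:
    """Good response passes; trailing-slash audience, wrong issuer and stale assertion fail."""
    user = "jdoe@mycompany.com"  # assumed UserPrincipalName of a test user
    results = {"good": validate_response(build_response(user, SAMPLE_NOW), SAMPLE_NOW)}
    cases = [("slash", {"audience": AUDIENCE + "/"}, SAMPLE_NOW),
             ("wrong_issuer", {"issuer": IDP_ISSUER + ":443"}, SAMPLE_NOW),
             ("expired", {}, SAMPLE_NOW + timedelta(minutes=10))]
    for label, kwargs, when in cases:
        try:
            validate_response(build_response(user, SAMPLE_NOW, **kwargs), when)
            results[label] = "accepted"
        except SamlError as exc:
            results[label] = f"rejected: {exc}"
    return results
```

Calling demo() returns the NameID for the well-formed response and a "rejected: ..." reason for the three broken variants. When a real login bounces back to ShareFile with an error, the assertion can be captured from the browser's POST to /saml/acs (base64 in the SAMLResponse form field) and run through validate_response with your own profile values to find which field disagrees, before looking at the signature.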

Validate the configuration

Point your browser to https://<subdomain>.sharefile.com/saml/login. You should be redirected to the NetScaler AAA logon form. Log in with user credentials that are valid for the NetScaler environment you just configured. Your ShareFile folders at <subdomain>.sharefile.com should appear.

If the logon form rejects valid credentials, watch /tmp/aaad.debug in the NetScaler shell while a user logs in to see the LDAP bind or search failing. If the logon succeeds but ShareFile then shows an error, compare the Issuer Name, Audience and Assertion Consumer Service URL in the SAML IDP profile with the ShareFile SSO settings character by character, and confirm that the certificate pasted into ShareFile is the one bound to the AAA virtual server.

Conclusion

NetScaler enables a secure and seamless experience with ShareFile by enabling single sign on into ShareFile accounts, thus avoiding the need for users to remember multiple passwords and user IDs, while reducing the administrative overhead involved in maintaining these deployments.

About Citrix

Citrix (NASDAQ:CTXS) is leading the transition to software-defining the workplace, uniting virtualization, mobility management, networking and SaaS solutions to enable new ways for businesses and people to work better. Citrix solutions power business mobility through secure, mobile workspaces that provide people with instant access to apps, desktops, data and communications on any device, over any network and cloud. With annual revenue in 2014 of $3.14 billion, Citrix solutions are in use at more than 330,000 organizations and by over 100 million users globally. Learn more at www..

Copyright 2015 Citrix Systems, Inc. All rights reserved. Citrix and NetScaler are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies.