If you're thinking about ShareFile, Citrix's secure file sharing solution, you should give thought to user account authentication and management. Planning for this now will save you trouble in the future as your ShareFile needs and user base grows. This is where Azure Active Directory can help.
If your organization is using Office 365, you're already using Azure Active Directory (AD). Azure AD is a cost effective, reliable, and easy to use single sign-on (SSO) solution. With Azure AD It's simple to extend its use to SaaS applications like ShareFile. Once Azure AD has been setup you can connect it to your on-premise Active Directory in minutes. Microsoft offers different options for Azure AD based on your needs.
When you integrate ShareFile with Azure AD you'll be able to centrally manage who has access to through the Azure portal. Because of Azure's SSO capabilities, you'll also be able to enable users to automatically sign onto ShareFile with their Azure AD accounts.
You can try Citrix ShareFile and Azure AD for free by signing up at their portals:
Now, let's run through the process of configuring ShareFile to work with Azure AD. For this demonstration, I've already configured Azure AD, enabled Azure Active Directory Connect, and completed the initial configuration of my ShareFile site.
Configure Azure AD
Once in the Enterprise Applications window click on New Application
From this window find the section Add From The Gallery and type in Citrix ShareFile or justShareFile
Once You’ve selected Citrix ShareFile, click Add
Choose Single Sign-on
Choose SAML Based Sign-On from the Single Sign-on Mode drop down list
In the Citrix ShareFile Domain and URLs section enter the following information:
- Sign on URL
- Reply URL
This information will be found in your ShareFile Administration console in the Login & Security Policy section
Lower on the page you will see the SAML Signing Certificate, download the certificate from the link named Certificate (Base64)
Logon to your Citrix ShareFile site and choose Security from Settings > Admin Settings
Choose Login & Security Policy
For Azure AD to work with Share File check Yes under Enable SAML, then fill out the following information:
- ShareFile Issuer/Entity ID
- Your IDP Issuer/Entity ID
- Upload the SAML certificate you downloaded earlier from Azure
- Login URL
- Logout URL
You will find the information needed above by logging into your Azure portal and going to Azure Active Directory > Enterprise Applications > All Applications > ShareFile and clicking on Configure Citrix ShareFile
Once Configure Citrix ShareFile opens, scroll down to the Quick Reference to find the IDP Issuer/Entity ID, SAML certificate (if needed), Login URL, and Logout URL.
To upload the certificate you downloaded you will need to open the file with a text editor such as Notepad and copy the contents so you can past it into window when prompted.
Finally you will need to click Yes under Require SSO Logon
Also, make sure you choose Exact and User Name and Password beneath the SP-Initiated Auth Context section. If this is not set, you will not be able to log in Azure AD credentials.
Azure AD User Creation and Authorization
Now that Azure AD and ShareFile configuration is complete, create a user account
In the Azure Portal go to your Azure Active Directory and click Add A User
Give the user a Name and Username
In this example I’m using firstname.lastname@example.org, siderbox.com is the name of my Azure AD
One the user account is created if will show in your Users and Groups list and will be replicated to your on-premise Active Directory if you’re using Azure AD Connect
Now that the account is created, we need to authorize it to use Azure AD in conjunction with ShareFile
Navigate to Azure Active Directory > Enterprise Applications > All Applications and click onCitrix ShareFile
Select Users and Groups and click Add User
You can choose individual accounts or groups, in this example I am picking a group
Once the user or group is selected you need to assign it a Role, select Employee
Once users and groups and roles are selected click Assign
ShareFile User Enablement
The final step we need to take is to Enable users in ShareFile
Login to your ShareFile site if needed and navigate to People > Manage Users Home and click Create Employee
Fill in the user’s First Name, Last Name, and Email Address.
The email address must be valid, the user will be sent a verification email from ShareFile
Users can be created in bulk by clicking “Need To Import Multiple Users With Excel?” This will allow you to download an Excel template which you can fill out and upload
Once the information is filled in, click Create & Continue
Make sure you’re completely logged out of ShareFile and navigate to your ShareFile page
You should see a new option: Company Employee Sign In, click Sign in
You should be sent to the Azure AD logon page
If your account is not already listed, click Use Another Account or type the address in and click Next
Type in your password when prompted and click Sign In
When successful, you’ll be logged into ShareFile with your Azure AD credentials!
Now you can add more accounts. Just follow the steps in the sections Azure AD User Creation and Authorization and ShareFile User Enablement above.
ShareFile is a great product, have fun and explore!
Notes and Thoughts
Other options, such as multi-factor authentication can be added to Azure AD. We’ll explore that option in a future post.
Thank you for your time, until next time!
Originally posted on Tuesday, December 12, 2017, by Matthew Carlton at http://www.siderbox.com