Citrix Content Collaboration single sign-on configuration guide for Citrix Gateway

You can configure Citrix Gateway (Citrix ADC) to function as a SAML identity provider (IdP) by using the Citrix ADC AAA feature.

In this configuration, a user signing in to Citrix Content Collaboration using a web browser or another Citrix Files client is redirected to a virtual server on Citrix Gateway that has a SAML IdP policy bound for user authentication. After successful authentication on Citrix Gateway, the user receives a SAML token (a signed assertion) that is valid to sign in to their Citrix Content Collaboration account.

The Citrix Content Collaboration configuration must be completed first so that the SP certificate is generated; you then import that certificate on Citrix Gateway and bind it to your Citrix ADC AAA virtual server. For the purposes of this document it is assumed that you have already created the appropriate external and internal DNS entries to route authentication requests to the address that Citrix Gateway listens on, and that an SSL certificate has already been created and installed on Citrix Gateway for SSL/HTTPS communication.

Configure Citrix Content Collaboration

  1. Sign in to your account at https://subdomain.sharefile.com with a user account that has admin rights.
  2. Select Settings > Admin Settings.
  3. Select Security > Login & Security Policy, scroll down and select the Single Sign-On Configuration option.
  4. Under Basic Settings, check Enable SAML.
  5. In the ShareFile Issuer / Entity ID field, enter: https://subdomain.sharefile.com/saml/acs
  6. In the Login URL field, enter the URL that users are redirected to when using SAML. Example: https://aaavip.mycompany.com/saml/login
  7. In the Logout URL field, enter the URL that ends the user's session when they select the logout option in the web UI. Example: https://aaavip.mycompany.com/cgi/tmlogout
  8. For the X.509 Certificate, you must export the SSL certificate from the Citrix Gateway appliance that is going to answer for your Citrix ADC AAA traffic. In the example above, this is referenced as being assigned the FQDN aaavip.mycompany.com. Citrix Content Collaboration uses this certificate to verify the signature on the assertions that Citrix Gateway issues, so it must be the same certificate that is bound to the Citrix ADC AAA virtual server and later selected as the IDP Certificate Name in the SAML IdP profile.

Follow the steps below to export this certificate.

  1. Sign in to your Citrix Gateway appliance using the Configuration Utility.
  2. Select Traffic Management > SSL.
  3. On the right, underneath Tools, select Manage Certificates / Keys / CSRs.

    gateway image 1

  4. From the Manage Certificates window, browse to the certificate you are using for your Citrix ADC AAA virtual server. Select the certificate and choose the Download button. Save the certificate to a location of your choice.
  5. From the downloaded location, right-click the certificate file and open it with a text editor such as Notepad.
  6. Copy the entire contents of the certificate to your clipboard, including the BEGIN CERTIFICATE and END CERTIFICATE lines. Copy only the certificate file, never the private key file that belongs to it.
  7. Navigate back to your Citrix Content Collaboration account using the web browser.
  8. For the X.509 Certificate, select Change. Paste the contents of the certificate you copied to your clipboard into the window.

    gateway image 2

  9. Select Save.

  10. Under Optional Settings, switch Require SSO Login to Yes if you want all employee users to be required to use their AD credentials to sign in.
  11. Select the list next to SP-Initiated SSO Certificate. From the list, select HTTP Post (2048 bit certificate).
  12. Check Yes to force the SP-Initiated SSO Certificate to regenerate. If you regenerate this certificate again later, the copy imported on Citrix Gateway must be replaced as well.
  13. Check Yes to Enable Web Authentication.
  14. Under SP-Initiated Auth Context, choose Unspecified.

    gateway image 3

  15. Select the Save button at the bottom of the screen.

Configure Citrix Gateway

The following configuration is required for support as a SAML identity provider:

  • LDAP Authentication Policy and Server for domain authentication
  • SSL Certificate with External / Internal DNS configured accordingly to the FQDN being presented by the certificate (Wildcard certificates are supported)
  • ShareFile SP Certificate
  • SAML IdP Policy and Profile
  • Citrix ADC AAA Virtual Server

For the purposes of this material, we cover the LDAP configuration, the import of the ShareFile SP certificate on Citrix Gateway, the SAML IdP settings, and the Citrix ADC AAA virtual server configuration. The SSL certificate and DNS configurations must be in place before setup.

To configure domain authentication

For domain users to be able to sign in using their corporate email address, you must configure an LDAP authentication server and policy on Citrix Gateway and bind them to your Citrix ADC AAA virtual server. Use of an existing LDAP configuration is also supported.

  1. In the configuration utility, select Security > AAA – Application Traffic > Policies > Authentication > Basic Policies > Policy > LDAP in the left navigation pane.
  2. To create an LDAP policy, on the Policies tab, click Add… and then enter ShareFile_LDAP_SSO_Policy as the name. In Action Type, select LDAP.
  3. In the Action field, click + to add a server. The Create Authentication LDAP Server window appears.
    • In the Name field, enter ShareFile_LDAP_SSO_Server.
    • Select the bullet for Server IP. Enter the IP address of one of your AD domain controllers. You can also point to a load-balancing virtual server IP for redundancy if you are load-balancing domain controllers.
    • Specify the port that the NSIP uses to communicate with the domain controller. Use 389 for LDAP or 636 for Secure LDAP. Prefer 636 with the Security Type set to SSL: with plain LDAP on 389, the bind account password and every user's credentials cross the network in clear text between the appliance and the domain controller.
    • Under Connection Settings, enter the Base DN where the user accounts that you want to allow to authenticate reside in AD. Example: OU=ShareFile,DC=domain,DC=com
    • In the Administrator Bind DN field, add a domain account (using an email address for ease of configuration) that has rights to browse the AD tree. A dedicated service account with read-only rights is advisable, so that sign-ins do not break when an individual's password expires and so that the appliance configuration does not hold a privileged credential.
    • Check the box for Bind DN Password and supply the password twice.
    • Under Other Settings, enter sAMAccountName as the Server Logon Name Attribute.
    • In the Group Attribute field, enter memberOf.
    • In the Sub Attribute field, enter CN.
    • Click More.
    • Scroll down and, under Attribute Fields, in Attribute 1 enter mail. This is the attribute that the SAML IdP profile's Name ID Expression, aaa.user.attribute(1), returns later.

    gateway image 4

    • Click the Create button to complete the LDAP server settings.
    • For the LDAP Policy Configuration, select the newly created LDAP server from the server menu, and in the Expression field, type true.

    gateway image 5

Click Create to complete the LDAP policy and server configuration.

To import the SP-Certificate onto Citrix Gateway

  1. Sign in to your account at https://subdomain.sharefile.com with a user account that has admin rights.
  2. Select the Settings > Admin Settings link near the left/center of the page. Select Security > Login & Security Policy, then scroll down to Single Sign-On Configuration.
  3. Under Optional Settings, next to SP-Initiated SSO Certificate, HTTP Post (2048 Bit Certificate), click View.
  4. Copy the entire certificate text (the Base64 PEM block, not a hash of it) to your clipboard and paste it into a text editor such as Notepad.
  5. Check the formatting and remove any extra spaces or carriage returns at the end of the file, then save the text file as ShareFile_SAML.cer.
  6. Navigate to the Citrix Gateway configuration utility.
  7. Select Traffic Management > SSL > Certificates > CA Certificates.
  8. Click Install.
  9. From the Install Certificate window, provide a Certificate-Key Pair Name.
  10. Under the Certificate File Name section, select the menu next to Browse and select Local. Browse to the location where you saved the ShareFile_SAML.cer file.
  11. Once the file is chosen, select Install.
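Both certificate hand-offs in this guide (the Citrix Gateway certificate pasted into the ShareFile X.509 Certificate field, and the SP certificate copied out of the View dialog and saved as ShareFile_SAML.cer) depend on a clean paste. The script below is an added example written for this guide, not Citrix or ShareFile code: it strips the stray whitespace and carriage returns a browser copy adds, refuses a private key, checks that the payload really is DER, rewraps it as canonical PEM, and prints a SHA-256 fingerprint so the copy on each side can be compared. The sample blob is constructed (a tiny DER SEQUENCE, not a real certificate) so that it runs offline.

```python
"""Normalize a certificate pasted from a web UI and fingerprint it.

Added example for this guide; not Citrix or ShareFile code. The sample blob
below is constructed: a Base64 DER SEQUENCE, not a real X.509 certificate.
"""
import base64
import hashlib
import re
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize_pem(blob: str) -> str:
    """Return a canonical PEM block: header, 64-character Base64 lines, footer.

    Drops everything outside the BEGIN/END markers and all whitespace inside
    them (the extra spaces and carriage returns a browser copy adds), refuses a
    private key, and checks that the payload decodes to a DER SEQUENCE (0x30),
    which every X.509 certificate starts with.
    """
    if "PRIVATE KEY" in blob:
        raise ValueError("blob contains a private key; paste only the certificate")
    m = _PEM_RE.search(blob)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE markers found")
    b64 = re.sub(r"\s+", "", m.group(1))
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("payload is not a DER SEQUENCE; wrong file pasted?")
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"{BEGIN}\n{body}\n{END}\n"


def der_bytes(blob: str) -> bytes:
    """DER encoding of the certificate inside a (possibly messy) PEM blob."""
    lines = normalize_pem(blob).splitlines()
    return base64.b64decode("".join(lines[1:-1]))


def sha256_fingerprint(blob: str) -> str:
    """SHA-256 fingerprint of the DER, colon-separated as openssl prints it."""
    hexdigest = hashlib.sha256(der_bytes(blob)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def same_certificate(blob_a: str, blob_b: str) -> bool:
    """True when two pasted blobs carry the same certificate, whatever their whitespace."""
    return der_bytes(blob_a) == der_bytes(blob_b)


# Constructed sample: DER SEQUENCE { INTEGER 5 } = 30 03 02 01 05, Base64 "MAMCAQU="
MESSY_PASTE = "  -----BEGIN CERTIFICATE-----\r\n MAMC \r\nAQU= \r\n-----END CERTIFICATE-----\r\n\r\n"
CLEAN_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(normalize_pem(MESSY_PASTE), end="")
    print("SHA256 fingerprint:", sha256_fingerprint(MESSY_PASTE))
    print("matches clean copy:", same_certificate(MESSY_PASTE, CLEAN_PEM))
```

Run sha256_fingerprint over the text you pasted into ShareFile and over the certificate file on the appliance: if the two fingerprints differ, the wrong certificate was exported, and signature validation will fail later with no other obvious symptom.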

To configure the SAML IdP policy and profile

For your users to receive the SAML token that signs them in to Citrix Content Collaboration, you must configure a SAML IdP policy and profile and bind it to the Citrix ADC AAA virtual server to which the users provide their credentials.

The following steps outline this process:

  1. Open the Citrix Gateway configuration utility and navigate to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > SAML IDP.
  2. Under the Policies tab, select the Add button.
  3. From the Create Authentication SAML IDP Policy window, provide a name for your policy, such as ShareFile_SSO_Policy.
  4. To the right of the Action field, select the + sign to Add a new Action/Profile.
  5. Provide a name such as ShareFile_SSO_Profile and clear the Import Metadata check box. If you are running an older version of NetScaler, this check box might not exist.
  6. In the Assertion Consumer Service URL field, enter your Citrix Content Collaboration account URL followed by /saml/acs. Example: https://subdomain.sharefile.com/saml/acs
  7. In the IDP Certificate Name field, browse to the certificate installed on Citrix Gateway that is used to secure your Citrix ADC AAA authentication virtual server. This is the certificate you pasted into Citrix Content Collaboration as the X.509 Certificate; Citrix Gateway signs assertions with its private key.
  8. In the SP Certificate Name field, select the menu and browse to the SP certificate you imported earlier and added as a CA certificate. Citrix Gateway uses it to verify signed requests from Citrix Content Collaboration.
  9. For Sign Assertion, leave ASSERTION.
  10. Clear Send Password, so that the user's password is not carried inside the assertion.
  11. In the Issuer Name field, enter the URL for your Citrix ADC AAA traffic. Example: https://aaavip.mycompany.com
  12. Leave Service Provider ID blank.
  13. Clear Reject Unsigned Requests. With this cleared, Citrix Gateway also accepts authentication requests that are not signed with the SP certificate.
  14. For Signature Algorithm, select RSA-SHA256.
  15. For Digest Method, select SHA256.
  16. For SAML Binding, select POST.
  17. Click More.
  18. In the Audience field, provide the URL for your Citrix Content Collaboration account.
  19. For Skew Time, enter 5. This allows a time difference of up to 5 minutes between the client, Citrix Gateway, and Citrix Content Collaboration.
  20. For Name ID Format, select Transient.
  21. In the Name ID Expression field, type the following: aaa.user.attribute(1). If using NetScaler 11.x, type http.req.user.attribute(1). This returns Attribute 1 (mail) from the LDAP server configuration.

    gateway image 6

  22. Click Create to complete the SAML IdP profile configuration and return to the SAML IdP Policy creation window.
  23. In the Expression field, add the following expression: HTTP.REQ.URL.CONTAINS("saml")
  24. Click Create to complete the SAML IdP configuration.
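The profile fields above (Issuer Name, Assertion Consumer Service URL, Audience, Skew Time, Name ID Format) are the values the service provider checks when an assertion arrives. The script below is an added example written for this guide, not Citrix or ShareFile code: it evaluates those checks the way a SAML SP does, including the 5-minute skew window on NotBefore/NotOnOrAfter, against a SAML Response that is constructed inline rather than captured from a gateway. The FQDNs are the guide's placeholders. Signature verification (Sign Assertion, RSA-SHA256) is intentionally left out because it needs an XML-DSig implementation; the conditions shown here are the ones a misconfigured Audience, Issuer or clock breaks.

```python
"""Evaluate, as the service provider would, the conditions stamped into an
assertion by the SAML IdP profile described above.

Added example for this guide, not Citrix or ShareFile code. The SAML Response
is constructed here; the FQDNs are the guide's placeholders.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# What the SP expects, mirroring the IdP profile fields (assumed example values).
EXPECTED = {
    "issuer": "https://aaavip.mycompany.com",               # Issuer Name
    "audience": "https://subdomain.sharefile.com",          # Audience
    "acs_url": "https://subdomain.sharefile.com/saml/acs",  # Assertion Consumer Service URL
    "skew": timedelta(minutes=5),                           # Skew Time
    "nameid_format": TRANSIENT,                             # Name ID Format
}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, now: datetime, expected=EXPECTED) -> list:
    """Return the names of the checks that failed; an empty list means accept."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != expected["acs_url"]:
        problems.append("destination")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no-assertion"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["issuer"]:
        problems.append("issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no-conditions")
    else:
        skew = expected["skew"]
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        # Skew Time widens the validity window by 5 minutes on both ends.
        if nb and now + skew < parse_ts(nb):
            problems.append("not-yet-valid")
        if na and now - skew >= parse_ts(na):
            problems.append("expired")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if expected["audience"] not in audiences:
            problems.append("audience")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != expected["nameid_format"]:
        problems.append("nameid-format")
    return problems


def sample_response(issued: datetime, audience=EXPECTED["audience"],
                    destination=EXPECTED["acs_url"], issuer=EXPECTED["issuer"],
                    lifetime=timedelta(minutes=5)) -> str:
    """Constructed, unsigned SAML Response shaped like the one the profile above issues."""
    nb, na = issued.strftime(TS_FMT), (issued + lifetime).strftime(TS_FMT)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="{nb}" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="{nb}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{TRANSIENT}">user@domain.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


ISSUED = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def check_sample(offset_minutes: int, **overrides) -> list:
    """Validate the constructed response as seen by an SP clock offset_minutes from issue."""
    resp = sample_response(ISSUED, **overrides)
    return validate_response(resp, ISSUED + timedelta(minutes=offset_minutes))


if __name__ == "__main__":
    for offset in (-6, -4, 2, 9, 10):
        print(f"SP clock {offset:+d} min:", check_sample(offset) or "accept")
    print("wrong audience:", check_sample(2, audience="https://other.example"))
```

With a 5-minute assertion lifetime and a 5-minute Skew Time, the SP still accepts the assertion when its clock is 4 minutes behind the gateway or 9 minutes ahead, and rejects it at 6 minutes behind or 10 minutes ahead; a wrong Audience or Destination is rejected regardless of time, which is why those fields must match the account URL exactly.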

    gateway image 7

To configure your Citrix ADC AAA virtual server

When an employee attempts to sign in using their corporate credentials, they are redirected to a Citrix ADC AAA virtual server on Citrix Gateway. This virtual server listens on port 443, which requires an SSL certificate, in addition to external and internal DNS resolution to the IP address hosted on Citrix Gateway. The following steps assume that DNS name resolution is already in place and that the SSL certificate is already installed on your Citrix Gateway appliance.

  1. In the Configuration Utility, navigate to Security > AAA – Application Traffic > Virtual Servers and select the Add button.
  2. From the Authentication Virtual Server window, provide a name and an IP address.
  3. Scroll down and make sure that the Authentication and State check boxes are checked.

    gateway image 8

  4. Click Continue.
  5. In the Certificates section, click No Server Certificate.
  6. From the Server Cert Key window, click Bind.
  7. Under SSL Certificates, choose your Citrix ADC AAA SSL certificate and select Insert. Note: This is NOT the ShareFile SP certificate.
  8. Click Bind, then click Continue.
  9. From the Advanced Authentication Policies option, click No Authentication Policy.
  10. From the Policy Binding page, select Policy, then select the ShareFile_LDAP_SSO_Policy created earlier.
  11. Click Select, then Bind (leaving defaults) to return to the Authentication Virtual Server screen.
  12. Under Advanced Authentication Policies, click No SAML IDP Policy.
  13. Under Policies, select your ShareFile_SSO_Policy. Click Select.
  14. From the Policy Binding page (leave defaults), click Bind, then Close.
  15. Click Continue and Done.

Validate the configuration

  1. Go to https://subdomain.sharefile.com/saml/login. You are now redirected to the Citrix Gateway sign-in form.
  2. Sign in with user credentials that are valid for the environment you configured. Your folders at subdomain.sharefile.com now appear.