
Xenmobile Cloud as IDP for ShareFile on prem SSO? Is passthrough possible on windows via Web browser or the Citrix Files application?


Christopher Sinclair1709160892

Question

Posted

We have a netscaler gateway on prem as well as our storages for Sharefile. Currently we have ShareFile use Xenmobile as the IDP for SSO - this results (whether you are using the windows app or web browser) in the user being presented with a Netscaler logon prompt window where they can input their regular Active Directory credentials. It also allows Secure Hub to directly pass credentials to the Citrix Files mobile app (iOS / Android) which currently works perfectly. The correct Sharefile GPO settings are enabled already for the Citrix Files windows app.

 

Does anybody know how we can get true SSO and pass their windows credentials directly into this Netscaler prompt? Is this even possible?

 

There's quite a bit of documentation on using the old Xenmobile on prem as IDP but nothing related to Xenmobile cloud.

9 answers to this question

Recommended Posts

Posted
43 minutes ago, David Wilkinson1709157632 said:

Didn't see a response to this question...

 

You can set your NetScaler up as your IDP for Sharefile and point to your company LDAP. You can review the details here: https://support.citrix.com/article/CTX208557

 

Unfortunately that will break SSO on the sharefile mobile app (Secure Hub needs to pass credentials to Sharefile)

 

After talking to numerous support people it looks like it's not possible to do true SSO with their current lineup if you are hosting Sharefile on prem and using Xenmobile (endpoint management) in the cloud as the IDP. You will always have to manually enter the credentials into the Netscaler logon prompt. Xenmobile on prem however might be a different story.

Posted

We just recently moved from XenMobile on-prem to the Citrix Cloud, and our SSO works both for the browser-based ShareFile Company Login and via the 'Citrix Files for XenMobile' app on both iOS and Android. If I remember correctly we first set up ShareFile in XenMobile, making sure our IdP certificate was loaded into XenMobile (Settings > Certificates) as a SAML cert. Then we went into the ShareFile admin SAML settings and changed the Login URL to match our IdP URL (because updating in XenMobile changes the Login URL to the XenMobile MDM URL).

 

Something changed when moving to the Cloud and it broke the mobile app SSO, but we resolved this with a Traffic Policy on the Gateway (which still has a confusing part to it that we've been working on - as in it shouldn't work).

 

FYI we also host ShareFile StorageZones on prem. We've never seen a prompt from the Netscaler. Are you sure the prompt isn't from a Network Share Connector?

Posted
22 minutes ago, Ryan Tsamouris said:

We just recently moved from XenMobile on-prem to the Citrix Cloud, and our SSO works both for the browser-based ShareFile Company Login and via the 'Citrix Files for XenMobile' app on both iOS and Android. If I remember correctly we first set up ShareFile in XenMobile, making sure our IdP certificate was loaded into XenMobile (Settings > Certificates) as a SAML cert. Then we went into the ShareFile admin SAML settings and changed the Login URL to match our IdP URL (because updating in XenMobile changes the Login URL to the XenMobile MDM URL).

 

Something changed when moving to the Cloud and it broke the mobile app SSO, but we resolved this with a Traffic Policy on the Gateway (which still has a confusing part to it that we've been working on - as in it shouldn't work).

 

FYI we also host ShareFile StorageZones on prem. We've never seen a prompt from the Netscaler. Are you sure the prompt isn't from a Network Share Connector?

 

Do you have xenmobile authenticating through your netscaler for all of your mobile devices (Secure Mail / Secure hub) ?

 

Also are you using Xenmobile as the IDP or ?

Posted
14 hours ago, Christopher Sinclair1709160892 said:

Do you have xenmobile authenticating through your netscaler for all of your mobile devices (Secure Mail / Secure hub) ?

 

Yes, for the Secure Apps, they authenticate to the Netscaler Gateway, which then that user is SSO'd to whatever site is behind it using NTLM or Kerberos.

 

14 hours ago, Christopher Sinclair1709160892 said:

Also are you using Xenmobile as the IDP or ?

 

For the ShareFile mobile app, it's sort of confusing as I can't find the documentation we used to set this up four years ago:

  1.  Our IdP is only accessible internally (for ShareFile)
  2. When logging in via browser, while on the internal network via Wi-Fi or VPN, the user is redirected to our internal IdP to complete SAML. This means Employees cannot access ShareFile off-network.
  3. When logging in via mobile using the Citrix Files for XenMobile app, the user is tunneled through the Netscaler to get to our internal IdP and complete SAML. However...
  4. To get this to work we took the SSL cert from our internal IdP and loaded it into the XenMobile Certificates as a SAML cert. This way we could use XenMobile ShareFile Enterprise mode to provide user rights and user provisioning, but the app would use the same SAML Login URL as any other ShareFile service. This is why I mentioned above that after we set up ShareFile in the XenMobile web console, we go into the ShareFile admin portal and change the Login URL from https://mdm.company.com to https://idp.company.com.

Sorry if this is confusing, it was years ago and I was only part of the team that configured it. What I can say is that we never receive login prompts for any ShareFile app, including from web, mobile, mobile network share connectors, or the Outlook Plug-in.

Posted
1 hour ago, Christopher Sinclair1709160892 said:

I see - makes sense. Unfortunately we are planning to use ShareFile to send and receive files externally often with outside people (non-employees) so that might not work for us. Interesting setup though - I wonder if we could do something similar but with the netscaler tunneling for web traffic as well.

 

Well we do still allow external access for Client users, just not Employee access from outside the network. 

Posted
3 hours ago, Ryan Tsamouris said:

 

Well we do still allow external access for Client users, just not Employee access from outside the network. 

 

Okay so you're saying you are using the Netscaler as your IDP within Sharefile - you gave it (Xenmobile) admin access to modify its settings (Sharefile) then went back and changed the logon URL to your netscaler VIP? Or what is your internal IDP?

 

Also if you wouldn't mind sharing what you have setup internally on your netscaler (any specific information removed of course) that would be awesome!

Posted

So for Employees, ShareFile SAML is set up with our internal third-party IdP (not using Netscaler as the IdP). In XenMobile, we enabled ShareFile Enterprise mode, but then changed the Login URL in the ShareFile Admin portal so that the mobile app would use the same internal IdP through the Gateway (over cvpn like Secure Mail/Web). This only works after you add your IdP's SSL certificate as the SAML cert in XenMobile (Settings > Certificates), as the X.509 certificate in ShareFile has to match what you have in XenMobile:

 

[screenshot: XenMobile Settings > Certificates, SAML cert]

 

[screenshot: ShareFile admin SAML settings, X.509 certificate and Login URL]

Archived

This topic is now archived and is closed to further replies.
