ShareFile single sign-on configuration guide for ADFS 3

Prerequisites to installation

To set up ShareFile to authenticate with Active Directory Federated Services, you need the following:

  • Windows Server 2012 R2
  • A publicly signed SSL Certificate from a CA. Self-signed and unsigned certificates are not accepted.
  • An FQDN for your ADFS server
  • Access to an administrator account within ShareFile with the ability to configure single sign-on.


To provision users from your Active Directory to ShareFile, reference the User Management Tool installation guide.

ADFS 3.0 (Role-based install)

  1. You cannot download Microsoft Active Directory Federated Services 3.0 separately. You must use a Windows 2012 R2 server for this version.

    adfs3 image 1

  2. Install the Role-based or featured based installation. Click Next.

    adfs3 image 2

  3. Select the server for the install and click Next. Then select Active Directory Federation Services. Click Next.

    adfs3 image 3

  4. Click Next through the Server Roles, AD FS and then to the Confirmation screen. Check the box for Restart, say Yes to the next screen, and click Install.

    adfs3 image 4

  5. Once ADFS is installed, you must complete a post deployment activity if this is the first AD FS server in Active Directory. Use your own configuration information for this step.

    adfs3 image 5

Setting up ADFS 3.0

  1. In the ADFS 3.0 management console, start the Configuration Wizard.
  2. When the wizard starts, select Create a new Federation Service and click Next.

    adfs3 image 6

    adfs3 image 7

  3. Since we use a Wildcard Certificate, we must determine a Federation Service Name. If you are not using a wildcard SSL cert, you might not have to do this step. Then click Next to continue.

    adfs3 image 8

  4. Click Next to configure.

    adfs3 image 9

  5. Confirm that all the configurations were finished without error and click Close and exit the wizard.

    adfs3 image 10

    adfs3 image 11

  6. Expand the Service node in the Management Console. Select the Token Signing certificate and click View Certificate in the right-hand column.

    adfs3 image 12

  7. In the Certificate window, select the Details tab and then click Copy to File.

    adfs3 image 13

  8. Click Next to continue.

    adfs3 image 14

  9. Select Base-64 encoded X.509 (.CER) as the export format for the certificate, then click Next.

    adfs3 image 15

  10. Save the certificate file and click Next.

    adfs3 image 16

  11. Click Finish to save the file.

    adfs3 image 17

  12. Browse to the folder where you exported the certificate and open it with Notepad.

    adfs3 image 18

  13. Select all the text inside the Notepad and copy.

    adfs3 image 19

  14. Open Internet Explorer and go to your ShareFile account (https://<yoursubdomain> Sign in with your administrator account. Navigate to Admin Settings > Security > Login & Security Policy. Find Single sign-on / SAML 2.0 Configuration.
    • Switch Enable SAML setting to Yes.
    • ShareFile Issuer / Entity ID: https://<subdomain>
    • Your IDP Issuer / Entity ID: https://<adfs>
    • X.509 Certificate: Paste the contents of exported certificate from previous section
    • Login URL: https://<adfs>

    adfs3 image 20

  15. In Optional Settings, change the following values.
    • Enable Web Authentication: Yes (Check marked)
    • SP-Initiated Auth Context: User Name and Password – Minimum

    adfs3 image 21

  16. Minimize Internet Explorer and return to the ADFS Management Console. Expand the Trust Relationships node and select Relying Party Trusts. Then click Add Relying Party Trust… from the right-hand side of the console. This launches the Add Relying Trust Wizard.

    adfs3 image 22

  17. Click Start to begin specifying a Relying Party Trust.

    adfs3 image 23

  18. Retrieving the metadata from the SAML site can configure the trust automatically for you. Use https://<yoursubdomain> as the federation metadata address (host name or URL). Click Next.

    adfs3 image 24

  19. Specify a Display Name. Typically you keep this as <yoursubdomain>, so you can identify the different trusts from each other.

    adfs3 image 25

    adfs3 image 26

  20. Permit all users to access this relying party. Click Next.

    adfs3 image 27

  21. Verify that the information is correct and click Next.

    adfs3 image 28

  22. Verify that the check box for Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is checked. Then click Close.

    adfs3 image 29

  23. On the Issuance Transform Rules tab, click Add Rule.

    adfs3 image 30

  24. The first rule is to Send LDAP Attributes as Claims.

    adfs3 image 31

  25. Users in the ShareFile are identified by their email address. We send the claim as a UPN. Give a descriptive Claim rule name, such as E-mail Address to E-mail Address. Select Active Directory as the attribute store. Finally, select E-Mail Address as the LDAP attribute and E-mail Address as the Outgoing Claim Type. Click Finish.

    adfs3 image 32

  26. Create a second rule. This rule is used to Transform an Incoming Claim. Click Next.

    adfs3 image 33

  27. The incoming claim type transforms the incoming email address to an outgoing Name ID claim type in the email format. Give a descriptive name, such as Named ID to E-Mail Address. The Incoming claim type is Email Address, the Outgoing claim type Name ID. The Outgoing name format is Email. Click Finish.

    adfs3 image 34

  28. Verify that the claims are correct, then click OK.

    adfs3 image 35

  29. Switch to any web browser and navigate to https://<yoursubdomain> You are redirected to your ADFS services. If your sign-in email is linked to a user on AD, then you are able to authenticate with your AD credentials.

    adfs3 image 36

ShareFile single sign-on configuration guide for ADFS 3