
SAML Integration Between NetScaler and ShareFile

This article describes the SAML integration between NetScaler (Identity Provider) and ShareFile (Service Provider). A user in the domain “example.com” single signs on to ShareFile after authenticating at NetScaler. NetScaler acts as the Identity Provider: it accepts the user's email ID and password and evaluates them against Windows Active Directory. After successful authentication, NetScaler creates a signed SAML assertion and posts it back to ShareFile. ShareFile consumes the SAML token and validates the signature and the digest of the token. After successful validation, it reads the Name Identifier in the assertion and matches it against the email ID configured in the user account. Once it matches, the user is single signed-on to the ShareFile portal.

Domain Name: example.com
User Mail ID: user1@example.com
NetScaler IDP URL: https://nsidp.example.com (resolves to the AAA/VPN vserver)
ShareFile URL: https://nseng.sharefile.com (resolves to the ShareFile URL)

1. NetScaler Configuration

NetScaler firmware version 10.5 build 52.8 is used in this article.

Refer to the following screen shots and configure SAML IDP Profile on NetScaler.

  1. Assertion Consumer Service URL: the ACS URL of ShareFile (https://nseng.sharefile.com/saml/acs in this setup).
  2. SP Certificate Name: ‘ShareFile’ is the CertKey created from the ShareFile signing certificate. NetScaler uses it to verify the signature on SP-initiated AuthnRequests.
    1. The ShareFile certificate is available in the “Configure Single Sign-On” section of the ShareFile admin settings.
    2. The same certificate can be downloaded from https://nseng.sharefile.com/saml/metadata. The metadata holds the certificate in base64; add the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines before uploading it to NetScaler, and compare it with the certificate shown in the ShareFile settings before trusting it.
  3. IDP Certificate Name: ‘nssp-cert’ is the CertKey created from the NetScaler signing certificate and its private key. For more information, refer to the Citrix documentation on creating a Certificate Signing Request.
  4. Issuer Name: ‘https://nsidp.example.com’, the FQDN of the NetScaler AAA vserver. ShareFile compares this value with its “IDP issuer” setting.
  5. Signature Algorithm: ‘RSA-SHA1’. ShareFile supports the SHA1 signing algorithm. SHA-1 is deprecated for digital signatures; if the service provider accepts RSA-SHA256, prefer it.
  6. Digest Method: ‘SHA1’.
  7. Audience: can be left empty or set to the ShareFile FQDN, https://nseng.sharefile.com. Setting it lets ShareFile reject assertions that were issued for a different service provider.
  8. Configure the SAML IDP policy.
  9. Bind the SAML IDP policy to the AAA virtual server.
  10. Create an LDAP policy and bind it to the AAA virtual server. Set “ldapLoginName” to mail: NetScaler then expects the user name in email format (‘user1@example.com’) and, when it generates the SAML assertion, sets the NameID in the same email format, which is what ShareFile matches against the user account. The LDAP policy below references the action created on the first line:

      add authentication ldapAction example-ldap -serverIP 1.1.1.1 -serverPort 636 -authTimeout 30 -ldapBase "cn=users,dc=example,dc=com" -ldapBindDn Administrator@example.com -ldapBindDnPassword password -ldapLoginName mail -groupAttrName memberOf -secType SSL -ssoNameAttribute userprincipalname -passwdChange ENABLED -followReferrals ON -defaultAuthenticationGroup smrtgrp2
      add authentication ldapPolicy smrtgrp1 "REQ.HTTP.URL NOTCONTAINS pingidp" example-ldap
      bind authentication vserver av1 -policy smrtgrp1

2. ShareFile Configuration

  1. ShareFile Issuer: set to the ShareFile URL (https://nseng.sharefile.com).
  2. IDP Issuer: the name of the NetScaler AAA virtual server, https://nsidp.example.com. It must be identical to the Issuer Name configured in the “samlidpprofile”.
  3. X.509 Certificate: the NetScaler signing certificate. It must be the same certificate as the IDP certificate in the “samlidpprofile”, because ShareFile uses it to verify the assertion signature.
  4. Login URL: https://nsidp.example.com/saml/login. NetScaler listens on /saml/login for SAML authentication requests.
  5. Logout URL: https://nsidp.example.com/cgi/tmlogout. NetScaler listens on /cgi/tmlogout for logout requests.
  6. Require SSO Login: enabled.
  7. SP-Initiated SSO Certificate: the ShareFile signing certificate (the same certificate uploaded to NetScaler as the SP certificate).
  8. Enable Web Authentication: enabled.
  9. SP-Initiated Auth Context: ‘unspecified’ or ‘UserName and Password’.

3. Successful SAML Response

After successful user authentication, NetScaler creates and posts a SAML Response to the ShareFile ACS URL that looks like the one below (digest, signature and certificate values are placeholders). The fields to check are the Issuer, the SignatureMethod and DigestMethod algorithms, the Reference URI (it must point at the Assertion ID), the NameID, the Recipient, the Audience and the NotBefore/NotOnOrAfter window.

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0e2d08d5cf39defdbe9dbf5e81ec991d" InResponseTo="_ad375abe5d8346d89918d92f4ac78397" IssueInstant="2014-09-02T18:32:48Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://nsidp.example.com</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"></saml2p:StatusCode>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0e2d08d5cf39defdbe9dbf5e81ec991" IssueInstant="2014-09-02T18:32:48Z" Version="2.0">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://nsidp.example.com</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
        <ds:Reference URI="#_0e2d08d5cf39defdbe9dbf5e81ec991">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
          <ds:DigestValue>Digest_Value</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>Signature_Value</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>---------------X509 Certificate----------------------</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">user1@example.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2014-09-02T18:37:48Z" Recipient="https://nseng.sharefile.com/saml/acs"></saml2:SubjectConfirmationData>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2014-09-02T18:27:48Z" NotOnOrAfter="2014-09-02T18:37:48Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://nseng.sharefile.com</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2014-09-02T18:32:48Z" SessionIndex="0bb7baaa9a69bdf56d0f19140df12c01">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
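The checks a service provider such as ShareFile has to apply to a Response like the one above, as an added Python example (this is not code from the Citrix article or from ShareFile). It works on a constructed copy of the response above with placeholder digest, signature and certificate values, a hypothetical SP configuration that mirrors section 2, a set of AuthnRequest IDs the SP is still waiting on, and a one-minute clock-skew allowance. Cryptographic verification of DigestValue and SignatureValue needs an XML-DSig library such as xmlsec and is left as a marked placeholder; everything else an SP must reject on (wrong status, unsolicited or replayed InResponseTo, wrong Issuer, unsigned assertion, disallowed algorithm, a signature Reference that does not cover the assertion, NameID/Recipient/Audience mismatch, expired window) is implemented.

```python
# Added example (not from the Citrix article): SP-side checks on the SAML
# Response above, i.e. what a consumer such as ShareFile must verify before
# trusting the NameID. DigestValue/SignatureValue verification needs an
# XML-DSig library (e.g. xmlsec) and is left as a marked placeholder.
import xml.etree.ElementTree as ET   # production code: parse with defusedxml
from datetime import datetime, timedelta, timezone

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed copy of the article's response; digest, signature and
# certificate values are placeholders and the AuthnStatement is omitted.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_0e2d08d5cf39defdbe9dbf5e81ec991d" InResponseTo="_ad375abe5d8346d89918d92f4ac78397"
  IssueInstant="2014-09-02T18:32:48Z" Version="2.0">
 <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://nsidp.example.com</saml2:Issuer>
 <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
 <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
   ID="_0e2d08d5cf39defdbe9dbf5e81ec991" IssueInstant="2014-09-02T18:32:48Z" Version="2.0">
  <saml2:Issuer>https://nsidp.example.com</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="#_0e2d08d5cf39defdbe9dbf5e81ec991">
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>Digest_Value</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>Signature_Value</ds:SignatureValue></ds:Signature>
  <saml2:Subject>
   <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">user1@example.com</saml2:NameID>
   <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData NotOnOrAfter="2014-09-02T18:37:48Z" Recipient="https://nseng.sharefile.com/saml/acs"/>
   </saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions NotBefore="2014-09-02T18:27:48Z" NotOnOrAfter="2014-09-02T18:37:48Z">
   <saml2:AudienceRestriction><saml2:Audience>https://nseng.sharefile.com</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
 </saml2:Assertion>
</saml2p:Response>"""

SP_CONFIG = {  # hypothetical SP settings mirroring section 2 of the article
    "idp_issuer": "https://nsidp.example.com",
    "acs_url": "https://nseng.sharefile.com/saml/acs",
    "audience": "https://nseng.sharefile.com",
    "allowed_sig": {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"},
    "clock_skew": timedelta(minutes=1)}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, cfg, now, outstanding_request_ids, account_email):
    """Return (True, 'ok') or (False, reason); checks run in SP evaluation order."""
    root = ET.fromstring(xml_text)
    code = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        return False, "status not Success"
    if root.get("InResponseTo") not in outstanding_request_ids:  # unsolicited or replayed
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    assertions = root.findall("saml2:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one Assertion"
    a = assertions[0]
    if a.findtext("saml2:Issuer", namespaces=NS) != cfg["idp_issuer"]:
        return False, "assertion Issuer mismatch"
    sig = a.find("ds:Signature", NS)
    if sig is None:
        return False, "assertion is unsigned"
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None or method.get("Algorithm") not in cfg["allowed_sig"]:
        return False, "signature method not allowed"
    # The signed Reference must point at this assertion's own ID; otherwise a
    # valid signature over another element could be wrapped around this one.
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        return False, "signature Reference does not cover the assertion"
    # PLACEHOLDER: verify DigestValue and SignatureValue with xmlsec here.
    name_id = a.findtext("saml2:Subject/saml2:NameID", namespaces=NS) or ""
    if name_id.strip().lower() != account_email.lower():
        return False, "NameID does not match the account email"
    scd = a.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["acs_url"]:
        return False, "Recipient is not this SP's ACS URL"
    cond = a.find("saml2:Conditions", NS)
    if cond is None:
        return False, "Conditions missing"
    skew = cfg["clock_skew"]
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")) - skew:
        return False, "assertion not yet valid"
    for limit in (cond.get("NotOnOrAfter"), scd.get("NotOnOrAfter")):
        if limit and now >= _ts(limit) + skew:
            return False, "assertion is stale"
    audiences = [e.text for e in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if cfg["audience"] not in audiences:
        return False, "Audience mismatch"
    return True, "ok"

SAMPLE_NOW = datetime(2014, 9, 2, 18, 33, 0, tzinfo=timezone.utc)  # 12 s after IssueInstant
SAMPLE_REQUEST_IDS = {"_ad375abe5d8346d89918d92f4ac78397"}

def run_checks():
    """Success case plus three failure modes an SP must reject."""
    return {
        "valid": validate_response(SAMPLE_RESPONSE, SP_CONFIG, SAMPLE_NOW, SAMPLE_REQUEST_IDS, "user1@example.com"),
        "wrong_user": validate_response(SAMPLE_RESPONSE, SP_CONFIG, SAMPLE_NOW, SAMPLE_REQUEST_IDS, "user2@example.com"),
        "stale": validate_response(SAMPLE_RESPONSE, SP_CONFIG, SAMPLE_NOW + timedelta(minutes=10), SAMPLE_REQUEST_IDS, "user1@example.com"),
        "replayed": validate_response(SAMPLE_RESPONSE, SP_CONFIG, SAMPLE_NOW, set(), "user1@example.com"),
    }
```

The Reference check matters even though the page never mentions it: an SP that verifies a signature but does not confirm that the signed Reference is the assertion it is about to trust is open to signature wrapping. The "stale" case is the five-minute window in the response above (NotOnOrAfter is exclusive, so the skew is added on the far side); the "replayed" case is an otherwise perfect response whose InResponseTo the SP is no longer waiting on.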

4. NetScaler Debug Logs

  1. User Authentication: AAATM LOGIN 1382 0 : Context user1@example.com@10.217.28.34 - SessionId: 3- User user1@example.com - Client_ip 10.217.28.34 - Nat_ip “Mapped Ip” - Vserver 10.217.22.223:443 - Browser_type “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR “ - Group(s) “N/A”
  2. SAML AuthnRequest Validation: for an SP-initiated login, NetScaler first verifies the digest and the signature on the AuthnRequest sent by ShareFile, using the SP certificate bound in the profile:

    • “SAMLIDP: AuthnReq: RelayState not found in input”
    • “SAMLIDP: ParseAuthnReq: signature method seen is RSA-SHA1”
    • “SAMLIDP: ParseAuthnReq: digest method seen is SHA1”
    • “SAML verify digest: digest algorithm 1, input for digest: <https://nseng.sharefile.com/saml/info>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</samlp:AuthnReq” (the logged input is the canonicalized AuthnRequest; truncated here)
    • “<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI="#_ab5079ce3dac46ae802ea9497d3c194d"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod><DigestValue>uc6TfWpg8yuqgvsvbE/WgfI6TXA=</DigestValue></Reference></SignedInfo>”
  3. If signature validation fails, NetScaler logs “Error while trying to verify the signature.” Signature validation fails when the signature method differs from the configured one or the signing certificate does not match the SP certificate bound in the profile.
  4. If digest validation fails, NetScaler logs “Error while trying to verify the digest.” Digest verification runs before signature verification, so a digest failure means the signed content was altered or canonicalized differently, not that the wrong certificate is in use.
  5. SAML Assertion Generation: after successfully evaluating the AuthnRequest and authenticating the user, NetScaler generates and signs the SAML Response: “SAML: SendAssertion, Signature element is >>>>>>>CyqlzmygKDSI52sroufFb+60JVM=cP9WVOzyPcJanF61ypEF8bi4T2J9+Va9HWnlU4mSJ3rUUyyAcTC9wrFcOfR7WjYfRpmCYpZbeARw/9RRIV3IaC4jywbJcYD+qjKETZpUw7yuHBqmrh39Gz3GI+/L1Uw
  6. NetScaler SAML Counters

saml_assertion_verify_success - Number of successful assertion verification. This many sessions should have been established.

saml_assertion_parse_fail - Number of times assertion parsing failed.

saml_assertion_stale - Number of stale assertions. These have passed verification, but are found stale.

saml_signature_verify_fail - Number of times signature verification failed after passing digest verification.

saml_canonicalize_fail - Number of times canonicalization (done at aaad) failed.

saml_digest_verify_fail - Number of times digest verification, the first step of verification, failed.

saml_malformed_data - Number of malformed assertions or responses from IDP.

saml_no_policy - Total number of times policy was not found during verification.

saml_parse_logout_fail - Total number of times logout request (from IDP) parsing failed.

saml_tot_sp_init_logout - Total number of SP initiated logout requests.

saml_tot_idp_init_logout - Total number of IDP initiated logout requests.

saml_large_session_index - Total number of times we have seen session index greater than 64 bytes.

saml_session_bcast_fail - Total number of times session broadcast failed.

saml_reject_unsigned_assertion - Total number of times unsigned assertions have been rejected.

saml_large_post - Post body size is more than what we look for.

saml_base64_decode_fail - Issue while trying to base64 decode SAML data.

saml_tot_dht_put_success - Total number of successful DHT puts.

saml_tot_dht_put_fail - Total number of unsuccessful DHT puts.

saml_tot_dht_get_success - Total number of successful DHT gets.

saml_tot_dht_get_notfound - Total number of times an entry was not found, including false positives.

saml_tot_dht_free - Total number of times DHT entries were freed.

saml_tot_dht_deserialize_fail - Total number of times DHT deserialization failed.

saml_tot_replay_detected - Total number of times replay is detected.
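A small triage script for the log lines quoted in this section, as an added Python example that is not part of the Citrix article. It parses AAATM LOGIN lines into user, client IP, session and vserver, records the signature and digest methods NetScaler reports for each AuthnRequest and flags SHA-1 so weak-algorithm SPs can be found from the logs, and tallies the two verification error messages. The sample lines are constructed in the shapes shown above (the RSA-SHA256 line is an assumed variant, not from the article), and the tally names signature_verify_fail and digest_verify_fail are chosen for this example; they are not NetScaler counters.

```python
# Added example (not from the Citrix article): classify the NetScaler AAA and
# SAMLIDP log lines quoted in section 4 and summarize them for triage.
import re
from collections import Counter

# Constructed sample lines, in the shapes quoted in the article; the
# RSA-SHA256 line is an assumed variant added to show the contrast.
SAMPLE_LOG = [
    "SAMLIDP: AuthnReq: RelayState not found in input",
    "SAMLIDP: ParseAuthnReq: signature method seen is RSA-SHA1",
    "SAMLIDP: ParseAuthnReq: digest method seen is SHA1",
    'AAATM LOGIN 1382 0 : Context user1@example.com@10.217.28.34 - SessionId: 3- '
    'User user1@example.com - Client_ip 10.217.28.34 - Nat_ip "Mapped Ip" - '
    'Vserver 10.217.22.223:443 - Browser_type "Mozilla/5.0" - Group(s) "N/A"',
    "SAMLIDP: ParseAuthnReq: signature method seen is RSA-SHA256",
    "Error while trying to verify the signature.",
    "Error while trying to verify the digest.",
]

LOGIN_RE = re.compile(
    r"AAATM LOGIN .*?SessionId: (?P<session>\d+)- User (?P<user>\S+) "
    r"- Client_ip (?P<client>\S+) .*?- Vserver (?P<vserver>\S+)")
ALG_RE = re.compile(r"ParseAuthnReq: (?P<kind>signature|digest) method seen is (?P<alg>\S+)")
ERROR_MAP = {  # hypothetical tally names chosen for this example
    "Error while trying to verify the signature": "signature_verify_fail",
    "Error while trying to verify the digest": "digest_verify_fail",
}
WEAK_ALG_MARKERS = ("SHA1",)  # SHA-1 is deprecated for signatures and digests


def classify(line):
    """Return (kind, fields) for one log line."""
    m = LOGIN_RE.search(line)
    if m:
        return "login", m.groupdict()
    m = ALG_RE.search(line)
    if m:
        return "algorithm", m.groupdict()
    for text, name in ERROR_MAP.items():
        if text in line:
            return "error", {"tally": name}
    if "RelayState not found" in line:
        return "info", {"note": "AuthnRequest carried no RelayState"}
    return "other", {}


def summarize(lines):
    """Aggregate logins, algorithms seen, weak algorithms and verification errors."""
    out = {"logins": [], "algorithms": Counter(), "weak_algorithms": [],
           "errors": Counter(), "notes": []}
    for line in lines:
        kind, data = classify(line)
        if kind == "login":
            out["logins"].append(data)
        elif kind == "algorithm":
            out["algorithms"][data["alg"]] += 1
            is_weak = any(w in data["alg"].upper() for w in WEAK_ALG_MARKERS)
            if is_weak and data["alg"] not in out["weak_algorithms"]:
                out["weak_algorithms"].append(data["alg"])
        elif kind == "error":
            out["errors"][data["tally"]] += 1
        elif kind == "info":
            out["notes"].append(data["note"])
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for login in s["logins"]:
        print(f"login: {login['user']} from {login['client']} on {login['vserver']} (session {login['session']})")
    print("algorithms:", dict(s["algorithms"]), "weak:", s["weak_algorithms"])
    print("errors:", dict(s["errors"]))
```

Run it over a real ns.log extract (for example the output of `grep -E 'AAATM LOGIN|SAMLIDP|verify the (signature|digest)'`) to see which clients logged in, whether any SP is still signing requests with SHA-1, and how many requests failed digest versus signature verification; a digest failure without a signature failure points at content or canonicalization changes rather than a certificate mismatch.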
