When ShareFile single sign-on fails, you will usually need to capture the SAML token that the Identity Provider (IdP) posts to the ShareFile hosted application tier in order to troubleshoot it. The easiest way to capture a SAML token is with Google Chrome. Below I will outline the steps to capture and analyze the ShareFile SAML token.
Start by opening the Developer Tools in your Chrome session (F12, or Ctrl+Shift+I on Windows and Cmd+Option+I on a Mac).
Select the Network tab and check the box for Preserve Log, so that the requests are not cleared by the redirects between ShareFile and the IdP.
Now test SSO by browsing to https://subdomain.sharefile.com/saml/login (substitute your own ShareFile subdomain). I'm authenticating to NetScaler / App Controller in this example.
After the SSO fails you should end up back at the ShareFile login page. If instead you receive an error from the NetScaler logon page, from XenMobile Server, or from your ADFS/Ping/other IdP, capturing the SAML token won't help you: the flow is failing before a token is ever sent to ShareFile, so troubleshoot the IdP side first.
Look through the captured traffic in Developer Tools and find the POST to the acs path (the Assertion Consumer Service endpoint, where the IdP returns the signed response to ShareFile).
Select that request, open the Headers tab and find SAMLResponse under Form Data (newer Chrome versions show it on the Payload tab instead). Copy the content of the SAMLResponse to your clipboard.
Using your web browser, go to https://www.samltool.com/decode.php, paste the SAMLResponse you captured into the Deflated and Encoded XML box and press Decode and Inflate XML. If the inflate step fails, decode it as plain Base64: a SAMLResponse sent with the HTTP-POST binding is Base64-encoded but not deflated. Bear in mind that the token contains the user's identity, the IdP's signing certificate and any attributes released, so pasting a production token into a third-party site discloses that data; decoding it locally is the safer option.
Common issues:
- The x509 certificate embedded in the SAML token (the IdP's signing certificate) doesn't match the x509 certificate configured on the ShareFile account (Admin > Configure Single Sign-on > x509 Certificate). This is the first thing to check after a certificate rollover on the IdP.
- The email address in the NameID field doesn't exist as a ShareFile user: <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">dan.brinkmann@citrix.com</saml2:NameID> This field might be empty if the user account in Active Directory is missing the email address (mail) attribute.
- XenMobile Server or your IdP is not synced to an NTP server and its clock is off. Check the AuthnInstant time in the SAML token against the current time. Also look at the Conditions element, which specifies NotBefore and NotOnOrAfter times; an assertion presented outside that window is rejected.
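If you would rather not paste a production token into a third-party site, the decode step and the three checks in the list above can be done locally. The script below is an added example, not code from the original post or from Citrix: it turns a copied SAMLResponse value back into XML (Base64 only for the HTTP-POST binding the acs path receives, raw DEFLATE plus Base64 for the HTTP-Redirect binding), pulls out the NameID, AuthnInstant, the Conditions window and the embedded X509Certificate, and reports a finding for each of the common issues. The response it parses is constructed inline; the hostnames, the user jdoe@example.com, the /saml/acs destination path and the certificate text are placeholders, and no XML signature is verified.

```python
"""Decode a captured SAMLResponse and run the three checks from the list above
(certificate mismatch, empty or non-email NameID, clock skew).
Added example, not code from the original post or from Citrix. The response
below is constructed: hostnames, the user, the /saml/acs destination and the
certificate text are placeholders, and no XML signature is verified."""
import base64
import re
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the text under Admin > Configure Single Sign-on >
# x509 Certificate; not a real certificate.
CONFIGURED_CERT = "MIICconstructedPlaceholderCertIDAQAB"

# Constructed response; the Signature element keeps only the KeyInfo that
# carries the IdP certificate, which is the part the checks below look at.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml2="{NS['saml2']}"
    ID="_r1" Version="2.0" IssueInstant="2015-03-10T14:05:00Z"
    Destination="https://subdomain.sharefile.com/saml/acs">
  <saml2:Issuer>https://idp.example.com/saml</saml2:Issuer>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2015-03-10T14:05:00Z">
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CONFIGURED_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotBefore="2015-03-10T14:00:00Z" NotOnOrAfter="2015-03-10T14:10:00Z"/>
    <saml2:AuthnStatement AuthnInstant="2015-03-10T14:05:00Z"/>
  </saml2:Assertion>
</samlp:Response>"""

def to_post_binding(xml_text):
    """HTTP-POST binding, what the ACS receives in the SAMLResponse form field: Base64 only."""
    return base64.b64encode(xml_text.encode()).decode()

def to_redirect_binding(xml_text):
    """HTTP-Redirect binding (query string): raw DEFLATE, then Base64."""
    z = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(z.compress(xml_text.encode()) + z.flush()).decode()

def decode_saml_response(field):
    """Turn a copied SAMLResponse value back into XML, whichever binding produced it."""
    if "%" in field:                       # copied from a raw, still URL-encoded body
        field = unquote(field)
    raw = base64.b64decode(field)
    if raw.lstrip().startswith(b"<"):      # POST binding: the decoded bytes are already XML
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")   # Redirect binding: inflate first

def parse_saml_time(value):
    """xs:dateTime in UTC such as 2015-03-10T14:05:00.123Z; fractional seconds are dropped."""
    return datetime.fromisoformat(re.sub(r"\.\d+", "", value).replace("Z", "+00:00"))

def normalize_cert(text):
    """Drop PEM armour and whitespace so both sides compare as one Base64 string."""
    return "".join(tok for tok in text.split() if "-----" not in tok)

def parse_token(xml_text):
    """Pull out the fields the post says to look at after decoding."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    conditions = root.find(".//saml2:Conditions", NS)
    authn = root.find(".//saml2:AuthnStatement", NS)
    cert = root.find(".//ds:X509Certificate", NS)
    attr = lambda el, name: el.get(name) if el is not None else None
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "not_before": attr(conditions, "NotBefore"),
        "not_on_or_after": attr(conditions, "NotOnOrAfter"),
        "authn_instant": attr(authn, "AuthnInstant"),
        "x509": normalize_cert(cert.text) if cert is not None and cert.text else None,
    }

def check_token(token, configured_cert, now, skew=timedelta(minutes=5)):
    """One finding per mismatch; an empty list means the three usual suspects are clear."""
    findings = []
    if token["x509"] is None:
        findings.append("no X509Certificate in the token: the IdP did not embed its signing cert")
    elif token["x509"] != normalize_cert(configured_cert):
        findings.append("x509 certificate in the token does not match the one on the ShareFile account")
    if not token["name_id"]:
        findings.append("NameID is empty: the AD account is probably missing its email address")
    elif "@" not in token["name_id"]:
        findings.append(f"NameID {token['name_id']!r} is not an email address, so no ShareFile user matches")
    if token["not_before"] and now + skew < parse_saml_time(token["not_before"]):
        findings.append(f"token not valid yet (NotBefore={token['not_before']}): check NTP on the IdP")
    if token["not_on_or_after"] and now - skew >= parse_saml_time(token["not_on_or_after"]):
        findings.append(f"token expired (NotOnOrAfter={token['not_on_or_after']}): check NTP on the IdP")
    return findings

if __name__ == "__main__":
    token = parse_token(decode_saml_response(to_post_binding(SAMPLE_XML)))  # stands in for the copied field
    for key, value in token.items():
        print(f"{key:16} {value}")
    print(check_token(token, CONFIGURED_CERT, now=parse_saml_time(token["authn_instant"])))
    print(check_token(token, "MIIDsomeOtherCert", now=datetime.now(timezone.utc)))
```

To use it on a real capture, pass the value copied from the Form Data (or Payload) view to decode_saml_response() and the certificate text from Admin > Configure Single Sign-on > x509 Certificate as configured_cert. The five-minute skew is a deliberately loose default; a token that only passes because of it is still a sign that the IdP clock needs fixing.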
Hi,
We have XenMobile 10, ShareFile, NetScaler 10.5 55.8.
SSO works while using the ShareFile app.
However, when I go to the SAML login page, after signing in to the NetScaler, I am always redirected back to the login page.
I checked the SAML using your steps above and all looks well.
Suggestions?
All is not well then. Something is mismatched.
Hi Dan,
Great post on SAML troubleshooting. I just finished writing an extension for Chrome to make this a bit easier by skipping the decoding of the SAML message and doing it for you in a Developer Tools panel. It's in the Chrome Store as SAML Chrome Panel (https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace).
I hope it's of use and can save some more time!
Thanks,
Milton
https://rnd.feide.no/simplesaml/module.php/saml2debug/debug.php is invalid
Fixed, thanks for the heads up.
Thanks, mate. You just saved me a lot of debugging work 🙂