ShareFile Connectors Authentication and Single Sign-on


ShareFile Enterprise includes support for connecting to existing network drives and SharePoint document libraries from within the ShareFile app for iOS and Android. This article details the authentication events for ShareFile Connectors when deployed as part of a XenMobile solution.

Figure 1: Authentication events

There are five authentication events involved for ShareFile Connectors in a XenMobile deployment:


  1. Secure Hub authenticates to XenMobile.
  2. The ShareFile app authenticates to ShareFile.com.
  3. The ShareFile app authenticates to NetScaler in the DMZ when accessing Connectors.
  4. NetScaler authenticates to the ShareFile StorageZone Controller. HTTP Basic is the default method for this step; Kerberos authentication is also possible.
  5. The StorageZone Controller impersonates the domain user account and authenticates to the network share or SharePoint server on behalf of that user. Kerberos and NTLM are supported.

Single sign-on to ShareFile.com

When using MDX-wrapped apps with XenMobile, single sign-on from Secure Hub to ShareFile.com is achieved using SAML. The App Controller acts as the SAML Identity Provider (IdP) configured in the ShareFile account. When the app is launched, Secure Hub obtains a SAML token for the user from App Controller and passes it to the ShareFile MDX app along with information about the ShareFile sub-domain. Secure Mail for iOS uses the same technique to authenticate to ShareFile so that it can present the user with a list of files and folders when they select the Attach from ShareFile option.
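The SAML token handed to ShareFile.com in this flow is only as good as the checks the service provider applies to it. The following example, added here and not code from Citrix, XenMobile or ShareFile, shows the assertion-level checks a relying party must make: that the Issuer is the configured IdP, that the validity window has not passed, that the Audience names this SP, and that a NameID is present. The IdP and SP entity IDs are placeholders, the assertions are constructed test input, and the code assumes the XML signature has already been verified by a SAML library (for example python3-saml) before it runs.

```python
"""
Checks a SAML 2.0 assertion the relying party (the service provider) must make
before trusting it. Constructed example: the IdP and SP entity IDs below are
placeholders, not identifiers from any real XenMobile or ShareFile deployment.
Assumes the XML signature has already been verified by a SAML library such as
python3-saml; an unsigned assertion must never reach this code in production.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"            # SAML dateTime values are UTC

# Placeholder entity IDs (assumption, not taken from the page)
EXPECTED_ISSUER = "https://appcontroller.example.com/saml/idp"
EXPECTED_AUDIENCE = "https://example.sharefile.com/saml/sp"
CLOCK_SKEW = timedelta(seconds=60)         # tolerate small IdP/SP clock drift


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, expected_issuer=EXPECTED_ISSUER,
                       expected_audience=EXPECTED_AUDIENCE):
    """Return (accepted, reason, name_id); name_id is None unless accepted."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}", None
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        return False, "root element is not saml:Assertion", None

    # 1. The assertion must come from the IdP we configured, not just any IdP.
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != expected_issuer:
        return False, f"unexpected issuer {issuer!r}", None

    # 2. Validity window: reject replayed (expired) or not-yet-valid assertions.
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing Conditions validity window", None
    if now + CLOCK_SKEW < _parse_time(cond.get("NotBefore")):
        return False, "assertion not yet valid", None
    if now - CLOCK_SKEW >= _parse_time(cond.get("NotOnOrAfter")):
        return False, "assertion expired", None

    # 3. Audience: an assertion minted for another SP must not log the user in here.
    audiences = [a.text for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        return False, f"audience {audiences} does not include this SP", None

    # 4. The subject identity the SP will map to a ShareFile user.
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        return False, "missing Subject/NameID", None
    return True, "ok", name_id


def make_assertion(issuer, audience, not_before, not_on_or_after, name_id):
    """Build a minimal unsigned assertion as constructed test input."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}" Version="2.0" ID="_example">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before.strftime(TIME_FMT)}"
                   NotOnOrAfter="{not_on_or_after.strftime(TIME_FMT)}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def run_demo():
    """Validate one good and three bad assertions at a fixed clock; returns the outcomes."""
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    user = "alice@example.com"
    cases = {
        "valid": make_assertion(EXPECTED_ISSUER, EXPECTED_AUDIENCE,
                                now - timedelta(minutes=1), now + timedelta(minutes=5), user),
        "expired": make_assertion(EXPECTED_ISSUER, EXPECTED_AUDIENCE,
                                  now - timedelta(minutes=10), now - timedelta(minutes=5), user),
        "wrong_audience": make_assertion(EXPECTED_ISSUER, "https://other-sp.example.net/saml",
                                         now - timedelta(minutes=1), now + timedelta(minutes=5), user),
        "wrong_issuer": make_assertion("https://rogue-idp.example.net/saml", EXPECTED_AUDIENCE,
                                       now - timedelta(minutes=1), now + timedelta(minutes=5), user),
    }
    return {name: validate_assertion(xml, now) for name, xml in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason, name_id) in run_demo().items():
        print(f"{name:15s} accepted={ok} reason={reason} name_id={name_id}")
```

Only the "valid" case yields a NameID; the other three are rejected with a specific reason. The audience check is the one most often missing in home-grown SAML consumers, and it is the check that stops a token issued for a different service provider, or a different ShareFile sub-domain, from being replayed against this one.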

Separate Authentication Required for Connectors

The sign-on to ShareFile.com enables access to native ShareFile data if the data resides in a Citrix-managed StorageZone in the ShareFile cloud or in a customer-managed StorageZone, but it does not authenticate the user to any StorageZone Connectors that may be assigned to the user.

To access Connectors data sources like network drives and SharePoint document libraries, the user must also authenticate to the Active Directory domain in which the network shares or SharePoint servers reside. Steps 3 through 5 in Figure 1 represent this separate authentication flow.

XenMobile MicroVPN Settings

ShareFile MDX-enabled mobile applications can be configured to use the following Network access policies in XenMobile App Controller:

Network Access setting options

  • Blocked – In this mode of operation, which is the default setting for new applications, network access is not allowed and the ShareFile app cannot function. The network access setting must be changed to one of the following options.
  • Unrestricted – In this mode of operation, traffic from the ShareFile app is permitted to contact any host on the Internet. When communicating with the ShareFile.com control plane, traffic flows directly from the client to ShareFile.com, or directly to the external address of any StorageZone.
  • Tunneled to the internal network – In this mode of operation, all network traffic from the ShareFile app is intercepted by the Worx MDX framework and redirected through NetScaler Gateway using an app-specific MicroVPN.

    When the Network access setting is configured for Tunneled mode, the Initial VPN Mode setting becomes relevant to the connection.

Initial VPN Mode setting options

  • Full VPN Tunnel – In this mode of tunneling, traffic between the client and the destination is not modified in any way by NetScaler Gateway. This method is required for applications that perform end-to-end SSL connections using certificate-based authentication.
  • Secure browse – In this mode of tunneling, SSL/HTTP traffic from the MDX app is terminated by the MDX framework, which then initiates new connections to internal resources on the user's behalf.

Consider the following points as you design your XenMobile and ShareFile deployment:

  • Single sign-on to ShareFile.com is available for the ShareFile MDX-wrapped applications and Secure Mail, by configuring App Controller with ShareFile account details.
  • Authentication to ShareFile.com is not sufficient to authenticate users to domain-joined network shares and SharePoint document libraries.

Additional Resources

Configure ShareFile Single Sign-On with XenMobile

XenMobile ShareFile Mobile App SSO using SAML

Secure Mobile Data Access with Worx-enabled ShareFile

Related:

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software VPN SAML Authentication Bypass Vulnerability

A vulnerability in the implementation of Security Assertion Markup Language (SAML) 2.0 Single Sign-On (SSO) for Clientless SSL VPN (WebVPN) and AnyConnect Remote Access VPN in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to successfully establish a VPN session to an affected device.

The vulnerability is due to improper credential management when using NT LAN Manager (NTLM) or basic authentication. An attacker could exploit this vulnerability by opening a VPN session to an affected device after another VPN user has successfully authenticated to the affected device via SAML SSO. A successful exploit could allow the attacker to connect to secured networks behind the affected device.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asaftd-saml-vpn

Security Impact Rating: High

CVE: CVE-2019-1714
