Single Sign On SSO Google

  • Question
  • Updated 7 months ago
Can I integrate the SSO feature with Gmail account?
Heart Transformation

Posted 3 years ago

Keith Lindsay

As far as I know, Gmail is a service provider and so is ShareFile; you need to have an identity provider in order to use SAML SSO with our product.
Michael

GSuite (business/enterprise edition) is an IDP, but based on the conversations I've seen there is some confusion over how to enter the ACS. We are waiting for Citrix to provide further feedback on exactly how to set this up.
Heart_Crafter

Was this ever resolved?
So far, I am getting "Invalid single-sign-on request (user not valid for this provider)." when I try Google SAML/SSO.
Chris Anderson, Product Manager

Hi Michael and Heart_Crafter,

I am currently working on setting up Google Suite as an IdP for ShareFile. Once I am finished, I will create a how-to guide and post it under 'Additional Configurations' on the following support article: https://support.citrix.com/article/CTX208557

Currently I have it working if I start from Google, by clicking on my SAML Custom App (ShareFile). However, getting it to work while starting from my ShareFile login page is still a work in progress. I hope to have this working soon, at which point I will work on creating the how-to guide.
Michael

The issue is getting Google to provide the Immutable ID when ShareFile pings it, and that is where I ran into an issue. I ended up using a third-party solution called CloudPages, which was the work-around.
Michael

One new comment: GSuite doesn't allow web-view applications to authenticate using SSO. So the ShareFile App for iPhone/iPad will not work, as Google requires authentication in a browser and not within the app itself.
Brent

Is there any update on this or the G Suite SSO how-to article?
Michael

Google just put this out in their update yesterday. I can get it to work with IdP-initiated requests, but if I try to initiate through ShareFile I get an invalid user error. Here is the link to G Suite's how-to, but like I said I don't think it's been fully debugged: https://support.google.com/a/answer/7671292?hl=en&ref_topic=6304952
Michael

We debugged this with Google's tech support. The entity ID in GSuite needs to be https://YOURSUBDOMAIN.sharefile.com/saml/acs?idpentityid=https://accounts.google.com/o/saml2?idpid=YOURID

The ACS URL for both ShareFile and GSuite should be https://YOURSUBDOMAIN.sharefile.com/saml/info

SP-Initiated Auth Context should be "unspecified"

In GSuite, leave signed response unchecked, and Name ID should be "Basic Information" and Primary Email, with the format being "Email".

This should now work. It would be great if Citrix would test out this setting and post the how-to, but it is working for us!
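One way to compare a captured response against the settings listed in the post above, as an added example that is not part of the original thread or either vendor's tooling. It assumes the base64 `SAMLResponse` form field has been copied from the browser's network tab during a test login; the function names and sample response are constructed for illustration, and the URLs are the placeholders from the post.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholder values exactly as given in the post above.
ACS_URL = "https://YOURSUBDOMAIN.sharefile.com/saml/info"
ENTITY_ID = ("https://YOURSUBDOMAIN.sharefile.com/saml/acs?idpentityid="
             "https://accounts.google.com/o/saml2?idpid=YOURID")

def check_saml_response(b64_response, acs_url=ACS_URL, entity_id=ENTITY_ID):
    """List mismatches between a captured SAMLResponse and the expected settings.
    Debug aid for your own traffic: no signature or timestamp validation."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    if root.findtext(".//a:Audience", namespaces=NS) != entity_id:
        problems.append("Audience does not match the entity ID")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None:
        problems.append("assertion has no NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID Format is not emailAddress")
        if "@" not in (name_id.text or ""):
            problems.append("NameID value is not an e-mail address")
    return problems

def build_sample(name_id, fmt=EMAIL_FORMAT, audience=ENTITY_ID):
    """Constructed, unsigned response for demonstration only."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'Destination="{ACS_URL}"><saml:Assertion>'
        f'<saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
        '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(build_sample("user@example.com")))
    print(check_saml_response(build_sample(
        "1234567890", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")))
```
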
Mike Edwards

Man, this is frustrating. I tried your fixes but am still getting 403s. How are you testing the idp requests?
Michael

The 403 error likely means that GSuite hasn't propagated the changes in the account yet. I would get 403 errors for up to 24 hours after I made a change on the GSuite end. The change on the ShareFile side is pretty much instantaneous.