Web Interface - Settings - System - User Authentication

SiteMinder

This section allows sysadmins to enable single-signon integration with CA's eTrust SiteMinder authentication product.

settings_siteminder.png (16246 bytes)

Enabling the option causes MOVEit DMZ to begin watching for the SiteMinder-specific HTTP headers that indicate a user has already been authenticated by a SiteMinder Policy Server acting through a SiteMinder Web Agent. When such headers are present, MOVEit DMZ will automatically log the user on, without having to prompt the user for authentication credentials again. This allows DMZ to achieve true single-signon integration when operating in a SiteMinder environment.

To add an additional measure of security to MOVEit DMZ's communication with SiteMinder, a special shared secret will be automatically generated whenever this setting is enabled. In order for DMZ to trust the HTTP headers injected into the request by the SiteMinder Web Agent, a special header with the name "HTTP_SM_MOVEITDMZ_SHAREDSECRET" must be included with a value of this shared secret. Such a header can be configured as part of a Response object in SiteMinder. See the SiteMinder Integration page in the Advanced Topics section for more information about configuring a Response object.

Unique Usernames

The sysadmin can set whether a username can be used in one MOVEit DMZ organization only, or whether it can be used in multiple organizations.

settings_uniqueusernames.png (9696 bytes)

The default setting ('Across multiple organizations'), means that the username is not allowed to be used in any other organization on the system.
The setting 'Within individual organizations' means that a username used by a user in one MOVEit DMZ organization is unique to that organization and thus can also be used in other organizations. Note that though the usernames can be used across organizations, user accounts cannot. The user will need a user account on each organization.
Note that if you are using MOVEit Central, or scripts, to access MOVEit DMZ, this setting can affect the ability of existing MOVEit Central accounts and scripts to authenticate to MOVEit DMZ.

When a username is used in multiple organizations, authenticating the username becomes a bit more complicated. Normally, the appropriate organization will be automatically determined by checking cookies or matching host names, but in some cases it may require users to provide an organization name. To authenticate, the organization must be identified. This can be done by:
- Setting up the hostname to match with the organization's base URL.
- Providing the Org ID in the query string.
- The user specifying which organization they want to log into (in the username field on the signon page). The necessary syntax is Org name, short name, or Org ID followed by a backslash ("\") and then the username. For example, 'testorg\fred', rather than just 'fred'. This syntax should be communicated to all users who are members of multiple organizations because the username may become non-unique at any time (ie when the same username is added to another org).