The primary configuration element for MOVEit DMZ's External Authentication feature is the Authentication Source. These sources define the type of server (LDAP, RADIUS, or WS-Trust) being used for authentication, the settings for accessing that server, and the settings for dealing with users who successfully authenticate to the server. Each Authentication Source is listed on the Auth Method page of the User Policy settings section in the order they will be checked if presented with new credentials. Links are provided for editing and deleting existing sources and changing their priorities, as well as for adding new sources.
To add an authentication source, go to the Settings page, then in the Security Policies section, under User Auth, select Auth Method.
Clicking Add Authentication Source will bring up the Add Authentication Source page. Here, a new authentication source can be created, and its basic settings defined.
The basic settings for each new authentication source are:
Source Name - The "friendly" name which will identify this source. The name will be listed in the authentication source list, as well as each user's source affinity selection page.
Source Type - Identifies the type of authentication server this source will be defining. The following authentication source types are available:
LDAP (Lookup + Authentication) - Incoming usernames and passwords will be tried against a remote LDAP server. If authentication is successful, a new user may be created on the fly as a clone of an existing template user. In this mode, user attributes such as email address and group memberships are also carried over from the LDAP server.
LDAP (Authentication Only) - Incoming usernames and passwords will be tried against a remote LDAP server. If authentication is successful, a new user may be created on the fly as a clone of an existing template user.
RADIUS (Authentication Only) - Incoming usernames and passwords will be tried against a remote RADIUS server. If authentication is successful, a new user may be created on the fly as a clone of an existing template user.
WS-Trust (Authentication Only) - Incoming usernames and passwords will be tried against a remote WS-Trust server. If authentication is successful, a new user may be created on the fly as a clone of an existing template user.
LDAP Server Type (LDAP Only) - Identifies the type of LDAP server this authentication source will be querying. Based on this value, default settings will be prefilled in several fields for the newly created authentication source, and configuration hints appropriate to the server type will be displayed. Available server types are Microsoft Active Directory, Sun iPlanet, Novell eDirectory, and IBM Domino. Selecting Other will cause no default settings or configuration hints to be shown.
WS-Trust Identity Provider (WS-Trust Only) - Identifies the WS-Trust server this authentication source will be querying. In SAML terminology, the server is called an Identity Provider. You may have already set up an Identity Provider for the Single Signon feature. The Add New Federated Identity Provider link opens the page where you can configure a new identity provider. For information about adding an identity provider, see the User Authentication - Single Signon topic.
Note: If you have set up the Single Signon feature, you will want to use the same identity provider that you use for browser-based single signon. This allows users to use the same credentials both for single signon through the browser (web interface) and for username/password authentication through FTP and SSH clients.
Priority - Determines where in the current authentication source list this new source should be placed. Select Highest to make this new source the first source on the list. Select Lowest to make this new source the last source on the list. Select Middle to place this new source in the middle of the list.
Once the new authentication source is added, a link will be provided at the top of the page, allowing the administrator to go directly to the settings page for the new source.
Editing an Authentication Source
An authentication source can be configured by clicking the Edit link for it in the authentication source list. Basic settings for the authentication source can be changed in the Edit Authentication Source Settings section, which is common to all authentication source types. Other settings appear based on the type of the source.
Common Settings
The Edit Authentication Source Settings section is common to all authentication source types. Here, the friendly name of the source can be changed, along with the Enabled status.
Enabled - Select the Yes option to make the authentication source immediately available for use as soon as it is added. Otherwise, select the No option to add the source to the list as temporarily disabled, so you can fine-tune the source settings before making it available.
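As an added illustration (not MOVEit DMZ's own code), the following Python model shows how the Auth Method list described above behaves: sources are tried in priority order, a source whose Enabled setting is No is skipped, the first source that accepts the credentials wins, and a user created on the fly is cloned from the template user, with email and group memberships taken from LDAP only for the Lookup + Authentication type. The source names, accounts and template values are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class AuthSource:
    """One entry in the Auth Method list (constructed model, not the product's own code)."""
    name: str
    source_type: str        # e.g. "LDAP (Lookup + Authentication)" or "RADIUS (Authentication Only)"
    enabled: bool
    accounts: dict          # stand-in for the remote server: username -> (password, attributes)
    template_user: dict     # the template user cloned when a user is created on the fly

def add_source(sources, new, priority):
    """Insert 'new' according to the Priority setting: Highest, Middle or Lowest."""
    positions = {"Highest": 0, "Middle": len(sources) // 2, "Lowest": len(sources)}
    sources.insert(positions[priority], new)   # KeyError for an unknown priority value
    return sources

def authenticate(sources, username, password, local_users):
    """Try each enabled source in list order; return (source name, user) or None."""
    for src in sources:
        if not src.enabled:
            continue                      # temporarily disabled sources are skipped
        entry = src.accounts.get(username)
        if entry is None or entry[0] != password:
            continue                      # rejected here: fall through to the next source
        if username not in local_users:   # first successful login: clone the template user
            user = dict(src.template_user, username=username, source=src.name)
            if src.source_type == "LDAP (Lookup + Authentication)":
                user.update(entry[1])     # email and groups come from LDAP, not the template
            local_users[username] = user
        return src.name, local_users[username]
    return None                           # every enabled source rejected the credentials

def build_example_sources():
    """Constructed sample: a disabled AD source, an LDAP lookup source and a RADIUS fallback."""
    ad = AuthSource("Corp AD (disabled)", "LDAP (Authentication Only)", False,
                    {"alice": ("ad-pw", {})}, {"groups": ["Staff"], "email": ""})
    ldap = AuthSource("Corp LDAP", "LDAP (Lookup + Authentication)", True,
                      {"alice": ("ldap-pw", {"email": "alice@example.com", "groups": ["Finance"]})},
                      {"groups": ["Staff"], "email": ""})
    radius = AuthSource("Token RADIUS", "RADIUS (Authentication Only)", True,
                        {"bob": ("otp-123", {})}, {"groups": ["Contractors"], "email": ""})
    sources = add_source([], ldap, "Highest")
    add_source(sources, radius, "Lowest")
    return add_source(sources, ad, "Highest")   # ad is now first in the list, but disabled

if __name__ == "__main__":
    users = {}
    print(authenticate(build_example_sources(), "alice", "ldap-pw", users))
```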
Specific Settings
Specific settings for each of the various types of external authentication sources can be found in their own documents in this section.