User Authentication

This topic describes the options you have for configuring and managing user authentication. To access these settings, select Settings, go to the Security Policies section, and select any of the options associated with User Authentication.

Lockouts

Setting up a username lockout policy will allow this site to lock out usernames against which several bad password tries have been made. (This prevents someone from guessing the password of a valid username.) Once User Lockouts have been enabled and configured, a user who attempts to sign on with an incorrect password will be locked out following a specific number of failed attempts in a certain amount of time. Lockouts can also be set to expire after a configurable amount of time has elapsed.

Auth Method (Authentication Method)

MOVEit supports the following authentication methods:

• MOVEit DMZ - The built-in table of usernames and passwords.
• EXTERNAL Then MOVEit - Use the configured external authentication sources first. If the user fails to authenticate to these sources, fall back on the built-in table of usernames and passwords.
• EXTERNAL Only - Use only the configured external authentication sources.

Note: The Change password on next signon checks will not be enforced in any mode other than MOVEit DMZ.

Authentication Sources

When the organization's Auth Method is set to EXTERNAL Then MOVEit, or EXTERNAL Only, the Authentication Source list becomes available. Here, an administrator may add, edit, remove, and change the priority of the external authentication sources configured for this organization. When a user signs on to the organization for the first time, each active authentication source will be tried, in the order they are listed here. If a user successfully authenticates to one of the sources, that source is recorded in the user's profile, so that they will be immediately authenticated against it the next time they sign on (see the Authentication Source Affinity section of the User Profile page for more details).

The up and down arrows in the Actions column allow you to change the order in which the authentication sources are queried.

For more information about adding and configuring external authentication sources, see the External Authentication documentation in this section.

Multi Signons (Multiple Signons)

This section lets an administrator edit the default Deny Multiple Signons setting for the organization. New users will be created with the default setting, and when changed, an option is provided to set all current users with the new setting value.

• Allowed: Users will be allowed to sign on to the MOVEit DMZ server multiple times using the same interface (web, FTP, SSH, etc.) from different IP addresses. For example, a user will be allowed to sign on to the web interface from two different machines.
• Prohibited: Users will not be allowed to sign on to the MOVEit DMZ server multiple times using the same interface (web, FTP, SSH, etc.) from different IP addresses. For example, a user WILL be allowed to sign on to the web interface from one machine, and the FTP interface from another, but will NOT be allowed to sign on to the web interface from two different machines. If there are no existing sessions using the same interface from different IP addresses, the user will be allowed to sign on, and additionally any existing sessions using the same interface from the same IP address will be forcibly terminated.

Expiration

This section is where administrators may list, add, edit, delete, and assign Expiration Policies. These policies govern how accounts that are assigned the policy will be considered expired and removed from the system. For more information about creating and assigning expiration policies, see the Expiration Policies Feature Focus page.

Single Signon

The Single Signon feature allows MOVEit Server to authenticate a user without requiring sign on, provided that user is already signed on to a third-party user directory (like Microsoft Active Directory) using their network or corporate account. This section is where administrators can set up MOVEit as a service provider and configure one or more identity providers. For information on configuring Single Signon, see the User Authentication - Single Signon page. For information on general requirements, supported functionality, and how to deploy single signon to users, see the Single Signon Feature Focus page.