Security Assertion Markup Language (SAML) 2.0 provides a mechanism for exchanging authentication data among secure web domains. SAML 2.0 is an XML-based protocol and an OASIS standard. For more information about SAML, refer to SAML Overview from OASIS.
The SAML Single Signon service allows your users to connect to MOVEit Server using a third-party Identity Provider to authenticate. Thus, a user who is signed on using their network or corporate account can access MOVEit without needing to enter credentials again.
This topic covers:
Third-party requirements for Single Signon
Through support of SAML 2.0 functionality, MOVEit can use a third-party "identity provider" to authenticate users. An identity provider is an application that provides identity assertions via SAML, in response to authentication requests from a service provider. MOVEit acts as the service provider, also known as the "SAML consumer."
MOVEit supports authentication from the following as the Identity Provider:
Authentication with these Identity Providers has been tested and is supported by Ipswitch. Other servers that support the SAML 2.0 protocol should also work with MOVEit.
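As an added illustration (not MOVEit or Ipswitch code), these are the checks a SAML consumer such as MOVEit applies to an Identity Provider's Response before trusting the assertion: Destination, InResponseTo, validity window, Audience and bearer Recipient. The entity ID, ACS URL and sample Response are constructed, and XML signature verification is assumed to have been done separately by the SAML library.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical service-provider settings for a MOVEit-style SAML consumer.
SP_ENTITY_ID = "https://moveit.example.com/saml"
SP_ACS_URL = "https://moveit.example.com/saml/acs"
CLOCK_SKEW = dt.timedelta(minutes=2)  # tolerance for IdP/SP clock drift

# Constructed sample IdP Response (unsigned; XML signature verification is
# assumed to have been done by the SAML library before these checks run).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42"
 Destination="https://moveit.example.com/saml/acs">
 <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>jdoe@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData InResponseTo="_req42" NotOnOrAfter="2024-01-01T12:05:00Z"
    Recipient="https://moveit.example.com/saml/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://moveit.example.com/saml</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:05:00Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def validate_response(xml_text, expected_request_id, now):
    """Return the asserted NameID if every SP-side check passes; raise ValueError otherwise."""
    resp = ET.fromstring(xml_text)
    # The Response must be addressed to our ACS and answer a request we actually sent.
    if resp.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination does not match our ACS URL")
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    assertion = resp.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("missing Assertion or Conditions")
    # Validity window, with a small allowance for clock skew.
    if now < _ts(cond.get("NotBefore")) - CLOCK_SKEW or now >= _ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("assertion is outside its validity window")
    # The assertion must name this SP as its audience, otherwise it was issued for another service.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not intended for this service provider")
    # Bearer confirmation must bind the assertion to our ACS URL and to the same request.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("bearer confirmation does not bind to this SP and request")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

A Response that fails any of these checks must be rejected even when its signature is valid, because the signature only proves who issued it, not that it was meant for this service provider or this login attempt.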
Single Signon for the MOVEit Server web interface
When Single Signon is configured for the MOVEit web interface, a user session works like this:
To set up Single Signon for users signing on to MOVEit DMZ web interface, you need to do the following:
Note: If you are using Active Directory as your user store (configured in User Authentication as External Only), then you can use that same user store with the Identity Provider. You will need to install and configure ADFS so that Active Directory can act as the Identity Provider.
Single Signon for the Ipswitch Clients
When Single Signon is configured for the Outlook plug-in and MOVEit Sync clients, a user session works like this:
To set up Single Signon for users signing on to MOVEit DMZ from the Outlook plug-in and MOVEit Sync clients, you need to use ADFS as the Identity Provider. Both clients can use MOVEit DMZ's Single Signon services to sign on using a Windows domain account. Currently, only ADFS supports using Windows Authentication.
Assuming the Service Provider and Identity Provider settings are configured (see "Single Signon for MOVEit web interface"), Outlook plug-in and MOVEit Sync users can complete the configuration as described in the following procedure.
If MOVEit is configured for Single Signon through an Identity Provider using the same Domain Controller that your users use to perform Windows Authentication, it is possible to configure the Outlook plug-in and MOVEit Sync clients to automatically sign those users on without requiring credentials. To achieve this, follow these steps:
Note: This procedure must be run on the end user computer.
Note: If the client was installed using silent install with the Windows Authentication and Organization ID properties already set, then the user will not need to sign on. The user will be signed on when they log into their Windows account.
Note: The Ipswitch clients can also be configured to use WS-Trust authentication, which can allow users to sign on using Windows Authentication when ADFS is not available, for example, if the user signs on from a home network. For information about setting up WS-Trust Authentication, see the "Single Signon for FTP and SSH Clients" section.
Single Signon for FTP and SSH clients
WS-Trust authentication allows MOVEit to directly authenticate users using the same identity provider that is used for single signon with SAML. We recommend configuring a WS-Trust authentication source in addition to SAML Single Signon services for customers who want to provide FTP and SSH access to MOVEit using the same credentials the user uses to authenticate to their Identity Provider.
Currently, only the ADFS Identity Provider supports WS-Trust.
If you have a requirement to use WS-Trust, you can do so by setting up the following components:
Note: If you have already configured the Service Provider settings and added ADFS as the Identity Provider, you do not need to complete this setup again.
Instructions for End Users
After you have configured the Single Signon components, you need to provide the following information to your end users.
How Session Termination and Timeouts are Handled
Note: If you use the ADFS Identity Provider and want to avoid silent re-authentication by the browser, you can configure HTML form-based sign on. For more information, see the procedure below.
Depending on how the Identity Provider is configured, many browsers will silently re-authenticate the user when they initiate the next session, which may be the desired behavior. However, if you want users to have to re-enter their password after doing a full SAML sign off, you can configure HTML Form-based signon. This procedure describes how to configure form-based signon for ADFS.
If MOVEit is configured for Single Signon through an Identity Provider using the same Domain Controller that your users use to perform Windows Authentication, it is possible to configure Internet Explorer to automatically sign those users on without requiring credentials. To achieve this, follow these steps:
Note: This procedure must be run on the end user computer.
You should automatically sign on to MOVEit using your Windows account without being prompted for credentials.