SAML Single Signon Service

Security Assertion Markup Language (SAML) 2.0 provides a mechanism for exchanging authentication data among secure web domains. SAML 2.0 is an XML-based protocol and an OASIS standard. For more information about SAML, refer to SAML Overview from OASIS.

The SAML Single Signon service allows your users to connect to MOVEit Server using a third-party Identity Provider to authenticate. Thus, a user who is signed on using their network or corporate account can access MOVEit without needing to enter credentials again.

This topic covers:

Third-party requirements for Single Signon

Through support of SAML 2.0 functionality, MOVEit can use a third-party "identity provider" to authenticate users. An identity provider is an application that provides identity assertions via SAML, in response to authentication requests from a service provider. MOVEit acts as the service provider, also known as the "SAML consumer."

MOVEit supports authentication from the following as the Identity Provider:

Authentication with these Identity Providers has been tested and is supported by Ipswitch. Other servers that support the SAML 2.0 protocol should also work with MOVEit.

Single Signon for the MOVEit Server web interface

When Single Signon is configured for the MOVEit web interface, a user session works like this:

  1. User accesses MOVEit Server URL using a browser.
  2. MOVEit Server redirects browser to Identity Provider with an authentication request.
  3. Identity Provider authenticates user.
  4. Identity Provider redirects browser to MOVEit Server with an authentication assertion.
  5. MOVEit Server validates the assertion and signs the user on.
  6. If the Single Logout service is configured, when the user logs out of their network (Identity Provider) account, they will also be signed off from MOVEit.
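As an added example (not MOVEit's or Ipswitch's code), the following Python shows what step 5, "validates the assertion", covers on the service-provider side: the Status, Destination and InResponseTo of the Response, the Issuer, the Conditions time window and Audience, the bearer SubjectConfirmationData, and a replay cache of assertion IDs. The Identity Provider and service-provider URLs, the request ID and the sample Response are all constructed for this illustration. It assumes the XML signature on the Response has already been verified against the Identity Provider's signing certificate with a signature library (xml.etree cannot do that); without that step none of the checks below can be trusted.

```python
"""Service-provider checks on a SAML 2.0 Response (added example, not MOVEit code).
Assumes the XML signature has already been verified with a signature library."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Hypothetical service-provider configuration values.
IDP_ISSUER = "https://adfs.example.com/adfs/services/trust"
SP_ENTITY_ID = "https://moveit.example.com/"
ACS_URL = "https://moveit.example.com/saml/acs"

# Constructed sample Response, of the kind the browser posts back to the SP in step 4.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:05Z" Destination="https://moveit.example.com/saml/acs"
    InResponseTo="_req42">
  <saml:Issuer>https://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:05Z">
    <saml:Issuer>https://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:05Z"
            Recipient="https://moveit.example.com/saml/acs" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:05Z">
      <saml:AudienceRestriction><saml:Audience>https://moveit.example.com/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp (2024-01-01T12:00:00Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, request_id, now, seen_ids, skew=timedelta(minutes=2),
                      idp_issuer=IDP_ISSUER, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL):
    """Return (name_id, errors); an empty errors list means the user may be signed on.
    seen_ids is the SP's replay cache: an accepted assertion ID is added to it so the
    same assertion is rejected if it is presented again."""
    errors = []
    root = ET.fromstring(xml_text)

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("Status is not Success")
    if root.get("Destination") != acs_url:
        errors.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != request_id:
        errors.append("InResponseTo does not match the request we issued")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        errors.append("Response carries no Assertion")
        return None, errors
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_issuer:
        errors.append("Issuer is not the configured Identity Provider")

    # Validity window and audience, allowing a little clock skew between IdP and SP.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("Assertion has no Conditions")
    else:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            errors.append("NotBefore is in the future")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            errors.append("NotOnOrAfter has passed")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            errors.append("Audience does not include this service provider")

    # Bearer confirmation: the assertion must be addressed to our ACS and to our request.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation[@Method='%s']"
                         "/saml:SubjectConfirmationData" % BEARER, NS)
    if scd is None:
        errors.append("No bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            errors.append("Recipient is not our ACS URL")
        if scd.get("InResponseTo") != request_id:
            errors.append("SubjectConfirmationData InResponseTo mismatch")
        if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
            errors.append("SubjectConfirmationData NotOnOrAfter has passed")

    # Replay protection: each assertion ID is accepted once.
    aid = assertion.get("ID")
    if aid in seen_ids:
        errors.append("Assertion ID already seen (replay)")
    elif not errors:
        seen_ids.add(aid)
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), errors


if __name__ == "__main__":
    cache, now = set(), datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
    print(validate_response(SAMPLE_RESPONSE, "_req42", now, cache))
    print(validate_response(SAMPLE_RESPONSE, "_req42", now, cache))  # second use is a replay
```

The replay cache only needs to hold IDs until their NotOnOrAfter has passed, since anything older is rejected by the time-window check anyway. The skew allowance should stay small (a couple of minutes); a large one widens the window in which a leaked assertion remains usable.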

To set up Single Signon for users signing on to the MOVEit DMZ web interface, you need to do the following:

Single Signon for the Ipswitch Clients

When Single Signon is configured for the Outlook plug-in and MOVEit Sync clients, a user session works like this:

  1. User sends a file using the Ad Hoc Transfer client (Outlook plug-in) or a Sync operation is initiated.
  2. MOVEit Connector (on the client computer) requests SAML information from MOVEit Server.
  3. MOVEit Server returns SAML information, including the Service Provider URL and an Identity Provider URL.
  4. MOVEit Connector uses the SAML information to obtain a SAML token from the Identity Provider.
  5. MOVEit Connector sends a signon request (which includes the SAML token) to MOVEit Server.
  6. MOVEit Server signs the user on.

To set up Single Signon for users signing on to MOVEit DMZ from the Outlook plug-in and MOVEit Sync clients, you need to use ADFS as the Identity Provider. Both clients can use MOVEit DMZ's Single Signon services to sign on using a Windows domain account. Currently, only ADFS supports using Windows Authentication.

Assuming the Service Provider and Identity Provider settings are configured (see "Single Signon for MOVEit web interface"), Outlook plug-in and MOVEit Sync users can complete the configuration as described in the following procedure.

If MOVEit is configured for Single Signon through an Identity Provider using the same Domain Controller that your users use to perform Windows Authentication, it is possible to configure the Outlook plug-in and MOVEit Sync clients to automatically sign those users on without requiring credentials. To achieve this, follow these steps:

Note: This procedure must be run on the end user computer.

  1. Log into Windows as a user on the same Domain Controller that the MOVEit Identity Provider uses for authentication.

    Note: If the client was installed using silent install with the Windows Authentication and Organization ID properties already set, then the user will not need to sign on. The user will be signed on when they log into their Windows account.

  2. In the system tray, right-click the MOVEit Connector, then select Configuration.
  3. In either the MOVEit Send tab or the MOVEit Sync tab, select the Use Windows Authentication option. Instead of using the username and password from this dialog, the MOVEit Connector will initiate a SAML signon by requesting the SAML information from MOVEit. The user will not have to enter their user name and password here.
  4. When Use Windows Authentication is selected, the Username and Password fields will be hidden, and the Organization ID will appear. The user should enter their MOVEit Organization name provided by you, the Org administrator. If the user uses the default MOVEit organization, they can leave this option blank.

Note: The Ipswitch clients can also be configured to use WS-Trust authentication, which can allow users to sign on using Windows Authentication when ADFS is not available, for example, if the user signs on from a home network. For information about setting up WS-Trust Authentication, see the "Single Signon for FTP and SSH Clients" section.

Single Signon for FTP and SSH clients

WS-Trust authentication allows MOVEit to directly authenticate users using the same identity provider that is used for single signon with SAML. We recommend configuring a WS-Trust authentication source in addition to SAML Single Signon services for customers who want to provide FTP and SSH access to MOVEit using the same credentials the user uses to authenticate to their Identity Provider.

Currently, only the ADFS Identity Provider supports WS-Trust.

If you have a requirement to use WS-Trust, you can do so by setting up the following components:

Note: If you have already configured the Service Provider settings and added ADFS as the Identity Provider, you do not need to complete this setup again.

Instructions for End Users

After you have configured the Single Signon components, you need to provide the following information to your end users.

How Session Termination and Timeouts are Handled

Depending on how the Identity Provider is configured, many browsers will silently re-authenticate the user when they initiate the next session, which may be the desired behavior. However, if you want users to have to re-enter their password after doing a full SAML sign off, you can configure HTML Form-based signon. This procedure describes how to configure form-based signon for ADFS.

  1. Open the ADFS web application's web.config file (by default, C:\inetpub\adfs\ls\web.config) in a text editor.
  2. Locate the <microsoft.identityServer.web><localAuthenticationTypes> element.
  3. Move the child element of the localAuthenticationTypes element with the name "Forms" to the top of the list of child elements.
  4. Save the web.config file and restart the ADFS service.
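As an added example (not part of the original documentation or of ADFS), the following Python performs steps 2 and 3 on a constructed web.config fragment and reports the resulting order, which is the check you want after editing the real file: Forms must be the first `add` entry under `localAuthenticationTypes`. The entry names and `page` values in the sample are as I recall the ADFS 2.0 default file and should be verified against your own web.config; the element names `microsoft.identityServer.web` and `localAuthenticationTypes` are the ones the procedure names.

```python
"""Put the Forms entry first in ADFS localAuthenticationTypes (added example)."""
import xml.etree.ElementTree as ET

# Constructed fragment of an ADFS 2.0 web.config. The entry names and page values
# are as recalled from the default file; check them against your own web.config.
SAMPLE_WEB_CONFIG = """<configuration>
  <microsoft.identityServer.web>
    <localAuthenticationTypes>
      <add name="Integrated" page="auth/integrated/" />
      <add name="Forms" page="FormsSignIn.aspx" />
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />
    </localAuthenticationTypes>
  </microsoft.identityServer.web>
</configuration>"""


def _auth_types(root):
    """Locate the <localAuthenticationTypes> element (step 2) anywhere under the root."""
    node = next(root.iter("localAuthenticationTypes"), None)
    if node is None:
        raise ValueError("no <localAuthenticationTypes> element in this web.config")
    return node


def local_auth_order(config_xml):
    """Return the authentication type names in the order ADFS will try them."""
    return [e.get("name") for e in _auth_types(ET.fromstring(config_xml)).findall("add")]


def prefer_forms(config_xml, name="Forms"):
    """Move the <add name="Forms"> entry to the top (step 3) and return the rewritten XML."""
    root = ET.fromstring(config_xml)
    types = _auth_types(root)
    entry = next((e for e in types.findall("add") if e.get("name") == name), None)
    if entry is None:
        raise ValueError(f"no authentication type named {name!r}")
    types.remove(entry)
    types.insert(0, entry)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", local_auth_order(SAMPLE_WEB_CONFIG))
    fixed = prefer_forms(SAMPLE_WEB_CONFIG)
    print("after: ", local_auth_order(fixed))
```

xml.etree drops XML comments when it re-serialises, so on a real server make the edit by hand as in step 3 and use `local_auth_order` on the saved file to confirm that Forms is first before restarting the ADFS service (step 4). The reorder is idempotent: running `prefer_forms` on an already corrected file leaves the order unchanged.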

If MOVEit is configured for Single Signon through an Identity Provider using the same Domain Controller that your users use to perform Windows Authentication, it is possible to configure Internet Explorer to automatically sign those users on without requiring credentials. To achieve this, follow these steps:

Note: This procedure must be run on the end user computer.

  1. Log into Windows as a user on the same Domain Controller that the MOVEit Identity Provider uses for authentication.
  2. Open up Internet Explorer.
  3. Go to Internet Options > Security, select Local intranet, then click Sites. The Local intranet dialog opens. Click Advanced.
  4. Add the base identity provider URL as a trusted site. This URL is the location you are redirected to during SAML Authentication. For example, an ADFS URL might look something like this: https://adfs.mycompany.internal
  5. Close Internet Options.
  6. Navigate to the MOVEit Signon page and attempt a SAML Authentication.

    You should automatically sign on to MOVEit using your Windows account without being prompted for credentials.