This topic documents some notes from our testing of SAML Single Signon with the supported Identity Providers. These may be of help to you in configuring and testing your implementation.
Note: Your organization may have Identity Provider requirements beyond those needed for the MOVEit configuration. Because of this, it is not possible for us to give a complete step-by-step procedure for configuring the Identity Provider. Refer to your Identity Provider's documentation for detailed configuration information.
See the User Authentication - Single Signon page for information about the MOVEit settings needed to support SAML Single Signon.
Note: If you want to use client certificates you must configure the Identity Provider to handle them. The SAML Single Signon process in MOVEit DMZ does not support client certificates. In MOVEit DMZ, in the User Profile for SAML users, the SSL Client Certificate Required option must be set to No.
These are notes from our test configurations using ADFS as the identity provider. The notes assume that you have ADFS connected to an Active Directory server.
Notes on the Identity Provider Installation/Configuration
Set up the Service Provider
Configure the MOVEit settings required by ADFS.
Register MOVEit as the Service Provider/Relying Party
The SAML Service Provider and Identity Provider must register each other, in order to properly trust the requests and assertions that flow between the two servers. This is typically done by exchanging metadata files, which contain XML descriptions of the services, endpoints, and certificates of the server.
Register MOVEit as a Relying Party in ADFS. You can use the ADFS 2.0 Management Console to add a Relying Party Trust. This is where you can provide the URL for the Service Provider (MOVEit) metadata file, or provide a copy of the metadata file.
Set User Attributes
The settings for User Attributes are made both in the Identity Provider's configuration and in the MOVEit settings. These settings determine which user information (such as Account Name, Common Name, Email Address) will be sent to MOVEit DMZ in authentication assertions.
You set the User Attributes, known as "claims" in ADFS, by using the Add Claim Rules dialog (in the ADFS 2.0 Management Console).
We set the following attributes:
On the Issuance Transform Rules tab, click the Add Rule button.
Select Send Claims Using a Custom Rule.
Enter a rule name like "Create transient session ID"
Enter the following rule text:
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
=> add(store = "_OpaqueIdStore",
types = ("http://ipswitch.com/transientsessionid"),
query = "{0};{1};{2};{3};{4}",
param = "useEntropy",
param = c1.Value,
param = c1.OriginalIssuer,
param = "",
param = c2.Value);
Click Finish to add the rule.
Click the Add Rule button again.
Select Transform an Incoming Claim.
Enter a rule name like "Send transient session ID as NameID".
As the Incoming claim type, enter: http://ipswitch.com/transientsessionid
Select Name ID as the Outgoing claim type.
Select Transient Identifier as the Outgoing name ID format.
Click Finish to add the rule.
In the (MOVEit) Single Signon settings, select to edit the Identity Provider, then in the User Settings, set the following:
Set other user or group settings as desired.
Additional ADFS Configuration
SHA-256: Currently, MOVEit DMZ does not support SHA-256 hashing in XML signatures, so ADFS must be configured to not use SHA-256 with the Service Provider. In the Relying Party Trust entry for MOVEit DMZ, in the Advanced tab, change Secure hash algorithm to SHA-1.
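The ADFS steps above (registering the Relying Party Trust, the two claim rules, and the SHA-1 setting) done with the ADFS PowerShell cmdlets instead of the Management Console, as an added example that is not part of the MOVEit documentation. It assumes you run it on the ADFS server as an ADFS administrator; the MOVEit metadata URL is a placeholder, and the second rule's text is what the console generates for a Name ID / Transient Identifier transform rule.

```powershell
# Added example (not from the MOVEit documentation). On ADFS 2.0 replace
# Import-Module with: Add-PSSnapin Microsoft.Adfs.PowerShell
Import-Module ADFS

$rpName     = "MOVEit DMZ"                                # display name of the Relying Party Trust
$spMetadata = "https://moveit.example.com/saml/metadata"  # PLACEHOLDER: your MOVEit SP metadata URL

# 1. Register MOVEit as the Relying Party from its metadata ("Add Relying Party Trust").
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $spMetadata

# 2. Issuance transform rules. Rule 1 is the custom rule from the documentation;
#    rule 2 is the text the console generates for "Transform an Incoming Claim"
#    with outgoing type Name ID and outgoing format Transient Identifier.
$transformRules = @'
@RuleName = "Create transient session ID"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
 => add(store = "_OpaqueIdStore",
        types = ("http://ipswitch.com/transientsessionid"),
        query = "{0};{1};{2};{3};{4}",
        param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer,
        param = "", param = c2.Value);

@RuleName = "Send transient session ID as NameID"
c:[Type == "http://ipswitch.com/transientsessionid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# 3. The console wizard adds a "Permit Access to All Users" authorization rule;
#    the cmdlet does not, and without one every sign-on is denied.
$authorizationRules = @'
@RuleName = "Permit Access to All Users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# 4. Apply the rules and the SHA-1 signing algorithm the documentation requires
#    (the "Secure hash algorithm" setting on the trust's Advanced tab).
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# 5. Read the trust back to confirm what was applied.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, SignatureAlgorithm, IssuanceTransformRules
```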
Register ADFS as the Identity Provider
Now that MOVEit DMZ is registered with the ADFS server, the reverse needs to happen as well. Again, you may either download the ADFS server's metadata (the ADFS server's metadata location is typically "<ADFS Server URL>/FederationMetadata/2007-06/FederationMetadata.xml"), or provide the metadata URL to MOVEit DMZ as part of the Identity Provider configuration.
Test Authentication using SAML
To test the configuration, sign on to MOVEit as an Org admin and copy the Direct User Signon Link from the Edit Federated Identity Provider Settings page (for the configured Identity Provider). Sign off from MOVEit, then paste that URL into the Address Bar of your browser. If configured properly, the Identity Provider will authenticate you and then return you to MOVEit DMZ, where you will be signed on. (The Identity Provider may or may not prompt for credentials, depending on the configuration.)
Note: The login prompt is not the MOVEit Signon page. The login prompt is from the Identity Provider (ADFS uses a browser default credential input window).
See the Troubleshooting Single Signon page for common configuration issues.
These are notes from our test configurations using Shibboleth as the identity provider. The notes assume that you have Shibboleth set up as the user store, or connected to an Active Directory server.
Notes on the Identity Provider Installation/Configuration
Set up the Service Provider
Configure the MOVEit settings required by Shibboleth.
Note: If you use self-signed certificates, when you configure the Identity Provider, you will have to copy the metadata file from MOVEit, instead of using the URL for the metadata.
Register MOVEit as the Service Provider/Relying Party
The SAML Service Provider and Identity Provider must register each other, in order to properly trust the requests and assertions that flow between the two servers. This is typically done by exchanging metadata files, which contain XML descriptions of the services, endpoints, and certificates of the server.
Note: Currently, Shibboleth cannot download the Service Provider metadata file from MOVEit DMZ, so it is necessary to copy the file as shown in the first step.
Set User Attributes
The settings for User Attributes are made both in the Identity Provider's configuration and in the MOVEit settings. These settings determine which user information (such as Account Name, Common Name, Email Address) will be sent to MOVEit DMZ in authentication assertions.
Set other user or group settings as desired.
Register Shibboleth as the Identity Provider
Now that MOVEit DMZ is registered with the Shibboleth server, the reverse needs to happen as well. Again, you can either download the Shibboleth server's metadata, or provide the metadata URL to MOVEit DMZ as part of the Identity Provider configuration.
You can either select a local copy of the Identity Provider's metadata file [C:\[folder]\Metadata.xml], or copy the URL https://<idp-machine>:<port>/idp/shibboleth. For the URL, in the MOVEit settings select to add an Identity Provider, then paste the URL into the Identity Provider Metadata URL box.
Test Authentication using SAML
To test the configuration, sign on to MOVEit as an Org admin and copy the Direct User Signon Link from the Edit Federated Identity Provider Settings page (for the configured Identity Provider). Sign off from MOVEit, then paste that URL into the Address Bar of your browser. If configured properly, the Identity Provider will authenticate you and then return you to MOVEit DMZ, where you will be signed on. (The Identity Provider may or may not prompt for credentials, depending on the configuration.)
Note: The login prompt is not the MOVEit Signon page. The login prompt is from the Identity Provider (Shibboleth uses a Shibboleth splash screen).
See the Troubleshooting Single Signon page for common configuration issues.
These are notes from our test configurations using OneLogin as the identity provider. The notes assume that you have OneLogin set up as the user store, or connected to an Active Directory server.
Notes on the Identity Provider Installation/Configuration
Set up the Service Provider
Configure the Service Provider settings required by OneLogin.
Register MOVEit as the Service Provider/Relying Party
The SAML Service Provider and Identity Provider must register each other, in order to properly trust the requests and assertions that flow between the two servers. This is typically done by exchanging metadata files, which contain XML descriptions of the services, endpoints, and certificates of the server.
From the Service Provider settings in MOVEit, open the Service Provider Metadata file and copy the entityID for the MOVEit DMZ organization. Then, open the OneLogin > Configuration page, and paste the entityID into the SAML Audience box.
From the Service Provider settings in MOVEit, copy the URL for the Assertion Consumer Interface, then open the OneLogin > Configuration page, and paste the URL into the SAML Consumer URL and also into the SAML Recipient box.
From the Service Provider settings in MOVEit, copy the URL for the Single Logout Interface (Redirect method), then open the OneLogin > Configuration page, and paste the URL into the SAML Single Logout URL box. For the Single Logout setting, OneLogin currently supports only the Redirect method.
We left the RelayState box empty.
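The three values the OneLogin steps above have you copy out of the Service Provider metadata (entityID, Assertion Consumer URL, Single Logout Redirect URL) pulled from the metadata XML described earlier, as an added example that is not part of the MOVEit documentation; use it to check what was pasted into OneLogin. The metadata below is a constructed sample, the element names come from the SAML 2.0 metadata schema, and the HTTP-POST binding for the Assertion Consumer Service is an assumption.

```powershell
# Added example (not from the MOVEit documentation). Constructed sample metadata;
# for a real check read the exported MOVEit file: [xml](Get-Content .\SPMetadata.xml -Raw)
$spMetadataXml = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://moveit.example.com/saml/sp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://moveit.example.com/saml/slo/post"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://moveit.example.com/saml/slo/redirect"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://moveit.example.com/saml/acs" index="0" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>
'@

function Get-SpSettingsForOneLogin([xml]$Metadata) {
    # SAML metadata is namespaced, so XPath needs a prefix for the metadata namespace.
    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
    $sp = "/md:EntityDescriptor/md:SPSSODescriptor"

    # Assumption: the Assertion Consumer Interface uses the HTTP-POST binding.
    $acs = $Metadata.SelectSingleNode(
        "$sp/md:AssertionConsumerService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']", $ns)
    # OneLogin supports only the Redirect method for Single Logout, so select that
    # binding explicitly rather than the first SingleLogoutService listed.
    $slo = $Metadata.SelectSingleNode(
        "$sp/md:SingleLogoutService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']", $ns)
    if (-not $acs -or -not $slo) {
        throw "Metadata lacks an HTTP-POST Assertion Consumer Service or an HTTP-Redirect Single Logout Service"
    }

    # Keys are the OneLogin Configuration page fields each value is pasted into.
    [pscustomobject]@{
        'SAML Audience'          = $Metadata.DocumentElement.GetAttribute("entityID")
        'SAML Consumer URL'      = $acs.GetAttribute("Location")
        'SAML Recipient'         = $acs.GetAttribute("Location")
        'SAML Single Logout URL' = $slo.GetAttribute("Location")
    }
}

Get-SpSettingsForOneLogin ([xml]$spMetadataXml) | Format-List
```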
Set User Attributes
The settings for User Attributes are made in the Identity Provider settings in MOVEit and in the OneLogin configuration. These settings determine which user information (such as Account Name, Common Name, Email Address) will be sent to MOVEit DMZ in authentication assertions.
In the (MOVEit) Single Signon settings, select to edit the Identity Provider, then in the User Settings, set the Login name to SAML NameID. This is the only required setting. Set other user or group settings as desired.
In OneLogin, select the Access Control tab and select to use the Default role.
Register OneLogin as the Identity Provider
Now that MOVEit DMZ is registered with the OneLogin server, the reverse needs to happen as well. You need to provide the metadata URL to MOVEit DMZ as part of the Identity Provider configuration.
From the OneLogin Configuration page, copy the Single Signon > Issuer URL, then go to the MOVEit settings, Single Signon, select to add an Identity Provider, then paste the URL into the Identity Provider Metadata URL field.
Test Authentication using SAML
To test the configuration, sign on to MOVEit as an Org admin, then copy the Direct Link URL from your Identity Provider configuration. Sign off from MOVEit, then paste the URL into the Address Bar of your browser. If configured properly, the Identity Provider will authenticate you and then return you to MOVEit DMZ, where you will be signed on. (The Identity Provider may or may not prompt for credentials, depending on the configuration.)
Note: The login prompt is not the MOVEit Signon page. The login prompt is from the Identity Provider.
See the Troubleshooting Single Signon page for common configuration issues.