System - User Authentication

SiteMinder

This section allows sysadmins to enable single-signon integration with CA's eTrust SiteMinder authentication product.

Enabling the option causes MOVEit Transfer to begin watching for the SiteMinder-specific HTTP headers that indicate a user has already been authenticated by a SiteMinder Policy Server acting through a SiteMinder Web Agent. When such headers are present, MOVEit Transfer will automatically log the user on, without having to prompt the user for authentication credentials again. This allows MOVEit Transfer to achieve true single-signon integration when operating in a SiteMinder environment.

To add an additional measure of security to the communication between MOVEit Transfer and SiteMinder, a special shared secret will be automatically generated whenever this setting is enabled. In order for MOVEit Transfer to trust the HTTP headers injected into the request by the SiteMinder Web Agent, a special header with the name HTTP_SM_MOVEITDMZ_SHAREDSECRET must be included with a value of this shared secret. Such a header can be configured as part of a Response object in SiteMinder. See the SiteMinder Integration page in the Advanced Topics section for more information about configuring a Response object.

Unique Usernames

The sysadmin can set whether a username can be used in only one MOVEit Transfer organization, or in multiple organizations.

• Across multiple organizations (default). The username is not allowed to be used in any other organization on the system.
• Within individual organizations. A username used by a user in one MOVEit Transfer organization is unique to that organization, and can also be used in other organizations. Note: Although usernames can be used across organizations, user accounts cannot. The user requires a user account on each organization.

If you are using MOVEit Automation or scripts to access MOVEit Transfer, this setting can affect the ability of existing MOVEit Automation accounts and scripts to authenticate to MOVEit Transfer.

When a username is used in multiple organizations, authenticating the username becomes a bit more complicated. Normally, the appropriate organization will be automatically determined by checking cookies or matching host names, but in some cases it may require users to provide an organization name. To authenticate, the organization must be identified. This can be done by:

• Setting up the hostname to match with the organization's base URL.
• Providing the Org ID in the query string.
• The user specifying which organization they want to log into (in the username field on the signon page). The necessary syntax is Org name, short name, or Org ID followed by a backslash (\) and then the username. For example, testorg\fred rather than just fred. This syntax should be communicated to all users who are members of multiple organizations because the username may become non-unique at any time (ie when the same username is added to another org).