SAML Single Signon Service

Security Assertion Markup Language (SAML) 2.0 provides a mechanism for exchanging authentication data among secure web domains. SAML 2.0 is an XML-based protocol, and an OASIS standard. For more information about SAML, refer to SAML Overview from OASIS.

The SAML Single Signon service allows your users to connect to MOVEit Server using a third-party Identity Provider to authenticate. Thus, a user who is signed on using their network or corporate account can access MOVEit without needing to enter credentials again.

This topic covers:

• Third-party requirements for Single Signon
• Single Signon for the MOVEit Server web interface
• Single Signon for the Ipswitch Clients
• Single Signon for FTP and SSH clients
• Instructions for End Users
• How Session Termination and Timeouts are Handled
• Single Signon Automatic Authentication For Windows Users Using Internet Explorer

Third-party requirements for Single Signon

Through support of SAML 2.0 functionality, MOVEit can use a third-party "identity provider" to authenticate users. An identity provider is an application that provides identity assertions via SAML, in response to authentication requests from a service provider. MOVEit acts as the service provider, also known as the "SAML consumer."

MOVEit supports authentication from the following as the Identity Provider:

• Microsoft Active Directory Federation Services (ADFS)
• Shibboleth
• OneLogin

Authentication with these Identity Providers has been tested and is supported by Ipswitch. Other servers that support the SAML 2.0 protocol should also work with MOVEit.

Single Signon for the MOVEit Server web interface

When Single Signon is configured for the MOVEit web interface, a user session works like this:

1. User accesses MOVEit Server URL using a browser.
2. MOVEit Server redirects browser to Identity Provider with an authentication request.
3. Identity Provider authenticates user.
4. Identity Provider redirects browser to MOVEit Server with an authentication assertion.
5. MOVEit Server validates the assertion and signs the user on.
6. If the Single Logout service is configured, when the user logs out of their network (Identity Provider) account, they will also be signed off from MOVEit.

To set up Single Signon for users signing on to MOVEit Transfer web interface, you need to do the following:

• Make sure the requirements for the Identity Provider are identified and met. Refer to your Identity Provider's documentation for the required configuration settings.

  Note: If you are using Active Directory as your user store (configured in User Authentication as External Only); then you can use that same user store with the Identity Provider. You will need to install and configure ADFS so that Active Directory can act as the Identity Provider.

• Configure Service Provider/Relying Party settings: See Settings - User Authentication - Single Signon for details on setting up MOVEit Server as a SAML Service Provider.
• Configure Federated Identity Provider settings: See Settings - User Authentication - Single Signon for details on adding one or more Identity Providers.

Single Signon for the Ipswitch Clients

When Single Signon is configured for the Outlook plug-in and MOVEit Sync clients, a user session works like this:

1. User sends a file using the Ad Hoc Transfer client (Outlook plug-in) or a Sync operation is initiated.
2. MOVEit Connector (on the client computer) requests SAML information from MOVEit Server.
3. MOVEit Server returns SAML information, including the Service Provider URL and an Identity Provider URL.
4. MOVEit Connector uses the SAML information to obtain a SAML token from the Identity Provider.
5. MOVEit Connector sends a signon request (which includes the SAML token) to MOVEit Server.
6. MOVEit Server signs the user on.

To set up Single Signon for users signing on to MOVEit Transfer from the Outlook plug-in and MOVEit Sync clients, you need to use ADFS as the Identity Provider. Both clients can use the MOVEit Transfer Single Signon services to sign on using a Windows domain account. Currently, only ADFS supports using Windows Authentication.

Assuming the Service Provider and Identity Provider settings are configured (see "Single Signon for MOVEit web interface"), Outlook plug-in and MOVEit Sync users can complete the configuration as described in the following procedure.

• Single Signon using Windows Authentication from Ipswitch clients

If MOVEit is configured for Single Signon through an Identity Provider using the same Domain Controller that your users use to perform Windows Authentication, it is possible to configure the Outlook plug-in and MOVEit Sync clients to automatically sign those users on without requiring credentials. To achieve this, follow these steps:

Note: This procedure must be run on the end user computer

1. Log into Windows as a user on the same Domain Controller that the MOVEit Identity Provider uses for authentication.

   Note: If the client was installed using silent install with the Windows Authentication and Organization ID properties already set, then the use will not need to signon. The user will be signed on when they log into their Windows account.

2. In the system tray, right-click the MOVEit Connector, then select Configuration.
3. In either the MOVEit Send tab or the MOVEit Sync tab, select the Use Windows Authentication option. Instead of using the username and password from this dialog, the MOVEit Connector will initiate a SAML signon by requesting the SAML information from MOVEit. The user will not have to enter their user name and password here.
4. When Use Windows Authentication is selected, the Username and Password fields will be hidden, and the Organization ID will appear. The user should enter their MOVEit Organization name provided by you, the Org administrator. If the user uses the default MOVEit organization, they can leave this option blank.

Note: The Ipswitch clients can also be configured to use WS-Trust authentication, which can allow users to sign on using Windows Authentication when ADFS is not available, for example, if the user signs on from a home network. For information about setting up WS-Trust Authentication, see the "Single Signon for FTP and SSH Clients" section.

Single Signon for FTP and SSH clients

WS-Trust authentication allows MOVEit to directly authenticate users using the same identity provider that is used for single signon with SAML. We recommend configuring a WS-Trust authentication source in addition to SAML Single Signon services for customers who want to provide FTP and SSH access to MOVEit using the same credentials the user uses to authenticate to their Identity Provider.

Currently, only the ADFS Identity Provider supports WS-Trust.

If you have a requirement to use WS-Trust, you can do so by setting up the following components:

Note: If you have already configured the Service Provider settings and added ADFS as the Identity Provider, you do not need to complete this setup again.

• Configure Service Provider/Relying Party settings: See Settings - User Authentication - Single Signon for details on setting up MOVEit Server as a SAML Service Provider.
• Configure Federated Identity Provider: See Settings - User Authentication - Single Signon for details on adding one or more Identity Providers.
• Configure External authentication - WS-Trust: See Settings - Service Integration - WS-Trust for details on setting up the external authentication method.

Instructions for End Users

After you have configured the Single Signon components, you need to provide the following information to your end users.

• For signing on from a web browser, provide the Direct Signon URL (shown on the Single Signon page).
• For signing on from the Outlook plug-in or Sync clients, direct your users to select the Windows Authentication option in the configuration options (on the client computer, right-click the MOVEit Connector (in the system tray), then select Configuration. In either the MOVEit Send tab or the MOVEit Sync tab, select the Windows Authentication option. Instead of using the username and password from this dialog, the MOVEit Connector will initiate a SAML signon by requesting the SAML information from MOVEit.
• Single Logout service: If this service is enabled, when the user logs out of their identity provider account, they will also be logged out of any MOVEit sessions.

How Session Termination and Timeouts are Handled

• MOVEit Server session termination: As a SAML authenticated user, if your MOVEit Server session is manually terminated by an administrator, a flag is set for that user. If that user navigates to any page in MOVEit Server that requires an active session, the user will be redirected to the MOVEit Server Signon page. The user will also see a notification that the session has been terminated.
• If the MOVEit Server session terminates due to a timeout, or the Identity Provider terminates due to session timeout, user logout, or admin terminated session, the browser may handle the subsequent re-authentication sequence. Some browsers may re-authenticate users within the same browser session without requiring the user to re-enter credentials. To prevent this "silent" re-authentication by the browser, the user should close the browser after logging out of MOVEit Server.

  Note: If you use the ADFS Identity Provider and want to avoid silent re-authentication by the browser, you can configure HTML form-based sign on. For more information, see the procedure below.

• HTML Form-based Signon for ADFS

Depending on how the Identity Provider is configured, many browsers will silently re-authenticate the user when they initiate the next session, which may be the desired behavior. However, if you want users to have to re-enter their password after doing a full SAML sign off, you can configure HTML Form-based signon. This procedure describes how to configure form-based signon for ADFS.

1. Open the ADFS web application's web.config file (by default, C:\inetpub\adfs\ls\web.config) in a text editor.
2. Locate the microsoft.identityServer.web localAuthenticationTypes element.
3. Move the child element of the localAuthenticationTypes element with the name "Forms" to the top of the list of child elements.
4. Save the web.config file and restart the ADFS service.

• Single Signon Using Windows Authentication from Internet Explorer

If MOVEit is configured for Single Signon through an Identity Provider using the same Domain Controller that your users use to perform Windows Authentication, it is possible to configure Internet Explorer to automatically sign those users on without requiring credentials. To achieve this, follow these steps:

Note: This procedure must be run on the end user computer.

1. Log into Windows as a user on the same Domain Controller that the MOVEit Identity Provider uses for authentication.
2. Open up Internet Explorer.
3. Go to Internet Options > Security, select Local intranet, then click Sites. The Local intranet dialog opens. Click Advanced.
4. Add the base identity provider URL as a trusted site. This URL is the location you are redirected to during SAML Authentication. For example, an ADFS URL might look something like this: https://adfs.mycompany.internal
5. Close Internet Options.
6. Navigate to the MOVEit Signon page and attempt a SAML Authentication.

   You should automatically sign on to MOVEit using your Windows account without being prompted for credentials.