The WS-Trust (Authentication Only) source lets you use an external Identity Provider ( Microsoft Active Directory Federated Services (ADFS)), to authenticate users. Incoming usernames and passwords will be tried against the identity provider. The identity provider must support the WS-Trust protocol (see Requirements below).
The SAML 2.0 support provided by the Single Signon (See Feature Focus - Single Signon) allows users to authenticate through an external Identity Provider when using the MOVEit web interface. This model, which relies on the client to authenticate with the Identity Provider in order to create a SAML assertion to be "consumed" by MOVEit, is not available to non-HTTP interfaces. By also supporting the WS-Trust protocol, MOVEit can directly request a secure token in the form of a SAML 2.0 assertion document by including the user's provided username and password in the request. Assuming the same Identity Provider server supports both SAML and WS-Trust authentication, then users can use the same credentials to do both Single Signon through the web interface, and username/password authentication through FTP and SSH clients, or through Windows clients, such as the Ad Hoc Transfer Plug-in for Outlook and MOVEit Sync.
Requirements
To set up an external authentication source using WS-Trust, you need the following:
Note: If you need to add an Identity Provider, see the Identity Provider section of the User Authentication - Single Signon topic.
Setting up the WS-Trust source
Identity providers that support WS-Trust will provide a metadata file or URL that is used to configure the Security Token Service.
Click Browse to find and upload the metadata file for the provider; then click Upload Metadata File.
Or
Enter a URL for the providers's metadata, then click Download Metadata File.
Click Add New Source to add this authentication source.
The entry for the WS-Trust authentication source is created and added to list of sources on the Settings (Security) page.
These settings determine how the user information is added within MOVEit. By default, the authentication source is set to automatically create a user on signon. To change any of these settings, click Edit Identity Provider Settings.
Note: The WS-Trust authentication source shares its user and group settings with the linked Identity Provider.
The Full Name Attribute, and Email Attribute template settings determine what values will be used for the new user's full name, and email address fields if they are added to the MOVEit user account.
Auto Create User on Signon: By default, when a new user successfully signs on, an account will be created in MOVEit. If you want to disable it, click False.
Group membership behavior: This setting determines how group memberships will be dealt with. When set to Ignore Differences, identity provider group memberships will be ignored. When set to Report Differences, differences between MOVEit group memberships and identity provider group memberships will be reported in the log. When set to Correct Differences, differences between MOVEit group memberships and identity provider group memberships will be corrected, if possible. MOVEit groups will NOT be added automatically, only group memberships. Groups existing on the identity provider but not on the MOVEit server will be noted as errors.
Group membership attribute: Select from the list of object properties to set the name of the group, if a group exists on the identity provider.