Single Sign-on using SAML

Through support of SAML 2.0 functionality, you can customize MOVEit to use a third-party "identity provider" to authenticate MOVEit users. An identity provider is an application that provides identity assertions by way of SAML and in response to authentication requests from a service provider. MOVEit acts as the service provider. In this deployment pattern, MOVEit can be referred to as the "SAML consumer."

Security Assertion Markup Language (SAML) 2.0 provides a mechanism for exchanging authentication data among secure web domains. SAML 2.0 is an XML-based protocol and an OASIS standard. For more information about SAML, refer to SAML Overview from OASIS.

The SAML single sign-on service allows users to connect to MOVEit using a third-party identity provider. This enables users signed on to their network or corporate account to access MOVEit without needing to enter additional MOVEit specific credentials.

MOVEit supports authentication from the following as the Identity Provider:

• Shibboleth
• OneLogin
• Windows Server Active Directory Federation Services (AD FS). (Note: Microsoft refers to early versions as "ADFS")

We tested Windows Server 2019 AD FS (sometimes referred to as "ADFS 5.0") and Windows Server 2016 AD FS (sometimes referred to as "ADFS 4.0") with MOVEit Transfer.

Authentication with these Identity Providers has been tested and is supported. Other identity providers not listed here that support the SAML 2.0 protocol should also work with MOVEit.

Single Sign-on for the MOVEit Desktop, Mobile Client, MOVEit Web UI

When Single Sign-on is available, a user session works like this:

1. User accesses MOVEit Server URL using a browser.

   If the user is not already signed-in, a login page displays the option to use single sign-on.

   

2. User clicks the SSO login link.
   • Single IdP. User is brought to their Identity Provider's login page.
   • Two or more IdPs. A page for current identity provider (IdP) displays, or list of Identity Providers displays.

     

3. User chooses an Identity provider (such as Active Directory Federated Services), which authenticates the user.

   Identity provider redirects browser to MOVEit Server with an authentication assertion.

   MOVEit validates the assertion and signs the user on.

4. If the Single Logout service is configured, when the user logs out of their network (identity provider) account, they will also be signed off from MOVEit.

To set up Single Sign-on for users signing on to MOVEit Transfer web interface, you need to do the following:

• Make sure the requirements for the Identity Provider are identified and met. Refer to your Identity Provider's documentation for the required configuration settings.

  Note: If you are using Active Directory as your user store (configured in User Authentication as External Only), then you can use that same user store with the Identity Provider. You will need to install and configure ADFS so that Active Directory can act as the Identity Provider.

• Configure Service Provider/Relying Party settings: See Settings - User Authentication - Single Sign-on for details on setting up MOVEit Server as a SAML Service Provider.
• Configure Federated Identity Provider settings: See Settings - User Authentication - Single Sign-on for details on adding one or more Identity Providers.

Single Sign-on for the MOVEit Transfer Outlook and Sync Clients

When Single Sign-on is configured for the Outlook plug-in and MOVEit Sync clients, a user session works like this:

1. User sends a file using the Ad Hoc Transfer client (Outlook plug-in), or a Sync operation is initiated.
2. MOVEit Connector (on the client computer) requests SAML information from MOVEit Server.
3. MOVEit Server returns SAML information, including the Service Provider URL and an Identity Provider URL.
4. MOVEit Connector uses the SAML information to obtain a SAML token from the Identity Provider.
5. MOVEit Connector sends a sign-on request (which includes the SAML token) to MOVEit Server.
6. MOVEit Server signs the user on.

To set up Single Sign-on for users signing on to MOVEit Transfer from the Outlook plug-in and MOVEit Sync clients, you need to use ADFS as the Identity Provider. Both clients can use the MOVEit Transfer Single Sign-on services to sign on using a Windows domain account. Currently, only ADFS supports using Windows Authentication.

Assuming the Service Provider and Identity Provider settings are configured (see "Single Sign-on for MOVEit web interface"), Outlook plug-in and MOVEit Sync users can complete the configuration as described in the following procedure.

• Single Sign-on using Windows Authentication from MOVEit Transfer clients

If MOVEit is configured for Single Sign-on through an Identity Provider using the same Domain Controller that your users use to perform Windows Authentication, it is possible to configure the Outlook plug-in and MOVEit Sync clients to automatically sign those users on without requiring credentials. To achieve this, follow these steps:

Note: This procedure must be run on the end-user computer.

1. Log into Windows as a user on the same Domain Controller that the MOVEit Identity Provider uses for authentication.

   Note: If the client was installed using silent install with the Windows Authentication and Organization ID properties already set, then the user will not need to sign-on. The user will be signed on when they log into their Windows account.

2. In the system tray, right-click the MOVEit Connector, then select Configuration.
3. In either the MOVEit Send tab or the MOVEit Sync tab, select the Use Windows Authentication option. Instead of using the username and password from this dialog, the MOVEit Connector will initiate a SAML sign-on by requesting the SAML information from MOVEit. The user will not have to enter their user name and password here.
4. When Use Windows Authentication is selected, the Username and Password fields will be hidden, and the Organization ID will appear. The user should enter their MOVEit Organization name provided by you, the Org administrator. If the user uses the default MOVEit organization, they can leave this option blank.

Note: MOVEit Transfer Clients (Sync, MOVEit Ad Hoc, and so on) can also be configured to use WS-Trust authentication, allowing users to sign on using Windows Authentication when ADFS is not available, for example, if the user signs on from a home network. For information about setting up WS-Trust Authentication, see the "Single Sign-on for FTP and SSH Clients" section.

Single Sign-on for FTP and SSH Clients

WS-Trust authentication allows MOVEit to directly authenticate users using the same identity provider used for single sign-on with SAML. We recommend configuring a WS-Trust authentication source in addition to SAML Single Signon services for customers who want to provide FTP and SSH access to MOVEit using the same credentials the user uses to authenticate to their Identity Provider.

Currently, only the ADFS Identity Provider supports WS-Trust.

If you have a requirement to use WS-Trust, you can do so by setting up the following components:

Note: If you have already configured the Service Provider settings and added ADFS as the Identity Provider, you do not need to complete this setup again.

• Configure Service Provider/Relying Party settings: See Settings - User Authentication - Single Sign-on for details on setting up MOVEit Server as a SAML Service Provider.
• Configure Federated Identity Provider: See Settings - User Authentication - Single Sign-on for details on adding one or more Identity Providers.
• Configure External authentication - WS-Trust: See Settings - Service Integration - WS-Trust for details on setting up the external authentication method.

Sign-on Information and Settings Needed for End Users

After you have configured the single sign-on components, you need to provide the following information to your end-users.

• Web browser sign-on. Provide the direct sign-on URL (shown on the Single Sign-on page).
• Outlook plug-in or Sync client sign-on. Direct end-users to select the Windows Authentication option in the configuration options (on the client computer, right-click the MOVEit Connector (in the system tray), then select Configuration. In either the MOVEit Send tab or the MOVEit Sync tab, select the Windows Authentication option. Instead of using the username and password from this dialog, the MOVEit Connector will initiate a SAML sign-on by requesting the SAML information from MOVEit.
• Single Logout service. If this service is enabled, when the user logs out of their identity provider account, they will also be logged out of any MOVEit sessions.

How Session Termination and Timeouts are Handled

• MOVEit Server session termination: As a SAML authenticated user, if your MOVEit Server session is manually terminated by an administrator, a flag is set for that user. If that user navigates to any page in MOVEit Server that requires an active session, the user will be redirected to the MOVEit Server Sign-on page. The user will also see a notification that the session has been terminated.
• If the MOVEit Server session terminates due to a timeout, or the Identity Provider terminates due to session timeout, user logout, or admin terminated session, the browser may handle the subsequent re-authentication sequence. Some browsers may re-authenticate users within the same browser session without requiring the user to re-enter credentials. To prevent this "silent" re-authentication by the browser, the user should close the browser after logging out of MOVEit Server.

  Note: If you use the ADFS Identity Provider and want to avoid silent re-authentication by the browser, you can configure HTML form-based sign-on. For more information, see the procedure below.

• HTML Form-based Sign-on for Active Directory Federation Services

Depending on how the Identity Provider is configured, many browsers will silently re-authenticate the user when they initiate the next session, which may be the desired behavior. However, if you want users to re-enter their password after doing a full SAML sign off, you can configure HTML Form-based sign-on. This procedure describes how to configure form-based sign-on for ADFS.

1. Open the ADFS web application's web.config file (by default, C:\inetpub\adfs\ls\web.config) in a text editor.
2. Locate the microsoft.identityServer.web localAuthenticationTypes element.
3. Move the child element of the localAuthenticationTypes element with the name "Forms" to the top of the list of child elements.
4. Save the web.config file and restart the ADFS service.