The WS-Trust (Authentication Only) source lets you use an external Identity Provider (Microsoft Active Directory Federation Services (ADFS)) to authenticate users. Incoming usernames and passwords are tried against the identity provider. The identity provider must support the WS-Trust protocol (see Requirements below).
The SAML 2.0 support provided by Single Sign-on (see Feature Focus - Single Sign-on) allows users to authenticate through an external Identity Provider when using the MOVEit web interface. This model, which relies on the client to authenticate with the Identity Provider in order to create a SAML assertion to be "consumed" by MOVEit, is not available to non-HTTP interfaces. By also supporting the WS-Trust protocol, MOVEit can directly request a secure token in the form of a SAML 2.0 assertion document by including the user's provided username and password in the request. Assuming the same Identity Provider server supports both SAML and WS-Trust authentication, users can use the same credentials both for single sign-on through the web interface and for username/password authentication through FTP and SSH clients, or through Windows clients such as the Ad Hoc Transfer Plug-in for Outlook and MOVEit Sync.
Requirements
To set up an external authentication source using WS-Trust, you need the following:
An Identity Provider. MOVEit supports either:
Microsoft Active Directory Federation Services (ADFS)
Windows Server (2016, 2019) Active Directory Federation Services (AD FS)
The Identity Provider must support the WS-Trust version 1.3 protocol, and provide at least one username/password binding (a binding that accepts a UsernameToken, or HTTP basic or digest authentication).
The Identity Provider must be on a host that MOVEit Server can connect to using HTTPS.
The Security Token Service for communication between MOVEit and the WS-Trust server must be configured before you set up the WS-Trust source. The WS-Trust source requires an existing Identity Provider to be configured in the MOVEit Single Sign-on settings page. The authentication source will be linked to that Identity Provider. If no Identity Provider is configured, you must add and configure one before the WS-Trust authentication source can be added.
Note: If you need to add an identity provider, see the Identity Provider section of the User Authentication - Single Sign-on topic.
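The exchange described above (MOVEit sends the user's credentials in a WS-Trust 1.3 request and receives a SAML 2.0 assertion) in concrete form, as an added example that is not MOVEit's or ADFS's own code: it builds the RequestSecurityToken with the UsernameToken binding named in the Requirements, and checks the returned response the way a relying party should before trusting the assertion. The STS URL, relying-party identifier and sample response are constructed for illustration; signature verification against the provider's metadata certificate is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"s": "http://www.w3.org/2003/05/soap-envelope", "a": "http://www.w3.org/2005/08/addressing",
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy", "t": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML2 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
for p, u in NS.items(): ET.register_namespace(p, u)  # keep the conventional prefixes when serialising
q = lambda prefix, tag: "{%s}%s" % (NS[prefix], tag)  # Clark-notation tag name for ElementTree

def build_rst(sts_url, relying_party, username, password):
    """WS-Trust 1.3 RST/Issue for the STS's username/password endpoint: the credentials travel in a
    WS-Security UsernameToken, the relying party (MOVEit) in AppliesTo, SAML 2.0 as the TokenType."""
    env = ET.Element(q("s", "Envelope"))
    hdr = ET.SubElement(env, q("s", "Header"))
    ET.SubElement(hdr, q("a", "Action")).text = NS["t"] + "/RST/Issue"
    ET.SubElement(hdr, q("a", "To")).text = sts_url
    ut = ET.SubElement(ET.SubElement(hdr, q("o", "Security")), q("o", "UsernameToken"))
    ET.SubElement(ut, q("o", "Username")).text = username
    ET.SubElement(ut, q("o", "Password")).text = password  # cleartext inside the envelope: HTTPS only
    rst = ET.SubElement(ET.SubElement(env, q("s", "Body")), q("t", "RequestSecurityToken"))
    epr = ET.SubElement(ET.SubElement(rst, q("wsp", "AppliesTo")), q("a", "EndpointReference"))
    ET.SubElement(epr, q("a", "Address")).text = relying_party
    ET.SubElement(rst, q("t", "RequestType")).text = NS["t"] + "/Issue"
    ET.SubElement(rst, q("t", "TokenType")).text = SAML2
    return ET.tostring(env, encoding="unicode")

def validate_rstr(rstr_xml, relying_party, now=None):
    """Checks the relying party must make on the RSTR before trusting it: token type, validity window and
    audience. Returns the subject NameID or raises ValueError. XML-Signature verification is separate."""
    root = ET.fromstring(rstr_xml)
    if root.findtext(".//t:TokenType", namespaces=NS) != SAML2:
        raise ValueError("unexpected token type")
    assertion = root.find(".//t:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None or assertion.find("saml:Conditions", NS) is None:
        raise ValueError("RSTR carries no SAML 2.0 assertion with Conditions")
    cond = assertion.find("saml:Conditions", NS)
    nb, na = (datetime.fromisoformat(cond.get(k).replace("Z", "+00:00")) for k in ("NotBefore", "NotOnOrAfter"))
    if not nb <= (now or datetime.now(timezone.utc)) < na:
        raise ValueError("assertion outside its validity window")
    if relying_party not in [x.text for x in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion was not issued for this relying party")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

# Constructed, unsigned RSTR in the shape an STS returns for the request above (sample data only).
SAMPLE_RSTR = """<t:RequestSecurityTokenResponse xmlns:t="%s" xmlns:saml="%s"><t:TokenType>%s</t:TokenType>
<t:RequestedSecurityToken><saml:Assertion Version="2.0" ID="_c1" IssueInstant="2024-05-01T12:00:00Z">
<saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z"><saml:AudienceRestriction>
<saml:Audience>https://moveit.example.test/</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion></t:RequestedSecurityToken></t:RequestSecurityTokenResponse>""" % (NS["t"], NS["saml"], SAML2)
```

A response whose audience is a different relying party, or whose validity window has passed, is rejected with ValueError rather than yielding a username.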
Setting up the WS-Trust Source
Check that you have met the requirements in the above section.
Add WS-Trust as an authentication source, as described in the External Authentication - Overview topic.
Configure this authentication method to use the Security Token Service.
Identity providers that support WS-Trust generate a metadata file or URL that is used to configure the Security Token Service.
Click Browse to find and upload the metadata file for the provider; then click Upload Metadata File.
Or
Enter a URL for the provider's metadata, then click Download Metadata File.
Click Add New Source to add this authentication source.
The entry for the WS-Trust authentication source is created and added to the list of sources on the Settings (Security) page.
To complete the setup, in the list of authentication sources, click Edit next to your WS-Trust source. The Edit Authentication Source page opens.
Make sure Enabled is set to Yes.
Make sure the Security Token Service endpoint is set to the appropriate location.
Edit user and group settings as appropriate.
These settings determine how the user information is added within MOVEit. By default, the authentication source is set to automatically create a user on sign-on. To change any of these settings, click Edit Identity Provider Settings.
Note: The WS-Trust authentication source shares its user and group settings with the linked Identity Provider.
The Full Name Attribute and Email Attribute template settings determine which values are used for the new user's full name and email address fields when those are added to the MOVEit user account.
Auto Create User on Sign-on: By default, when a new user successfully signs on, an account will be created in MOVEit. If you want to disable it, click False.
Group membership behavior: This setting determines how group memberships are handled. When set to Ignore Differences, identity provider group memberships are ignored. When set to Report Differences, differences between MOVEit group memberships and identity provider group memberships are reported in the log. When set to Correct Differences, differences between MOVEit group memberships and identity provider group memberships are corrected, if possible. MOVEit groups are NOT added automatically, only group memberships. Groups that exist on the identity provider but not on the MOVEit server are noted as errors.
Group membership attribute: Select from the list of object properties to set the name of the group, if a group exists on the identity provider.