Single Sign-On
Single Sign-On (SSO) allows users to log into MetaDefender Managed File Transfer without having to enter their Active Directory credentials or create a local account. SSO can be enabled for Identity Providers (IdPs) that support the OpenID Connect protocol.
For a step-by-step tutorial, refer to:
Requirements
Below are the technical requirements for SSO support in MetaDefender® MFT.
Technical Details
SSO Details | |
---|---|
Protocol | OpenID Connect |
Authorization Flow | Authorization Code Flow |
Required Scopes | openid, profile, email |
Response Mode | |
Claims
The following claims are used to populate user details in MetaDefender® MFT. Claims are resolved in the listed sequence, and the first claim found determines the value of the corresponding user detail.
Either the upn or the name claim is required; when neither exists, authentication fails.
User Detail | Claim(s) |
---|---|
User Name | |
Display Name | |
Given Name | |
Surname | |
Email Address | |
If a detail cannot be populated because its claims are missing, its value is left empty.
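As an added example (not code from the product documentation), the claim-resolution rule above expressed in Python: each user detail takes the first claim present in its precedence list, authentication fails when neither upn nor name is present, and details with no matching claim are left empty. The per-detail claim lists and the sample token payloads are assumptions standing in for the values of the table above.

```python
from typing import Dict, List, Mapping

# ASSUMED precedence lists (standard OIDC claim names; upn is the
# Microsoft-style principal claim). Replace with the product's own table.
ASSUMED_CLAIM_PRECEDENCE: Dict[str, List[str]] = {
    "user_name": ["upn", "name"],
    "display_name": ["name", "upn"],
    "given_name": ["given_name"],
    "surname": ["family_name"],
    "email": ["email"],
}


class MissingRequiredClaim(Exception):
    """Neither `upn` nor `name` is present: authentication must fail."""


def _present(claims: Mapping[str, object], claim: str) -> bool:
    value = claims.get(claim)
    return isinstance(value, str) and bool(value.strip())


def resolve_user_details(
    claims: Mapping[str, object],
    precedence: Dict[str, List[str]] = ASSUMED_CLAIM_PRECEDENCE,
) -> Dict[str, str]:
    # Required-claim check first: reject before populating anything.
    if not (_present(claims, "upn") or _present(claims, "name")):
        raise MissingRequiredClaim("neither 'upn' nor 'name' claim present")
    details: Dict[str, str] = {}
    for detail, candidates in precedence.items():
        # First claim found wins; otherwise the detail stays empty.
        chosen = next((c for c in candidates if _present(claims, c)), None)
        details[detail] = str(claims[chosen]).strip() if chosen else ""
    return details


# Constructed sample ID token payloads (not real tokens).
SAMPLE_WITH_UPN = {"upn": "alice@corp.example", "given_name": "Alice",
                   "family_name": "Liddell"}        # no email claim
SAMPLE_WITHOUT_REQUIRED = {"sub": "123", "email": "bob@corp.example"}

if __name__ == "__main__":
    print(resolve_user_details(SAMPLE_WITH_UPN))
    try:
        resolve_user_details(SAMPLE_WITHOUT_REQUIRED)
    except MissingRequiredClaim as exc:
        print("rejected:", exc)
```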
Configuration
In order to set up single sign-on, go to Settings → Single Sign-On.
Name | Description |
---|---|
Enable SSO | Turn SSO integration on / off |
Ignore TLS Certificate | Accept requests from the IdP even if the certificate is not fully trusted. |
Load User Profile | Attempt to retrieve user claims by calling the /userinfo endpoint. |
Skip Endpoint Validation | If enabled, the authority of the OpenID endpoints is not validated against the issuer. Find this information in the /.well-known/openid-configuration endpoint of the SSO provider. |
Provider Name | A friendly name that identifies the IdP in Managed File Transfer. |
Authority | The URL of the IdP. |
IP Address Or Domain | The IP or domain of the Managed File Transfer instance used to construct the Redirect URL. |
Redirect URI | The generated URL where users are redirected by the IdP after authentication. |
Client ID | A unique identifier assigned by the identity provider to registered clients. |
Client Secret | A randomly generated sequence issued by the identity provider and used in client authorization. |
Administrator Emails | A list of email addresses used for assigning administrative privileges to their owners (‘Administrator’ role in Managed File Transfer). |
Integration Scopes (Optional) | A list of optional scopes for making requests to the IdP. |
Additional endpoints (Optional) | Specifies a list of additional base addresses for endpoints. |
There is no technical limit to the number of Single Sign-On (SSO) users. Only the license user limit serves as a restriction.