Single Sign-On
Single Sign-On (SSO) allows users to log into MetaDefender Managed File Transfer without having to enter their Active Directory credentials or create a local account. SSO can be enabled for Identity Providers (IdPs) that support the OpenID Connect protocol.
For a step-by-step tutorial, refer to:
Requirements
Below are the technical requirements for SSO support in MetaDefender® MFT.
Technical Details
SSO Details | |
---|---|
Protocol | OpenID Connect |
Authorization Flow | Authorization Code Flow |
Required Scopes | openid, profile, email |
Response Mode | |
Claims
Following are the claims used to propagate user details in MetaDefender® MFT. Claims are resolved in the following sequence, with the first claim found determining the value for the corresponding user detail.
Either the upn or the name claim is required; when neither exists, authentication will fail.
User Detail | Claim(s) |
---|---|
User Name | |
Display Name | |
Given Name | |
Surname | |
Email Address | |
If a detail cannot be populated because its claims are missing, its value is left empty.
Configuration
In order to set up single sign-on, go to "Settings" → "Single Sign-On."
Name | Description |
---|---|
Enable SSO | Turn SSO integration on/off |
Ignore TLS Certificate | Accept requests from the IdP even if the certificate is not fully trusted |
Load User Profile | Attempt to retrieve user claims by calling the /userinfo endpoint |
Skip Endpoint Validation | If enabled, the authority of the OpenID endpoints is not validated against the issuer. Find this information in the /.well-known/openid-configuration endpoint of the SSO provider. |
Provider Name | A friendly name that identifies the IdP in Managed File Transfer |
Authority | The URL of the IdP |
IP Address Or Domain | The IP or domain of the Managed File Transfer instance used to construct the Redirect URL |
Redirect URI | The generated URL where users are redirected by the IdP after authentication |
Client ID | A unique identifier assigned by the identity provider to registered clients |
Client Secret | A randomly generated sequence issued by the identity provider and used in client authorization |
Administrator Emails | A list of email addresses used for assigning administrative privileges to their owners ("administrator" role in Managed File Transfer) |
Integration Scopes (Optional) | A list of optional scopes for making requests to the IdP |
Additional endpoints (Optional) | Specifies a list of additional base addresses for endpoints |
There is no technical limit to the number of Single Sign-On (SSO) users. Only the license user limit serves as a restriction.
Rate limiting may block authentication with SSO. If this occurs, adjust the rate-limiting settings to suit your needs.
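The claim-resolution rules from the Claims section (first claim found wins, upn or name required, missing details left empty) together with the Administrator Emails role assignment, as an added example that is not MetaDefender MFT's own code. The user-name claim order follows the page; the claim names for the other details, the "user" fallback role and the case-insensitive email comparison are assumptions.

```python
# Per-detail claim order. The user-name entry follows the page (upn or name is
# required); the remaining entries are an ASSUMPTION using standard OIDC claim
# names, standing in for the product's own Claims table.
CLAIM_ORDER = {
    "user_name":    ["upn", "name"],
    "display_name": ["name"],          # assumed
    "given_name":   ["given_name"],    # assumed
    "surname":      ["family_name"],   # assumed
    "email":        ["email"],         # assumed
}

class MissingRequiredClaim(Exception):
    """Raised when neither upn nor name is present: authentication fails."""

def first_present(claims: dict, names: list) -> str:
    """Return the value of the first listed claim the IdP actually sent.
    An absent or empty claim counts as not found (treating empty as missing is an assumption)."""
    for name in names:
        value = claims.get(name)
        if value:
            return str(value)
    return ""  # the detail stays empty when none of its claims exist

def resolve_user(claims: dict, admin_emails: list) -> dict:
    """Map ID-token / userinfo claims to MFT user details plus the role."""
    user = {detail: first_present(claims, names) for detail, names in CLAIM_ORDER.items()}
    if not user["user_name"]:
        raise MissingRequiredClaim("neither 'upn' nor 'name' claim present")
    # Administrator Emails grants the "administrator" role to the listed owners;
    # the case-insensitive comparison and the "user" fallback role are assumptions.
    admins = {a.strip().lower() for a in admin_emails}
    user["role"] = "administrator" if user["email"].lower() in admins else "user"
    return user

# Constructed sample claims, as an IdP might return after the Authorization Code
# Flow with the openid, profile and email scopes.
SAMPLE_CLAIMS = {
    "sub": "1234567890",
    "upn": "alice@example.com",
    "name": "Alice Liddell",
    "given_name": "Alice",
    "family_name": "Liddell",
    "email": "Alice@Example.com",
}

if __name__ == "__main__":
    print(resolve_user(SAMPLE_CLAIMS, ["alice@example.com"]))
```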