Single Sign-On

Single Sign-On (SSO) allows users to log into MetaDefender Managed File Transfer without having to enter the active directory credentials or creating a local account. Enabling SSO is available for Identity Providers (IdP) supporting the OpenID Connect protocol.

Requirements

Below are the technical requirements of MetaDefender® MFT supporting SSO.

Technical Details

SSO Details


Protocol

OpenID Connect

Authorization Flow

Authorization Code Flow

Required Scopes

openid , profile ,email

Response Mode

code and state in either:

  • OAuth 2.0 Form Post Response Mode

  • query Response Mode

Claims

Following are the claims used to propagate user details in MetaDefender® MFT. Claims are resolved in the following sequence, with the first claim found determining the value for the corresponding user detail.

Required Claims

Either the upn or the name claim is required; when neither exists, authentication will fail.

User Detail

Claim(s)

User Name

  1. upn

  2. preferred_username

  3. name

Display Name

  1. unique_name

  2. name

Given Name

  1. given_name

Surname

  1. family_name

Email Address

  1. email

  2. upn

Info

If details can not be populated due to missing claims, their values will be left empty.

Configuration

In order to set up single sign-on, go to "Settings" → "Single Sign-On."

Redirection

URL(s) for redirection can be generated on the configuration page of SSO within MetaDefender Managed File Transfer™. The redirection URL's format is the following: <protocol>://<host>:<port>/vault_rest/authenticate-sso

For example if MetaDefender Managed File Transfer™ is being accessed on the address https://my-mft:8010, then the SSO provider will be asked to redirect authentications to https://my-mft:8010/vault_rest/authenticate-sso.

Info

MetaDefender Managed File Transfer™ will always dynamically create the redirection URL based on what address the instance is being accessed on.

Name

Description

Enable SSO

Turn SSO integration on/off

Ignore TLS Certificate

Accept requests from the IdP even if the certificate is not fully trusted

Load User Profile

Attempt to retrieve user claims by calling the/userinfo endpoint

Skip Endpoint Validation

If enabled, the authority of the OpenID endpoints are not validated against the issuer; Find th__is information in the /.well-known/openid-configuration endpoint of the SSO provider.

Provider Name

A friendly name that identifies the IdP in Managed File Transfer

Authority

The URL of the IdP

IP Address Or Domain

The IP or domain of the MetaDefender Managed File Transfer™ instance used to construct the Redirect URL

Redirect URI

The constructed redirection URL to copy and provide in the configuration of the SSO provider

Client ID

A unique identifier assigned by the identity provider to registered clients

Client Secret

A randomly generated sequence issued by the identity provider and used in client authorization

Administrator Emails

A list of email addresses used for assigning administrative privileges to their owners ("administrator" role in Managed File Transfer)

Integration Scopes (Optional)

A list of optional scopes for making requests to the IdP

Additional endpoints (Optional)

Specifies a list of additional base addresses for endpoints

Info

There is no technical limit to the number of Single Sign-On (SSO) users. Only the license user limit serves as a restriction.

Warning

Rate limiting may block authentication with SSO. If this occurs, adjust the rate-limiting settings to suit your needs.