Configuring Single Sign-On for ActiveTransfer User Interface
ActiveTransfer supports Single Sign-On (SSO) through Security Assertion Markup Language (SAML) 2.0, an XML-based framework for exchanging security information. You can use SAML to access ActiveTransfer web client through SSO. SSO is supported only for HTTPS protocol.
ActiveTransfer serves as the service provider (SP) and communicates between a third-party identity provider (IDP) such as, ADFS, Okta, and so on, to access the target application, ActiveTransfer web client. You can configure ActiveTransfer for exchanging authentication data between the third-party identity provider and ActiveTransfer service provider. The third-party identity provider is the SAML authority and ActiveTransfer is the SAML consumer.
To enable SSO for
ActiveTransfer user interface (UI)
1. Create a WebSSO configuration file at Integration Server\instances\default\packages\WmMFT\config\sso
Note:
You can also provide the configuration filename that represents the port number. For example, websso_9102.properties.
The WebSSO configuration file requires the below key value pairs:
Key | Key value |
SSO_KEYSTORE | C:/softwares/keycloak/keys/keycloak.jks |
SSO_SP_MAPPED_PORT | 9102 |
SSO_SP_ENDPOINT_URL | https://localhost:9102/mft/sso |
SSO_IDP_METADATA_URL | https://localhost:8443/auth/realms/ TestSAML/protocol/saml/descriptor/ Or file:///C:/SoftwareAG_105/IDPMetadata.xml |
SSO_KEYSTORE_PASSWORD | password in plain text |
SSO_KEYSTORE_TYPE | JKS |
SSO_SIGN_ALIAS | keycloakssl |
SSO_SIGN_ALIAS_PASSWORD | password in plain text |
SSO_ENCRYPT_ALIAS | keycloakssl |
SSO_ENCRYPT_ALIAS_PASSWORD | password in plain text |
SSO_DEFAULT_ALIAS | keycloakssl |
Important:
If you want to configure SSO for IDP initiated login, then add the property,
SSO_IDP_INITIATED_REDIRECT_URI in the file
(websso_9102.properties) with the IDP initiated URL. For example,
SSO_IDP_INITIATED_REDIRECT_URI=https://idp.machine/adfs/ls/idpinitiatedsignon.aspxWhen you configure the WebSSO property file, the system generates the
SPMetadata.xml file and downloads the
IDPMetadata.xml file in the
/sso and
/gen directories. However, if you cannot download the IDPMetadata.xml file from the IDP server or file path, copy the content of the hosted IDPMetadata XML file to the generated IDPMetadata.xml file.
You can restart the server or trigger
wm.mft.sso:initializeSSO from
Designer or Package Management from
Integration Server Administrator console to regenerate the property file.
The SP metadata file needs to be used by the IDP Provider to add the Service Provider.
You can map multiple values of SSO in your system by creating multiple
sso configuration files.