Configuring Single Sign-on for ActiveTransfer Web Client through SAML 2.0
ActiveTransfer supports Single Sign-On (SSO) through Security Assertion Markup Language (SAML) 2.0, an XML-based framework for exchanging security information. You can use SAML to access the ActiveTransfer web client through SSO. SSO is supported only for the HTTPS protocol.
ActiveTransfer acts as the service provider (SP) and communicates with a third-party identity provider (IDP), such as ADFS or Okta, to grant access to the target application, the ActiveTransfer web client. You configure ActiveTransfer to exchange authentication data between the third-party identity provider and the ActiveTransfer service provider. The third-party identity provider is the SAML authority and ActiveTransfer is the SAML consumer.
To enable SSO for ActiveTransfer Web Client
1. Set the system property mft.server.https.auth.saml to true in the Integration Server_directory\instances\instance_name\packages\WmMFT\config\properties.cnf file.
2. Configure the redirection URI, the ActiveTransfer Server URL that you provided when registering with the identity provider, in the mft.server.https.auth.saml.redirecturi property. For example: https://idp.machine/adfs/ls/idpinitiatedsignon.aspx.
3. Set the properties in the websso.properties configuration file.
4. The public key from the IDP server must be configured in the web client. Configure the profiles for SAML under the Security Infrastructure (SIN). You can configure the security properties that are set during server startup. The configuration file com.softwareag.sso.pid.properties is located in the Software AG_directory/profiles/profile/configuration/com.softwareag.platform.config.propsloader directory. The default configuration is:
com.softwareag.security.idp.keystore.keyalias=ssos
com.softwareag.security.idp.SSOassertion.lifeperiod=5
com.softwareag.security.idp.keystore.type=JKS
com.softwareag.security.idp.assertion.skew=30
com.softwareag.security.idp.truststore.location=/common/conf/platform_truststore.jks
com.softwareag.security.idp.truststore.password=manage
com.softwareag.security.idp.keystore.location=/common/conf/keystore.jks
enabled=false
com.softwareag.security.idp.keystore.password=manage
com.softwareag.security.idp.truststore.keyalias=ssos
com.softwareag.security.idp.assertion.lifeperiod=300
com.softwareag.security.idp.truststore.type=JKS
5. Verify the configured SSO truststore, add the public key from the identity provider to the truststore, and restart ActiveTransfer Server.
6. In the Server Management page, Ports tab, select an HTTPS listener for which you want to enable SSO.
Note: SSO is supported only for the HTTPS protocol.
a. In the SSO Options section of the Advanced tab, select the Support SSO login option.
7. Log on to ActiveTransfer Server.
a. On the Listeners page, select an HTTPS listener for which you want to enable SSO.
b. Under Bindings, select the Support single sign-on option.
The HTTPS endpoint (host name and port, for example https://localhost:234) is now enabled for SSO in ActiveTransfer Web Client. This is the endpoint URL for access to the ActiveTransfer web client, and it is the URL you use to register the ActiveTransfer web client in the identity provider as a service provider or an application.
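Before restarting the server in step 5, it helps to review the two files that steps 1 to 4 edit. The following Python script is an added example, not part of the Software AG documentation or product: it parses the .properties format (including the backslash-continued truststore line) and flags the settings a reviewer would want changed: the profile left at enabled=false, keystore or truststore passwords still at the shipped placeholder "manage", a non-HTTPS redirect URI, and assertion skew or lifeperiod outside the bounds assumed here. The sample file contents and the numeric limits are constructed assumptions, not product values.

```python
DEFAULT_SECRET = "manage"  # placeholder password shown in the page's default configuration
def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value, '#'/'!' comments, backslash continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_sso(sso: dict, mft: dict) -> list:
    """Findings for the SIN profile (sso) and properties.cnf (mft); an empty list means clean."""
    idp, findings = "com.softwareag.security.idp.", []
    if mft.get("mft.server.https.auth.saml", "false").lower() != "true":
        findings.append("mft.server.https.auth.saml is not true: SAML logon stays disabled")
    if not mft.get("mft.server.https.auth.saml.redirecturi", "").startswith("https://"):
        findings.append("redirecturi is missing or not HTTPS (SSO is HTTPS-only)")
    if sso.get("enabled", "false").lower() != "true":
        findings.append("enabled=false: the SSO profile is not active")
    for store in ("keystore", "truststore"):
        if not sso.get(idp + store + ".location"):
            findings.append(store + ".location is not set")
        if sso.get(idp + store + ".password", "") in ("", DEFAULT_SECRET):
            findings.append(store + ".password is empty or still the shipped default")
    for key, limit in (("skew", 300), ("lifeperiod", 3600)):  # assumed bounds, not product limits
        secs = int(sso.get(idp + "assertion." + key, "0"))
        if not 0 < secs <= limit:
            findings.append(f"assertion.{key}={secs}s: must be non-zero and at most {limit}s")
    return findings

# Constructed sample input (not real installation files): the page's default profile with its
# split truststore line, plus a properties.cnf that enables SAML.
SAMPLE_SSO = """\
enabled=false
com.softwareag.security.idp.keystore.location=/common/conf/keystore.jks
com.softwareag.security.idp.keystore.password=manage
com.softwareag.security.idp.truststore.location=/common/conf/\\
platform_truststore.jks
com.softwareag.security.idp.truststore.password=manage
com.softwareag.security.idp.assertion.skew=30
com.softwareag.security.idp.assertion.lifeperiod=300
"""
SAMPLE_MFT = "mft.server.https.auth.saml=true\nmft.server.https.auth.saml.redirecturi=https://idp.machine/adfs/ls/idpinitiatedsignon.aspx\n"
def audit_files(sso_text: str, mft_text: str) -> list:
    return audit_sso(parse_properties(sso_text), parse_properties(mft_text))
```

Run audit_files on the real files and expect an empty list; with the default profile above it reports the disabled profile and both placeholder passwords.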