Configuring Single Sign-On for ActiveTransfer Web Client through SAML 2.0
ActiveTransfer supports Single Sign-On (SSO) through Security Assertion Markup Language (SAML) 2.0, an XML-based framework for the exchange of security information. You can use SAML to access the ActiveTransfer web client through SSO. SSO is supported only for the HTTPS protocol.
ActiveTransfer serves as the service provider (SP) and communicates with a third-party identity provider (IDP), such as ADFS, Okta, and so on, to give access to the target application, the ActiveTransfer web client. You can configure ActiveTransfer to exchange authentication data between the third-party identity provider and the ActiveTransfer service provider. The third-party identity provider is the SAML authority and ActiveTransfer is the SAML consumer.
To enable SSO for ActiveTransfer Web Client
1. Set the system property mft.server.https.auth.saml to true in the Integration Server_directory\instances\instance_name\packages\WmMFT\config\properties.cnf file.
2. In the mft.server.https.auth.saml.redirecturi property, configure the redirection URI, that is, the ActiveTransfer Server URL that you provided when registering with the identity provider. For example, https://idp.machine/adfs/ls/idpinitiatedsignon.aspx.
3. The public key from the IDP server must be configured for the web client. Configure the profiles for SAML under the Security Infrastructure (SIN). You can configure the security properties that are set during server startup. The configuration file com.softwareag.sso.pid.properties is located in the Software AG_directory/profiles/profile/configuration/com.softwareag.platform.config.propsloader directory. The default configuration is shown below:
com.softwareag.security.idp.keystore.keyalias=ssos
com.softwareag.security.idp.SSOassertion.lifeperiod=5
com.softwareag.security.idp.keystore.type=JKS
com.softwareag.security.idp.assertion.skew=30
com.softwareag.security.idp.truststore.location=/common/conf/platform_truststore.jks
com.softwareag.security.idp.truststore.password=manage
com.softwareag.security.idp.keystore.location=/common/conf/keystore.jks
enabled=false
com.softwareag.security.idp.keystore.password=manage
com.softwareag.security.idp.truststore.keyalias=ssos
com.softwareag.security.idp.assertion.lifeperiod=300
com.softwareag.security.idp.truststore.type=JKS
The key downloaded from the IDP server must be included in the truststore at the location set in com.softwareag.security.idp.truststore.location.
Note:
SIN searches for com.softwareag.security.idp.truststore.keyalias to load the alias. To configure more than one alias, do not set a value for this property.
4. Verify the configured SSO truststore, add the public key from the identity provider to the truststore, and restart ActiveTransfer Server.
5. In the Server Management page, Ports tab, select an HTTPS listener for which you want to enable SSO.
Note:
SSO is supported only for HTTPS protocol.
a. In the SSO Options section of the Advanced tab, select the Support Single Sign-On login option.
The HTTPS host name and port (for example: https://localhost:234) is now enabled for SSO in ActiveTransfer Web Client.
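The following Python check is an added example, not part of the product or its documentation. It audits the settings from steps 1 to 3 before the server is restarted. It assumes both files are plain key=value text; the function names, the idp_alias_count parameter, and the sample file contents (built from the values shown on this page) are constructed for illustration.

```python
# Added example: audit the settings from steps 1-3 (not product code).
DEFAULT_PASSWORD = "manage"  # default value shown in the listing on this page
PREFIX = "com.softwareag.security.idp."

def parse_properties(text):
    """Parse key=value lines (assumed format); skip blanks and #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(mft_props, sso_props, idp_alias_count=1):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if mft_props.get("mft.server.https.auth.saml", "").lower() != "true":
        findings.append("mft.server.https.auth.saml is not true (step 1)")
    uri = mft_props.get("mft.server.https.auth.saml.redirecturi", "")
    # Assumption: the URI must be HTTPS, since SSO is supported only for HTTPS.
    if not uri.lower().startswith("https://"):
        findings.append("redirecturi is missing or not HTTPS (step 2)")
    for store in ("truststore", "keystore"):
        if sso_props.get(PREFIX + store + ".password") == DEFAULT_PASSWORD:
            findings.append(store + ".password is still the default")
        if not sso_props.get(PREFIX + store + ".location"):
            findings.append(store + ".location is not set")
    # Per the note in step 3: with several aliases, keyalias must stay empty.
    if idp_alias_count > 1 and sso_props.get(PREFIX + "truststore.keyalias"):
        findings.append("truststore.keyalias must be empty for multiple aliases")
    return findings

# Constructed sample input, built from the values shown on this page.
SAMPLE_MFT = """\
mft.server.https.auth.saml=true
mft.server.https.auth.saml.redirecturi=https://idp.machine/adfs/ls/idpinitiatedsignon.aspx
"""
SAMPLE_SSO = """\
com.softwareag.security.idp.truststore.location=/common/conf/platform_truststore.jks
com.softwareag.security.idp.truststore.password=manage
com.softwareag.security.idp.truststore.keyalias=ssos
com.softwareag.security.idp.keystore.location=/common/conf/keystore.jks
com.softwareag.security.idp.keystore.password=manage
"""

if __name__ == "__main__":
    for f in audit(parse_properties(SAMPLE_MFT), parse_properties(SAMPLE_SSO)):
        print("FINDING:", f)
```

To audit a real installation, read the contents of properties.cnf and com.softwareag.sso.pid.properties from the paths given in steps 1 and 3 and pass them to parse_properties in place of the samples.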