Through its support for SAML 2.0 and OIDC, MOVEit can be configured to use a third-party identity provider (IdP) to authenticate MOVEit users.

Single Sign-on Option (MOVEit Mobile shown)

Single Sign-on Option (Web UI shown)

User Selects Identity Provider (Web UI shown)

Security Assertion Markup Language (SAML) 2.0 is an XML-based OASIS standard for exchanging authentication and authorization data between security domains, here between the identity provider and MOVEit, which acts as the SAML service provider (SP). For more information about SAML, refer to the SAML Overview from OASIS.

Important: The SAML single sign-on service lets users connect to MOVEit through a third-party identity provider, so a user who is already signed on to their network or corporate account can access MOVEit without entering separate MOVEit-specific credentials.

MOVEit supports the following as the identity provider:

  • OpenID Connect (OIDC) providers. OIDC is an identity layer built on OAuth 2.0.
  • Shibboleth
  • OneLogin
  • Windows Server Active Directory Federation Services (AD FS). (Note: Microsoft refers to early versions as "ADFS".)
Note: We tested Windows Server 2019 AD FS (sometimes referred to as "ADFS 5.0") and Windows Server 2016 AD FS (sometimes referred to as "ADFS 4.0") with MOVEit Transfer.

Authentication with these identity providers has been tested and is supported. Other identity providers not listed here that support the SAML 2.0 protocol should also work with MOVEit.

Single Sign-on for the MOVEit Desktop Client, Mobile Client, and Web UI

Single Sign-on Option (Desktop Client shown)

Single Sign-on Option (Mobile Client shown)

Single Sign-on Option (Web UI shown)

When Single Sign-on is available, a user session works like this:

  1. The user accesses the MOVEit Server URL in a browser.

    If the user is not already signed in, the login page displays the option to use single sign-on.

  2. The user clicks the SSO login link.
    • Single IdP. The user is taken to that identity provider's login page.
    • Two or more IdPs. Either the page for the user's current identity provider (IdP) displays, or a list of identity providers displays for the user to choose from.

  3. The user chooses an identity provider (such as Active Directory Federation Services), which authenticates the user.

    The identity provider redirects the browser back to the MOVEit Server with an authentication assertion.

    MOVEit validates the assertion and signs the user on.

  4. If the Single Logout service is configured, then when the user logs out of their network (identity provider) account, they are also signed out of MOVEit.
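The session flow above, worked through from the service-provider side as an added example. This is not MOVEit's code and does not describe how MOVEit implements its own validation; the entity IDs, URLs, function names and the sample IdP Response are constructed assumptions. It builds the AuthnRequest of step 2 and remembers its ID, then performs the checks that "validates the assertion" in step 3 has to include once the XML signature has been verified: the Response is addressed to this SP's ACS URL, it answers an AuthnRequest this SP actually issued (InResponseTo, honoured once, which is the replay guard), the single Assertion is signed and comes from the configured IdP, it is inside its validity window allowing for clock skew, and its AudienceRestriction names this SP, so an assertion the IdP issued for some other service provider cannot be presented here. Cryptographic verification of the XML-DSig signature is delegated to an XML-DSig library and is outside the block.

```python
# Added example (not MOVEit code): SP side of the SAML 2.0 Web Browser SSO flow. Entity IDs, URLs,
# function names and the sample IdP Response below are assumed values constructed for the demo.
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SP_ENTITY_ID = "https://moveit.example.com/"                    # assumed SP entityID
SP_ACS_URL = "https://moveit.example.com/saml/acs"               # assumed Assertion Consumer Service URL
IDP_ENTITY_ID = "https://adfs.example.com/adfs/services/trust"   # assumed IdP entityID
IDP_SSO_URL = "https://adfs.example.com/adfs/ls/"                # assumed IdP SSO endpoint
CLOCK_SKEW = timedelta(minutes=2)                                # tolerated IdP/SP clock drift
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
pending_requests = {}  # AuthnRequest IDs awaiting a Response; each is honoured once (replay guard)

def parse_ts(ts):
    return datetime.strptime(ts or "", TS).replace(tzinfo=timezone.utc)  # ValueError if missing/malformed

def build_authn_request(now):
    """Step 2: send the browser to the IdP with an AuthnRequest; remember its ID for InResponseTo."""
    request_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{now.strftime(TS)}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    pending_requests[request_id] = now
    return request_id, xml

def validate_response(b64_response, now):
    """Step 3: checks before sign-on. Assumes the XML-DSig signature on the Assertion was already
    verified against the IdP's signing certificate by an XML-DSig library (out of scope); this only
    insists a Signature referencing the Assertion exists, then enforces the protocol conditions."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != f"{{{NS['samlp']}}}Response" or root.get("Destination") != SP_ACS_URL:
        raise ValueError("not a samlp:Response addressed to this SP's ACS URL")
    if (code := root.find("samlp:Status/samlp:StatusCode", NS)) is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    if (in_response_to := root.get("InResponseTo")) not in pending_requests:
        raise ValueError("unsolicited or replayed Response (unknown InResponseTo)")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (a.get("ID") or ""):
        raise ValueError("Assertion unsigned, or its signature covers a different element")
    if a.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("Assertion issued by an IdP this SP does not trust")
    cond = a.find("saml:Conditions", NS)
    if cond is None or now + CLOCK_SKEW < parse_ts(cond.get("NotBefore")):
        raise ValueError("Conditions missing, or Assertion not yet valid")
    if now - CLOCK_SKEW >= parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion expired")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Assertion was issued for a different audience (another SP)")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != in_response_to:
        raise ValueError("SubjectConfirmationData does not match this SP and this request")
    del pending_requests[in_response_to]  # each AuthnRequest accepts exactly one Response
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def sample_idp_response(request_id, now, audience=SP_ENTITY_ID):
    """Constructed sample IdP Response; the ds:Signature is a structural placeholder only."""
    nb, na = (now - timedelta(minutes=1)).strftime(TS), (now + timedelta(minutes=5)).strftime(TS)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
           f'ID="_r1" Version="2.0" InResponseTo="{request_id}" Destination="{SP_ACS_URL}">'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>'
           f'<saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation>'
           f'<saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="{request_id}" '
           f'NotOnOrAfter="{na}"/></saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
           f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def run_demo():
    """Happy path, then three Responses a correct SP must reject; returns each outcome."""
    def rejected(resp, at):
        try:
            validate_response(resp, at)
            return None
        except ValueError as err:
            return str(err)
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    rid, _ = build_authn_request(now)
    resp = sample_idp_response(rid, now)
    out = {"name_id": validate_response(resp, now)}
    out["replay"] = rejected(resp, now)                     # same Response posted a second time
    rid, _ = build_authn_request(now)
    out["audience"] = rejected(sample_idp_response(rid, now, audience="https://other.example.com/"), now)
    rid, _ = build_authn_request(now)
    out["expired"] = rejected(sample_idp_response(rid, now), now + timedelta(minutes=10))
    return out
```

run_demo() exercises the happy path and three rejections (a replayed Response, an assertion issued for another SP, and an expired assertion). In a real deployment the pending-request store has to be shared across MOVEit nodes and expire stale entries, and the XML-DSig verification must succeed before anything validate_response reads from the Assertion is trusted, since an unsigned assertion can carry any Issuer, Audience or NameID an attacker likes.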

To set up Single Sign-on for users signing on to the MOVEit Transfer web interface, do the following:

  • Make sure the requirements of the Identity Provider are identified and met. Refer to your Identity Provider's documentation for the required configuration settings.
    Note: If you are using Active Directory as your user store (configured in User Authentication as External Only), the Identity Provider can use that same user store. You will need to install and configure AD FS so that Active Directory can act as the Identity Provider.
  • Configure the Service Provider/Relying Party settings: see Settings - User Authentication - Single Sign-on for details on setting up MOVEit as a Service Provider.
  • Configure the Federated Identity Provider settings: see Settings - User Authentication - Single Sign-on for details on adding one or more Identity Providers (IdPs).