Configure Service Provider Properties

You can use the Service Provider Properties (SAML only) page to populate and configure attribute fields in the SAML service provider's metadata file (Metadata.xml). You can find the Service Provider Properties (SAML only) link on the SETTINGS > Security Policies > User Auth > Single Sign-on page.

Figure 1. SAML Service Provider Properties Configuration Page (link to open highlighted)

This section covers how you can populate SAML/Metadata.xml using the Service Provider Properties page in the WebUI, including:

  • Create a Signing Certificate
  • Create an Encryption Certificate
  • Set the Appropriate Assertion Consumer Interfaces
  • Set the Appropriate Single Logout Interfaces
Figure 2. Service Provider Properties (SAML only) page

Create a Signing Certificate

The MOVEit Server (the service provider) sends an authentication request to the Identity Provider and signs it with the private key of the Signing Certificate. The Identity Provider uses the public portion, which is published in the service provider metadata file, to verify that signature and so confirm that the request really came from the MOVEit Server.

Click Create Certificate to open the Signing Certificate page. Enter the appropriate values, then click Create Certificate. Only the Common Name (CN) is required.

The new certificate is shown in the list.

You always have the option of replacing or deleting an existing certificate.

Note: Most identity providers require a service provider to have a signing certificate so that it can sign its requests. The encryption certificate is optional, but highly recommended: without it the identity provider has no key with which to encrypt assertions to MOVEit.

Create an Encryption Certificate

The Identity Provider sends an "authentication assertion" or other response to the MOVEit Server. The Identity Provider uses the public portion of the Encryption Certificate, published in the service provider metadata file, to encrypt the assertion; MOVEit uses the private portion to decrypt it. Encryption only takes effect if the Identity Provider is also configured to encrypt its assertions.

Click Create Certificate to open the Encryption Certificate page. Enter the appropriate values, then click Create Certificate. Only the Common Name (CN) is required.

The new certificate is shown in the list.

You always have the option of replacing or deleting an existing certificate.

Set the Appropriate Assertion Consumer Interfaces

This interface determines how MOVEit receives the response (the message carrying the user's authentication assertion) from the identity provider. You can enable multiple interfaces, in which case the identity provider will use the first interface listed whose binding it supports.

  • HTTP-Post: The HTTP-Post binding means that MOVEit will receive the security assertion from the identity provider through the client browser using an HTTP POST request. This is the most frequently used and most widely supported binding for assertion consumer interfaces. This is enabled by default.
  • HTTP-Artifact: The HTTP-Artifact binding means that MOVEit will receive a reference to the security assertion (this reference is called an "artifact") from the identity provider through the client browser using an HTTP GET request, rather than the assertion itself. MOVEit will then contact the identity provider directly by way of SOAP in order to request the actual assertion, using the provided artifact.

    HTTP-Post is more widely supported and is adequate for most situations, but it is less secure than HTTP-Artifact because the assertion itself passes through the client browser, so the user (or anything running in that browser) can decode it and read data that may not be intended for the client to see. Encrypting the assertion with the encryption certificate removes that exposure, but only if the identity provider supports encrypting response messages. Encryption protects confidentiality only; it is the identity provider's signature on the assertion that protects it from tampering on the way through the browser.

    HTTP-Artifact is more secure since the assertion data never passes through the client browser; only the reference "artifact" does. However, it is less widely supported, and it requires a direct SOAP connection from MOVEit to the identity provider to resolve the artifact, which firewall rules may not allow from the DMZ network segment.
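The following Python is an added illustration of the difference between the two bindings; it is not MOVEit's code or part of the original page. It decodes a constructed HTTP-Post SAMLResponse form value twice, once with a clear-text assertion and once with an encrypted one, and then builds and decodes a constructed SAML 2.0 artifact to show that the artifact carries no user data. The identity provider entityID, host name, endpoint paths and sample messages are assumptions; the messages are unsigned and the cipher value is a placeholder.

```python
"""Added example: what the client browser can read under HTTP-Post versus
HTTP-Artifact. Sample messages are constructed and unsigned; the issuer,
host and endpoint paths are placeholders, not MOVEit's real values."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
IDP_ENTITY_ID = "https://idp.example.com/idp"  # assumed identity provider entityID

# HTTP-Post: the SAMLResponse form field is the base64 of the whole Response.
# Constructed sample with a clear-text assertion (signatures omitted for brevity).
PLAIN_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://moveit.example.com/saml/acs">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="employeeId"><saml:AttributeValue>E12345</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The same response when the IdP encrypts to the SP's encryption certificate:
# only EncryptedData is visible. The CipherValue is a placeholder, not real ciphertext.
ENCRYPTED_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://moveit.example.com/saml/acs">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="{NS['xenc']}" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <xenc:CipherData><xenc:CipherValue>cGxhY2Vob2xkZXI=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

SAML_RESPONSE_PLAIN = base64.b64encode(PLAIN_RESPONSE.encode()).decode()
SAML_RESPONSE_ENCRYPTED = base64.b64encode(ENCRYPTED_RESPONSE.encode()).decode()


def inspect_post_response(saml_response_field: str) -> dict:
    """Decode a SAMLResponse form value the way a browser extension or proxy could.
    No signature check is done: this is the observer's view, not the SP's validation."""
    root = ET.fromstring(base64.b64decode(saml_response_field))
    out = {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "name_id": None,
        "attributes": {},
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None:  # clear-text assertion: subject and attributes are readable
        out["name_id"] = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            out["attributes"][attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return out


# HTTP-Artifact: the browser only carries a 44-byte SAML 2.0 artifact (type 0x0004):
# 2-byte type code, 2-byte endpoint index, 20-byte SourceID (SHA-1 of the issuer's
# entityID) and a 20-byte message handle. None of it is user data.
def make_artifact(issuer_entity_id: str, endpoint_index: int, message_handle: bytes) -> str:
    if len(message_handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    raw = (b"\x00\x04" + endpoint_index.to_bytes(2, "big")
           + hashlib.sha1(issuer_entity_id.encode()).digest() + message_handle)
    return base64.b64encode(raw).decode()


def parse_artifact(saml_art_field: str) -> dict:
    raw = base64.b64decode(saml_art_field)
    if len(raw) != 44 or raw[:2] != b"\x00\x04":
        raise ValueError("not a SAML 2.0 type-0x0004 artifact")
    return {
        "endpoint_index": int.from_bytes(raw[2:4], "big"),
        "source_id": raw[4:24].hex(),        # identifies the IdP; MOVEit resolves it over SOAP
        "message_handle": raw[24:44].hex(),  # opaque reference to the real assertion
    }


def source_id(entity_id: str) -> str:
    return hashlib.sha1(entity_id.encode()).hexdigest()


if __name__ == "__main__":
    print("POST, clear text :", inspect_post_response(SAML_RESPONSE_PLAIN))
    print("POST, encrypted  :", inspect_post_response(SAML_RESPONSE_ENCRYPTED))
    art = make_artifact(IDP_ENTITY_ID, 0, bytes(range(20)))  # constructed handle
    print("Artifact         :", parse_artifact(art))
```

Run it and compare the three lines: the clear-text POST exposes the NameID and every attribute to whoever holds the browser session, the encrypted POST exposes only the issuer and the fact that an assertion is present, and the artifact exposes nothing but an IdP identifier and an opaque handle that only MOVEit's SOAP back-channel can redeem.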

Set the Appropriate Single Logout Interfaces

This interface determines how the identity provider sends a logout response or request to MOVEit. You can enable multiple interfaces, in which case the identity provider will use the first interface listed whose binding it supports.

Note: Shibboleth does not have sufficient support for single logout, and using single logout with Shibboleth is not best practice. It is not enabled by default in the Shibboleth Identity Provider, so MOVEit will not show the logout feature in the administrator interface. If it is enabled in the Identity Provider, we recommend you disable it here by clearing the Enabled option for all Single Logout interfaces.
  • HTTP-Post: The HTTP-Post binding means that MOVEit will receive the logout request or response from the identity provider through the client browser using an HTTP POST request. This is enabled by default.
  • HTTP-Redirect: The HTTP-Redirect binding means that MOVEit will receive the logout request or response from the identity provider through the client browser using an HTTP GET request.

Provide the Identity Provider with the Service Provider Metadata File

The service provider metadata file establishes your MOVEit Server organization as the service provider. Identity providers can retrieve this file from the Service Provider Metadata URL.

When configuring the Identity Provider, you can give it this URL directly in its configuration settings. This requires that the identity provider can reach the MOVEit Server directly over the network. If it cannot, download the file and upload it to the identity provider instead.

Note: This metadata file is regenerated whenever you change a certificate, an Assertion Consumer Interface, or a Single Logout Interface. Re-import the new file at your identity provider after any such change; otherwise it will keep using the old certificates and endpoints.
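The Python below is an added example, not MOVEit's own code: it renders service provider metadata from the same settings the Service Provider Properties page exposes (entity ID, signing and encryption certificates, enabled Assertion Consumer and Single Logout interfaces) and then reads it back the way you would check a downloaded Metadata.xml, listing the certificate fingerprints and bindings to compare against what the identity provider has on file. The host name, endpoint paths and certificate bytes are placeholders, and the checks are the ones an administrator would want before uploading the file, not anything MOVEit itself enforces.

```python
"""Added example: render SP metadata from the Service Provider Properties settings,
then read it back the way an administrator checks a downloaded Metadata.xml before
handing it to the identity provider. Host, paths and certificate bytes are placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed placeholders standing in for the DER bytes a real X509Certificate carries.
SIGNING_CERT_B64 = base64.b64encode(b"placeholder DER: signing certificate").decode()
ENCRYPTION_CERT_B64 = base64.b64encode(b"placeholder DER: encryption certificate").decode()


def build_sp_metadata(entity_id, signing_cert_b64, encryption_cert_b64=None,
                      acs_bindings=("HTTP-POST",), slo_bindings=("HTTP-POST", "HTTP-Redirect")):
    """Minimal SPSSODescriptor: one KeyDescriptor per certificate role, one endpoint per
    enabled binding. ACS entries get ascending index values and the first is the default."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "true", "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"})
    for use, cert in (("signing", signing_cert_b64), ("encryption", encryption_cert_b64)):
        if cert:
            kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": use})
            x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
            ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert
    for binding in slo_bindings:  # schema order: KeyDescriptor, SingleLogoutService, ACS
        ET.SubElement(sp, f"{{{MD}}}SingleLogoutService",
                      {"Binding": BINDING_PREFIX + binding, "Location": entity_id + "saml/slo"})
    for index, binding in enumerate(acs_bindings):
        attrs = {"Binding": BINDING_PREFIX + binding, "Location": entity_id + "saml/acs",
                 "index": str(index)}
        if index == 0:
            attrs["isDefault"] = "true"
        ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", attrs)
    return ET.tostring(root, encoding="unicode")


def cert_fingerprint(x509_b64: str) -> str:
    """SHA-256 over the DER bytes, colon-separated, as IdP consoles usually display it."""
    digest = hashlib.sha256(base64.b64decode("".join(x509_b64.split()))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def summarize_sp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service provider metadata")
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        roles = kd.get("use", "signing encryption").split()  # absent 'use' means both roles
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            raise ValueError(f"KeyDescriptor for {roles} carries no X509Certificate")
        for role in roles:
            certs[role] = cert_fingerprint(cert.text)

    def short(endpoint):
        return endpoint.get("Binding", "").replace(BINDING_PREFIX, "")

    acs = sorted((int(e.get("index", "0")), short(e), e.get("isDefault") == "true")
                 for e in sp.findall("md:AssertionConsumerService", NS))
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "signing_cert": certs.get("signing"),
        "encryption_cert": certs.get("encryption"),
        "acs": acs,
        "slo": [short(e) for e in sp.findall("md:SingleLogoutService", NS)],
    }


def check_sp_metadata(summary: dict) -> list:
    """Warnings to resolve before uploading the file, or after any change that regenerates it."""
    warnings = []
    if summary["authn_requests_signed"] and not summary["signing_cert"]:
        warnings.append("AuthnRequestsSigned=true but no signing certificate is published")
    if not summary["encryption_cert"]:
        warnings.append("no encryption certificate: under HTTP-POST the assertion reaches the browser in clear text")
    if not summary["acs"]:
        warnings.append("no AssertionConsumerService: the IdP has nowhere to deliver the response")
    elif sum(1 for _, _, default in summary["acs"] if default) != 1:
        warnings.append("exactly one AssertionConsumerService should be isDefault")
    return warnings


if __name__ == "__main__":
    xml_text = build_sp_metadata("https://moveit.example.com/", SIGNING_CERT_B64, ENCRYPTION_CERT_B64,
                                 acs_bindings=("HTTP-POST", "HTTP-Artifact"))
    summary = summarize_sp_metadata(xml_text)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("warnings:", check_sp_metadata(summary) or "none")
```

Point `summarize_sp_metadata` at the file downloaded from the Service Provider Metadata URL and compare the two fingerprints with what the identity provider's console shows; a mismatch means the metadata changed after the last import and the identity provider is still trusting the old certificates.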