Single Sign-on (SSO) allows users to connect to MOVEit without having to enter a username and password each time.

For SSO, you can use either of the following:
  • A local service provider to verify identity.
  • A federated service provider that verifies identity and manages access.

MOVEit can use a third-party identity provider (IdP) (for example, Microsoft Active Directory (AD) or Microsoft 365 Azure AD, now referred to as Microsoft Entra ID) to authenticate, authorize, and manage users. With single sign-on, MOVEit authenticates a user without a separate sign-on, provided that user has already been authorized (for example, by the third-party user directory) using their network or corporate account.

Note: MOVEit can also use OpenID Connect (OIDC), which is built on OAuth 2.0.

This topic describes:

  • How to set up MOVEit Server as the Local Service Provider/Relying Party to communicate with the user database.
  • How to add a Federated Identity Provider, which provides the user authentication information. You can add multiple Identity Providers. An identity provider can be used for either SAML or OIDC-based sign-on.

Configure Local Service Provider/Relying Party Settings

You can use SETTINGS > Security Policies > User Auth > Single Sign-on to:
  • Identify the MOVEit Server and organization as the Service Provider.
  • Configure OIDC communications and determine how MOVEit will receive responses from the Identity Provider.
Figure 1. Settings (single sign-on) View (shown with OIDC configured)

Add Federated Identity Providers

These settings add the identity providers (for example, an Active Directory Federation Services (AD FS) server) to which MOVEit Server can send an authentication request. The identity provider can be configured to offer two types of service: SAML single sign-on (available from the web browser) and WS-Trust (available as an external authentication method for other types of clients).

Note: If you are already using an external source for user authentication, we recommend that you use the same user store as your identity provider.

The SETTINGS (Single Sign-on) page displays the list of identity providers available (if any) to this organization.

  1. To add a new provider, click Add Identity Provider. The Add OIDC Identity Provider page opens.

    Note: IdPs that support OIDC, such as Microsoft Entra, provide an IdP URL, and credentials including a Client ID and a Client Secret.
  2. For the OIDC IdP, you must provide the Client ID and Client Secret for this MOVEit Transfer system provided to you when you registered MOVEit Transfer with the IdP (for example, when you registered with 365 Entra).
  3. Provide the URL for the IdP. (If you are using Microsoft 365, it will include your tenant ID.) If you are using Microsoft 365 Entra as your IdP, you can find more details at the learn.microsoft.com site.
  4. Click Save.

The entry for the identity provider is created and added to the list of identity providers on the Settings (Single Sign-on) page.

Editing an Identity Provider

You can edit an identity provider and define whether and how a user account in the identity provider is created as a user in MOVEit.

To edit an identity provider, click the pencil button to the right of the entry.

Edit OIDC Identity Provider (view)

These settings identify the identity provider and configure how it will communicate with the service provider (MOVEit). See your identity provider's documentation for requirements.

Identity Provider URL: The OpenID Connect (OIDC) URL of the identity provider.

Client ID: Unique application ID generated when you register MOVEit Transfer with Microsoft Entra ID (formerly Azure Active Directory) through the Azure Management Portal.

Client Secret: Key issued by the Azure Management Portal when you register MOVEit Transfer with the Microsoft Entra Identity and Access Management (IAM) service (formerly Azure Active Directory). For more information on how to generate a Client Secret, refer to the Microsoft Learn site.

Friendly Name: Display name for this org-specific SSO resource.

Edit Federated Identity Provider User Settings

These settings configure how MOVEit will use the user information from the identity provider to create or modify the user account in MOVEit.

These settings will depend on which user attributes are available from your Identity Provider. You need to coordinate with the Identity Provider administrator.

Login Name: Template setting for new user's login name (if added to MOVEit).

Full Name: Template setting for new user's full name (if added to MOVEit).

Email: Template setting for the new user's email address (if added to MOVEit).

The Login Name, Full Name, and Email template settings determine the values used for the new user's login name, full name, and email address fields if the user is added to MOVEit.

Auto-create account on sign-on: By default, when a new user successfully signs on, an account is created in MOVEit. To disable this, click No.

Create user as a clone of: Lets you (the administrator) select an existing user as a template for users created by this authentication source. When this setting is enabled, the selected user will be cloned to create the new user account.

Edit Federated Identity Provider Group Settings

These settings configure how MOVEit will use group information from the identity provider to add a group setting for the new MOVEit user.

Group membership behavior: This setting determines how group memberships are handled. When set to Ignore Differences, identity provider group memberships are ignored, except for the purposes of the Group Check Mask setting. When set to Report Differences, differences between MOVEit group memberships and identity provider group memberships are reported in the log. When set to Correct Differences, differences between MOVEit group memberships and identity provider group memberships are corrected where possible. MOVEit groups are NOT added automatically, only group memberships. Groups that exist on the identity provider but not on the MOVEit server are noted as errors.

Group membership attribute: Select from the list of object properties to set the name of the group, if a group exists on the identity provider.

Attribute name: As with the user settings, if an Identity Provider does not advertise the available group attributes in the metadata file, you can use the Attribute name box to manually enter an attribute name for the group settings. Refer to the Identity Provider documentation for the appropriate schema and values to use.

Group Mask: These settings determine which groups are included when syncing identity provider and MOVEit group memberships. The rule can be set to include all groups except those matching one or more of the masks, or to ignore all groups except those matching one or more of the masks. The mask list can be one or more group name masks, separated by commas. Group name masks may contain the multiple-character wildcard (*) and/or the single-character wildcard (?).

Group Check Mask: These settings operate similarly to the Group Mask settings, but determine the group memberships the system uses to decide whether a user is allowed to sign on or be automatically created (or is listed in the error report if auto-creation of users is disabled for this source). By default, this setting allows all users, regardless of group memberships. The rule can also be set to deny all users except those in groups matching one or more of the masks, or to allow all users except those in groups matching one or more of the masks. As with the Group Mask setting, the mask list can be one or more group name masks, separated by commas. Group name masks may contain the multiple-character wildcard (*) and/or the single-character wildcard (?).
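The following is an added example, not MOVEit's own code, that models the three group rules described above (Group membership behavior, Group Mask, and Group Check Mask) so an administrator can predict what a given mask list will do before saving it. The rule names, case-insensitive matching, and the sample group claims are assumptions; the * and ? wildcards are implemented with Python's fnmatch.

```python
from fnmatch import fnmatchcase

def parse_masks(mask_list):
    """Split the comma-separated mask list into individual masks."""
    return [m.strip() for m in mask_list.split(",") if m.strip()]

def matches_any(group, masks):
    """True if group matches at least one mask; * and ? are the wildcards.
    Assumption: names compare case-insensitively (the page does not say)."""
    return any(fnmatchcase(group.lower(), m.lower()) for m in masks)

def groups_to_sync(idp_groups, rule, mask_list):
    """Group Mask: 'include_except' drops groups matching a mask,
    'ignore_except' keeps only the groups matching a mask."""
    masks = parse_masks(mask_list)
    want_match = rule == "ignore_except"
    return [g for g in idp_groups if matches_any(g, masks) == want_match]

def sign_on_allowed(idp_groups, rule, mask_list=""):
    """Group Check Mask: 'allow_all' (default), 'deny_except' (only members
    of a matching group may sign on), 'allow_except' (they are refused)."""
    hit = any(matches_any(g, parse_masks(mask_list)) for g in idp_groups)
    return {"allow_all": True, "deny_except": hit, "allow_except": not hit}[rule]

def reconcile(user_groups, idp_groups, moveit_groups, behavior):
    """Group membership behavior: 'ignore', 'report' or 'correct'.
    Returns (memberships after the step, log lines). Groups present on the
    IdP but absent in MOVEit are logged as errors; groups are never created."""
    log = []
    if behavior == "ignore":
        return list(user_groups), log
    for g in idp_groups:
        if g not in moveit_groups:
            log.append(f"ERROR: IdP group '{g}' does not exist in MOVEit")
    wanted = [g for g in idp_groups if g in moveit_groups]
    missing = [g for g in wanted if g not in user_groups]
    extra = [g for g in user_groups if g not in wanted]
    log += [f"DIFF: missing MOVEit group '{g}'" for g in missing]
    log += [f"DIFF: extra MOVEit group '{g}'" for g in extra]
    if behavior == "report":
        return list(user_groups), log
    return [g for g in user_groups if g in wanted] + missing, log

# Constructed sample: one IdP user with three group claims
IDP_GROUPS = ["Finance-Users", "Finance-Admins", "All-Staff"]
SYNCED = groups_to_sync(IDP_GROUPS, "include_except", "All-*, *-Admins")
```

Note that with Ignore Differences the Group Check Mask still decides sign-on, which is why sign_on_allowed is evaluated separately from reconcile.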

Click Save to make your changes to the identity provider.

Make SSO Mode Required or Optional for All Org Users

Figure 2. Edit SSO Authentication Mode (optional shown)