Single Sign-On (SSO) is typically configured during the initial installation of MOVEit Automation. However, it can also be set up or modified after installation or following an upgrade, providing flexibility for administrators to adjust authentication settings as needed. Changes to SSO configuration, including enabling or modifying settings, are restricted to users with administrative privileges. Once SSO is configured, administrators can adjust the configuration as needed.

Integration with third-party identity providers is required to configure SSO on MOVEit Automation. MOVEit Automation supports authentication via OpenID Connect (OIDC) and has been tested with the following Identity Providers:Other OIDC-compliant providers are not explicitly validated but are expected to be compatible with the MOVEit Automation authentication framework.

Configuring SSO with Microsoft Entra ID

Prerequisites

Ensure you have access to your organization's pre-configured Entra portal and the MOVEit Automation server. You must have administrative rights to complete the setup.

Required values and token configuration

Log on your organization's Entra portal. Collect the following details from the App Registration for MOVEit Automation within your Microsoft Entra portal:
  • Client ID: is a unique identifier assigned to your application when you register it with the identity provider, located in the app registration overview.
  • Tenant (Directory) ID: is a unique identifier assigned to your organization’s instance. It is used to identify your tenant across cloud services like Microsoft 365, Azure, and MOVEit when integrating with SSO. It is located in the app registration overview.
  • Issuer URL: is a unique identifier for the identity provider and is used by clients to validate tokens. For example, the format for a Microsoft Entra ID Issuer URL is:
    https://login.microsoftonline.com/tenant_id/v2.0
  • Redirect URI: The URI to which the identity provider will send authentication responses. This value must be registered in the Entra App Registration as a single‑page application (SPA) Redirect URI and must exactly match the Redirect URI configured MOVEit Automation.
    For MOVEit Automation, the Redirect URI typically takes the form: 
    https://your-moveit-server
    Where your-moveit-server is the MOVEit Automation Web Admin server address.

Token configuration

To ensure MOVEit Automation receives the correct group and user identity information, update the token configuration as follows:
  1. In the App Registration, go to Token Configuration.
  2. Click Add group claim.
    • In the Edit groups claim panel:
      • Select ID.
      • Choose NetBIOSDomain\sAMAccountName as the format.
    • Click Save.
  3. Click Add optional claim.
    • Choose Token Type: ID.
    • Select the following claim:
      • onprem_sid
    • To save the changes, click Add.
Required Registry Settings for Enabling SSO

To enable SSO in MOVEit Automation, two registry values must be configured on the MOVEit Automation server: HKEY_LOCAL_MACHINE\Software\Standard Networks\MOVEitCentral

To set the registry values using the Windows Registry Editor:
  1. Open the Windows Registry Editor.
  2. Navigate to the MOVEit Automation registry settings: HKEY_LOCAL_MACHINE\Software\Standard Networks\MOVEitCentral.
  3. Add the Web Admin Auth Server URL:
    • Right-click in the right pane and select New > String Value.
    • Enter WebAdminAuthServerUrl.
    • Double-click the new entry and enter the URL of your MOVEit Web Admin interface (for example, https://your-moveit-server.com).
  4. Add the Ignore Certificate Errors Flag. This is only necessary when using a self-signed certificate, which is the default configuration in MOVEit Automation. Self-signed certificates can trigger validation errors. Setting this flag to true allows the system to bypass those errors. This configuration is not required when using a certificate issued by a trusted Certificate Authority..
    • Right-click in the right pane and select New > DWORD (32-bit) Value.
    • Enter WebAdminAuthIgnoreCertErrors.
    • Double-click the new entry and set the Value data to 1 (which means true).
  5. Restart the MOVEit Automation services to apply the settings
Update the MOVEit Automation Configuration

The config.properties file is in the HOME\MOVEit\MOVEit Automation Web Admin\Tomcat\webapps\ROOT\WEB-INF\classes\ directory. Where HOME is the MOVEit Automation directory that is created during installation.

  1. Open the config.properties file in a text editor As Administrator.
  2. Edit the following properties:
    Table 1.

    Property

    Description

    Values

    security.auth.grant-enabled.token-exchange=

    Enables SSO, allowing MOVEit to exchange an external token for an internal session.

    True or False

    security.auth.grant-enabled.password=

    Enables password access, allowing traditional username/password log on.

    True or False

    security.auth.hide-ui-password-login=

    Controls whether the password login option is visible in the UI. If set to true, users will only see the SSO login option.

    True or False

    For more information about the logon options, see SSO log on options.

    security.auth.groups-claim-name=

    Specifies the claim name in the token that contains the user's group memberships. MOVEit uses this to assign roles or permissions.

    For example, groups

    security.auth.username-claim-name=

    Defines the claim that MOVEit should use as the username. This is how the user is identified in MOVEit.

    For example, preferred_username

    security.auth.sid-claim-name=

    Specifies the claim that contains the SID (Security Identifier), often used for mapping to on-prem AD. users

    For example, onprem_sid

    security.auth.oidcClientId=

    The Client ID registered in your identity provider. MOVEit uses this to identify itself during authentication.

    For example, 12345678-90ab-cdef-1234-567890abcdef

    security.auth.oidcIssuerURL=

    The Issuer URL of your identity provider. This tells MOVEit where to validate tokens.

    For example, https://login.microsoftonline.com/tenant_id/v2.0
  3. To save the config.properties file, close the file and restart MOVEit Automation Web Admin service in Services.

Configuring SSO with AD FS

Prerequisites

Ensure you have access to your organization's AD FS server and the MOVEit Automation server. You must have administrative rights to complete the setup.

Create an Application Group in AD FS

To add an application group to your AD FS server:
  1. Open the AD FS Management Console.
  2. Click Application Groups > Add Application Group:
    • Enter a name for the application group.
    • Select Web browser accessing a web application.
    • The Client identified field auto-populates the Client ID.
    • Add the Redirect URI. This is the MOVEit Automation Web Admin URL.
    • Choose access control policy settings based on you organization's requirements and complete the Wizard steps.

Configure Claim Rules

  1. In the the AD FS Management Console, select Application Groups and select the group from the list.
  2. Right-click the group to open the properties. Click group-name-Web Application.
  3. Select the Issuance Transform Rules > Add Rule.
    • Select Send LDAP Attributes as Claims.
    • Name the claim. Take note of this value as it is required in the config properties.
    • Select Active Directory from the Attribute store drop-down list.
    • Select the LDAP Attribute Token Groups Qualified by Domain Name from the drop-down list.
    • Finish and apply the rule.

Update the MOVEit Automation Configuration

The config.properties file is in the HOME\MOVEit\MOVEit Automation Web Admin\Tomcat\webapps\ROOT\WEB-INF\classes\ directory. Where HOME is the MOVEit Automation directory that is created during installation.

  1. Open the config.properties file in a text editor As Administrator.
  2. Edit the following properties:

    Property

    Description

    Values

    security.auth.grantenabled.token-exchange=

    Enables SSO, allowing MOVEit to exchange an external token for an internal session.

    True or False

    security.auth.grantenabled.password=

    Enables password access, allowing traditional username/password log on.

    True or False

    security.auth.hide-uipassword-login=

    Controls whether the password login option is visible in the UI. If set to true, users will only see the SSO login option.

    True or False

    security.auth.groups-claim-name=

    Specifies the claim name, as defined during the creation of the claim rules.

    For example, groups

    security.auth.username-claim-name=

    Defines the claim that MOVEit should use as the username. This is how the user is identified in MOVEit.

    Typically upn for AD FS

    security.auth.sid-claimname=

    The claim for SID.

    Typically sid for AD FS

    security.auth.oidcClientId=

    The Client ID from AD FS application group.

    For example, 12345678-90ab-cdef-1234-567890abcdef

    security.auth.oidcIssuerURL=

    The Issuer URL of your AD FS server.

    For example, https://your-adfs-server/adfs
  3. To save the config.properties file, close the file and restart MOVEit Automation Web Admin service in Services.

Configuring SSO with Okta

Prerequisites

Ensure the following prerequisites are met before configuring SSO with Okta:
  • You have an Okta tenant with administrative access.
  • Okta is integrated with Active Directory or Microsoft Entra ID and is successfully synchronizing.
  • You have administrative access to the MOVEit Automation server.
  • MOVEit Automation Web Admin is installed and accessible.

Create an OIDC Application in Okta

As an Okta administrator, create an application integration for MOVEit Automation:

  1. Go to Applications > Applications and select Create App Integration.
  2. Choose OIDC – OpenID Connect and select Single‑Page Application.
  3. Configure the application with the following settings:
    • Grant type: Authorization Code
    • Sign‑in redirect URIs: Add the MOVEit Automation Web Admin URL(s).
    • Assignments: Grant access to the appropriate users or groups and disable Federation Broker Mode.
  4. Save the application and note the Client ID, which is required later.

Configure SID Mapping in Okta

MOVEit Automation requires the Active Directory SID for an SSO login user to be included in the ID token.

To add the SID Attribute to the Okta User Profile:
  1. Go to Directory > Profile Editor and select the Okta User profile.
  2. Add a new attribute with the following values:
    • Name: onprem_sid
    • Data type: String
    • User permission: Read Only
  3. Save the attribute.
To map the Active Directory SID
  1. In Profile Editor, select the Active Directory User profile.
  2. Open Mappings.
  3. Map the Active Directory attribute objectSid to the Okta user attribute onprem_sid.
  4. Save the mapping.

Add the SID Claim to the OIDC Token

To expose the SID to MOVEit Automation:
  1. Go to Security > API.
  2. Select the default authorization server.
  3. Open the Claims tab and add a new claim with the following values:
    • Name: onprem_sid
    • Include in token type: ID Token
    • Value type: Expression
    • Value: user.onprem_sid
    • Include in: openid
  4. Save the claim.
  5. Use the Token Preview feature to verify that the onprem_sid value appears in the ID token for an Active Directory user.
Configure the Authorization Server
  1. Go to Security > API > Authorization Server > [server] > Access Policies.
  2. Open the default identity provider.
  3. In Access Policies, add a new policy and rule. Leave the rule settings to their default.

Update the MOVEit Automation Configuration

The config.properties file is in the HOME\MOVEit\MOVEit Automation Web Admin\Tomcat\webapps\ROOT\WEB-INF\classes\ directory. Where HOME is the MOVEit Automation directory that is created during installation.

  1. Open the config.properties file in a text editor As Administrator.
  2. Edit the following properties:

    Property

    Description

    Values

    security.auth.grantenabled.token-exchange=

    Enables SSO, allowing MOVEit to exchange an external token for an internal session.

    For Okta SSO, set this to True

    True or False

    For Okta SSO, set this to True

    security.auth.grantenabled.password=

    Enables password access, allowing traditional username/password log on.

    This can be enabled alongside SSO.

    True or False

    security.auth.hide-ui-password-login=

    (Optional) Controls whether the password login option is visible in the UI. If set to true, users will only see the SSO login option.

    True or False

    security.auth.groups-claim-name=

    Specifies the groups claim name, as defined during the creation of the claim rules.

    Value defined in Okta. For example, groups

    security.auth.username-claim-name=

    Defines the claim that MOVEit should use as the username. This is how the user is identified in MOVEit.

    Value defined in Okta. For example, preferred_username

    security.auth.sid-claim-name=

    The claim for SID.

    Value defined in Okta. For example, onprem_sid

    security.auth.oidc-client-id=

    The Client ID from the Okta application.

    Defined in Okta. For example, 12345678-90ab-cdef-1234-567890abcdef

    security.auth.oidc-issuer-url=

    Okta issuer URL.

    Defined in Okta. For example, https://your-org.okta.com/oauth2/default
  3. To save the config.properties file, close the file and restart MOVEit Automation Web Admin service in Services.

Once complete, users can sign in to MOVEit Automation Web Admin using Okta-based SSO.