External Authentication - Overview
- Last Updated: June 9, 2025
- MOVEit Transfer
- Version 2024.1
- Version 2024
In MOVEit Transfer, an Authentication Source defines the external server (LDAP, RADIUS, or WS-Trust) used to verify user credentials. It allows you to specify the settings for accessing that server and the settings for users who successfully authenticate to the server. Each Authentication Source is listed on the Auth Method page of the User Policy settings section. When Enabled, the order in the table indicates the lookup order.
For more information on how External Authentication works, see MFT Features and Advantages - User Authentication.

Adding an Authentication Source
You add authentication sources from the Security Policy page (SETTINGS > Security Policies > User Auth > Auth Method - Set Authentication Method).
Specify an Org-Authentication Sequence
To specify and select Authentication Source rules for an Org:
- From the Add/Edit External Authentication Sources view, enable an authentication method that requires an external source.
The new authentication method displays in the Add/Edit Authentication Sources... panel.
- In the Set Authentication panel, choose External or External Then MOVEit as one of the options.
For example (from the Set Authentication Method panel):

- Stop authentication checking after first failure and deny access. Select or clear this checkbox to determine how failed authorizations are treated.
(Selected). If more than one Authentication Source is available, ignore the rest after an authentication failure (stops chaining). (Network timeouts are not considered a failure.)
(Clear). If more than one Authentication Source is available, continue to the next Authentication Source in the list when an attempt with the current source fails (for example, user not found in the current source).
- Click Change Authentication Method to apply changes.
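The chaining rule above, modeled as an added example (not MOVEit Transfer code). The source names, credentials and result values are constructed, and skipping disabled sources is an assumption drawn from the lookup-order statement.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable

class Result(Enum):
    SUCCESS = "success"
    FAILURE = "failure"  # wrong password, or user not found in this source
    TIMEOUT = "timeout"  # network timeout: not counted as a failure

@dataclass
class Source:
    name: str
    enabled: bool
    check: Callable[[str, str], Result]

def authenticate(sources, user, password, stop_after_first_failure):
    """Walk enabled sources in table order; return (granted, trace)."""
    trace = []
    for src in sources:
        if not src.enabled:  # assumption: disabled sources are skipped
            continue
        result = src.check(user, password)
        trace.append((src.name, result))
        if result is Result.SUCCESS:
            return True, trace
        if result is Result.FAILURE and stop_after_first_failure:
            return False, trace  # checkbox selected: chaining stops here
    return False, trace  # no source accepted the credentials

def directory(users):
    """Constructed stand-in for an external server holding user -> password."""
    def check(user, password):
        stored = users.get(user)
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        return Result.SUCCESS if ok else Result.FAILURE
    return check

# Constructed sample chains (names and credentials are made up).
PARTNER = Source("partner-radius", True, directory({"bob": "b-pass"}))
CHAIN = [Source("corp-ldap", True, directory({"alice": "a-pass"})), PARTNER]
CHAIN_LDAP_DOWN = [Source("corp-ldap", True, lambda u, p: Result.TIMEOUT), PARTNER]

if __name__ == "__main__":
    for label, chain, stop in [("selected", CHAIN, True), ("clear", CHAIN, False),
                               ("selected, first source down", CHAIN_LDAP_DOWN, True)]:
        granted, trace = authenticate(chain, "bob", "b-pass", stop)
        print(label, granted, [(n, r.value) for n, r in trace])
```

With the checkbox selected, a user who exists only in the second source is denied at the first one, but the same attempt reaches the second source when the first times out, so table order and source availability both affect who can sign in.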
External Source Settings
- Source Name. The name that is used to identify this source. The name is listed in the authentication source list, and in each user's source affinity selection page.
- Source Type. Type of authentication server:
- LDAP (Lookup + Authentication) - Incoming usernames and passwords are tried against a remote LDAP server. If authentication is successful, a new user may be created on the fly as a clone of an existing template user. User attributes such as email address and group memberships are carried over from the LDAP server.
- LDAP (Authentication Only) - Incoming usernames and passwords are tried against a remote LDAP server. If authentication is successful, a new user is created as a clone of an existing template user.
- RADIUS (Authentication Only) - Incoming usernames and passwords are tried against a remote RADIUS server. If authentication is successful, a new user is created as a clone of an existing template user.
- WS-Trust (Authentication Only) - Incoming usernames and passwords will be tried against a remote WS-Trust server. If authentication is successful, a new user may be created as a clone of an existing template user.
- LDAP Server Type (LDAP Only). Type of LDAP server that this authentication source queries. Based on this value, default settings are prefilled in several fields for the newly created authentication source, and configuration hints appropriate to the server type are displayed. Available server types: Microsoft Active Directory, Sun iPlanet, Novell eDirectory, and IBM Domino. Selecting Other will cause no default settings or configuration hints to be shown.
- WS-Trust Identity Provider (WS-Trust Only). The WS-Trust server that this authentication source queries. In SAML terminology, the server is called an Identity Provider. You might have already set up an Identity Provider for the Single Signon feature. To configure a new identity provider, click Add New Federated Identity Provider. For more information, see User Authentication - Single Sign-on.
Note: If you have set up the Single Signon feature, use the same identity provider that you use for browser-based single signon. This enables users to use the same credentials for single signon through the browser (web interface), and username/password authentication through FTP and SSH clients.
- Priority. Specifies the position of the new source in the current authentication source list. Options: Highest, Lowest, Middle.
After the new authentication source is added, a link appears at the top of the page. Click the link to go to the settings page for the new source.
Common Settings
The Edit Authentication Source Settings section is common to all authentication source types. Here, the friendly name of the source can be changed, along with the Enabled status.

- Source Name - Friendly name.
- Enabled - Select the Yes option to make the authentication source immediately available for use as soon as it is added. Otherwise, select the No option to add the source to the list as temporarily disabled, so you can fine tune the source settings before making it available.
Specific Settings
Subtopics in this section document specific configuration settings for external authentication sources.