Web Single Sign-on
Single Sign-on (SSO) is a method by which users can log in to one service (the identity provider) and automatically be granted access to other services (service providers) without logging in to each of them separately. An example of this would be logging into Google Apps and automatically being granted access to your MFT Server account without the need for a separate login. In the example screenshot below (Figure 396), Google Apps would serve as the identity provider and your MFT Server instance as the service provider. MFT Server supports web-based SSO using SAML, OpenID and OpenID Connect compliant identity providers. Please consult the documentation of your identity provider for details on how to enable and configure SSO.
To perform a web SSO login use the following URL format:
For example, if your hostname is 126.96.36.199 and the administrative port is 11443, the URL would look as follows:
If you have already authenticated with your identity provider, you will be automatically logged into MFT Server. If not, you will be redirected to the Sign-in URL for your identity provider. After authenticating with your identity provider, you will be automatically logged into MFT Server.
SSO applies only to web-based sessions.
OpenID Connect Example (Google Identity Platform)
The example provided below is for connecting with the Google Identity Platform. Sensitive information has been masked in the screenshot below.
Authorization URL - The URL used for signing into the identity provider.
Token verification URL - The URL for verifying tokens.
Client ID - Your client ID for connecting with the identity provider.
Client secret - Your client secret for connecting with the identity provider.
Create user if not found using role - Allows Admins to be created automatically upon successful authentication. If selected, an Admin will be created automatically (if it does not already exist) using the specified role. The Name and Login properties of the created account will automatically be set to the openid.identity attribute value.
Convert username before creation to - If enabled, the supplied username will be converted to the specified case before it is passed to the specified role.
Allow non-SSO logins - If enabled, an Admin may log in using either SSO or another authentication service.
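The checks an OpenID Connect service provider typically applies to the token verification response before logging a user in or auto-creating an account, shown as an added Python example. It is not MFT Server's own code; the claim names are standard OpenID Connect claims, while the client ID, the use of the email claim as the identity and the function names are assumptions made for illustration.

```python
import time

# Google's documented issuer strings; CLIENT_ID is a constructed placeholder.
TRUSTED_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
CLIENT_ID = "example-client-id.apps.googleusercontent.com"

def check_verified_token(claims, client_id=CLIENT_ID, now=None):
    """Return the identity to log in, or raise ValueError if a check fails."""
    now = time.time() if now is None else now
    if claims.get("iss") not in TRUSTED_ISSUERS:
        raise ValueError("unexpected issuer")
    # aud must equal this service's Client ID; otherwise the token was issued
    # to a different application and must not be accepted here.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience does not match Client ID")
    try:
        expires = int(claims["exp"])  # may arrive as a string in JSON
    except (KeyError, TypeError, ValueError):
        raise ValueError("missing or malformed exp")
    if expires <= now:
        raise ValueError("token expired")
    if str(claims.get("email_verified")).lower() != "true":
        raise ValueError("email not verified by identity provider")
    identity = claims.get("email")  # assumed identity claim
    if not identity:
        raise ValueError("no identity claim")
    return identity

def accepts(claims, **kwargs):
    """True if the claims pass every check above."""
    try:
        check_verified_token(claims, **kwargs)
        return True
    except ValueError:
        return False

def provision_name(identity, convert_to=None):
    """Hypothetical stand-in for 'Convert username before creation to'.
    One fixed case keeps Alice@ and alice@ from becoming two accounts."""
    if convert_to == "lower":
        return identity.lower()
    if convert_to == "upper":
        return identity.upper()
    return identity

# Constructed sample of a token verification response.
SAMPLE = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
          "exp": "2000000000", "email": "Alice.Admin@example.com",
          "email_verified": "true"}
```

When "Create user if not found using role" is enabled, every identity that passes these checks receives the configured role, so the audience and issuer checks are what limit who can be auto-provisioned.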