Configuring a Site for SAML (Web SSO) Authentication

To enable SAML (Web SSO) authentication (Requires ASM)

  1. In the administration interface, connect to EFT and click the Server tab.

  2. On the Server tab, click the Site you want to configure.

  3. In the right pane, click the General tab.

  4. Click SAML (WebSSO), click Configure, then provide the details needed to configure SAML.

    1. Service Provider:

      • Entity ID - The default is the host name value specified for the EFT Site being configured, e.g., MySite. Any string value can be provided, up to 255 characters, including UTF-8 encoded characters.

      • Reserved Path - The base address followed by the SSO path, e.g., [hostaddress]/sp/samlv2/sso. (Root path ("/") is not allowed to be the Reserved Path.)

      • Redirect to the SSO service, bypassing the standard login page - When selected, EFT will redirect to the SAML IdP from the WTC login page.

      • If the Redirect check box is selected, redirect failures may occur under certain conditions and with certain browsers; these can only be overcome by setting the HttpCookieSameSitePolicy Advanced Property to "Lax".

    2. Identity Provider:

    3. Username:

    4. The LDAP User attribute must match the Identifier attribute selected in the Web SSO SAML Configuration dialog box.

    5. Parse the username using the regular expression - Use wildcards to parse the username. For example, to take everything to the left of the @ sign in an email address (typically the username), type or paste the following regular expression into this box: ^(.*)@.* (Refer to https://regex101.com for a Regular Expression quick reference and testing tools.)

    6. Extend username lookup to authentication provider - Specifies that EFT should look up users in both EFT and LDAP (that is, query LDAP in addition to the users defined in EFT). The check box is selected by default for new installations.

    7. To enable Just in Time (JIT) provisioning of users, select the check box, then specify whether users are to be created in the Default Settings Template or the Guest Users Settings Template. If enabled, EFT will auto-provision (create) authenticated users in the Globalscape authentication database if they are not already present on that Site. Workspaces must be enabled for the Guest Users template to show under JIT provisioning.

    8. Under Email (JIT provisioning), specify the location of the email in the assertion:

    9. EFT will not update the email field if it is already populated or is null, other than upon initial provisioning of the user account.

  5. Click OK. To troubleshoot, turn on "Trace" for the SAMLSSO logger in logging.cfg.
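The username-parsing, lookup-order and JIT-provisioning steps above can be traced through in code. The following Python is an added example written for this page, not EFT's own code: the assertion fragment, the EFT and LDAP user tables and the stricter regular expression are constructed or assumed, and the functions only model the behaviour the steps describe (regex applied to the identifier, EFT database checked before LDAP, new users created in the selected template, email set only on initial provisioning).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample assertion fragment (not a real IdP message); it contains only
# the Subject and Attribute elements needed to show identifier extraction.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The regular expression given on the page: everything to the left of the @ sign.
PAGE_REGEX = r"^(.*)@.*"
# Assumed stricter alternative (not from the page): exactly one @, nothing else.
STRICT_REGEX = r"^([^@]+)@[^@]+$"


def extract_identifier(assertion_xml, attribute=None):
    """Return the named attribute's value, or the Subject NameID when no attribute is given."""
    root = ET.fromstring(assertion_xml)
    if attribute is None:
        node = root.find("saml:Subject/saml:NameID", NS)
        return node.text.strip() if node is not None and node.text else None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute:
            val = attr.find("saml:AttributeValue", NS)
            return val.text.strip() if val is not None and val.text else None
    return None


def parse_username(identifier, pattern=PAGE_REGEX):
    """Apply the configured regular expression; return group 1, or None if it does not match."""
    m = re.match(pattern, identifier)
    return m.group(1) if m else None


def resolve_user(username, eft_users, ldap_users, extend_lookup=True,
                 jit_template=None, email=None):
    """Model the lookup order: EFT database first, then LDAP when extended lookup is on,
    then JIT provisioning into the named settings template.

    Returns (source, record). Existing records are never modified, so an email
    value is only stored when the account is first created."""
    if username in eft_users:
        return "eft", eft_users[username]
    if extend_lookup and username in ldap_users:
        return "ldap", ldap_users[username]
    if jit_template is not None:
        record = {"template": jit_template, "email": email}
        eft_users[username] = record  # auto-provision into the EFT database
        return "jit", record
    return None, None


if __name__ == "__main__":
    ident = extract_identifier(SAMPLE_ASSERTION, "mail")
    user = parse_username(ident)
    eft = {}
    print(ident, "->", user, resolve_user(user, eft, {}, jit_template="Guest Users", email=ident))
```

Note what the page's pattern does with unusual input: `^(.*)@.*` is greedy, so an identifier containing two @ signs ("alice@corp@example.com") yields "alice@corp", and an identifier with no @ does not match at all. Test the chosen expression against the identifier values your IdP actually sends before enabling JIT provisioning, since whatever the regex produces is the account name that will be created.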