Security Assertion Markup Language (SAML) is an XML-based open standard for authorization and authentication between an Identity Provider and a Service Provider. During authentication, a SAML assertion is transferred from the Identity Provider to the Service Provider. The Service Provider uses the XML statements contained in the assertion to make access-control decisions.
You can configure Informatica Managed File Transfer as a Service Provider to authenticate Web Users using an Identity Provider, such as ADFS, OpenAM, Shibboleth, Salesforce.com, SimpleSAMLphp, and more. Managed File Transfer supports SAML v2.0 Web Browser SSO Profile, with HTTP POST and HTTP Redirect bindings. A Web User account must exist before it can be authenticated using SAML. If Managed File Transfer cannot process the SAML assertion, the Web User will be directed to the File Transfer Portal Login page.
Use the following procedure to enable SAML authentication for Web Users.
server. The default port for HTTP is 8000 and the default port for HTTPS is 8002, for example, http://myserver:8000 or https://myserver:8002.
Log in as an Admin user.
To import the certificate, perform the following steps:
1. From the main menu bar, select Encryption and click the SSL Certificate Manager link.
2. Select the Default Trusted Certificates key store and click Open.
3. On the toolbar, click Import Certificate.
4. Browse for the certificate file and click Import.
5. Specify an Alias to identify the certificate.
To create a Private Key to exchange between Managed File Transfer and the SAML provider, perform the following steps:
1. From the Managed File Transfer main menu bar, select Encryption and click the SSL Certificate Manager link.
2. Click Open Key Store.
3. For the Choose Key Store Type setting, select Default Private Keys and then click Open.
4. Fill in the Key Type, Key Size, Signature Algorithm, Alias, Common Name, and other fields.
To create a Web User in Managed File Transfer, perform the following steps:
1. From the main menu bar, select Users, and then click the Web Users link.
2. In the Web Users page, click the Add Web User link in the page toolbar.
3. Choose the Web User Template to apply security settings for the Web User, and then click Continue.
4. Enter the Web User information.
5. To add the Web User account, click Save.
To set the File Transfer Portal preferences in Managed File Transfer, perform the following steps:
1. From the main menu bar, select Services and then click the Service Manager link.
2. Select the HTTPS/AS2 Service to edit it.
3. Select the File Transfer Portal preference.
4. In the General tab, select Enabled. In the Site URL field, enter the IP address, and for the port, use the HTTPS Listener port.
To set the SAML preferences, perform the following steps:
1. Select SAML Single Sign-On.
2. In the General tab, select Enabled and Force Identity Provider Login.
In the General tab, you can define the following parameters:
Enabled - Enable SAML Single Sign-On (SSO).
Force Identity Provider Login - When enabled, all authentication requests to the File Transfer Portal must go through the Identity Provider. When disabled, Web Users can authenticate to the File Transfer Portal by accessing the login page URL.
Logout Redirect URL - The alternate URL to forward the Web User to when they log out of the File Transfer Portal. By default, Managed File Transfer directs a Web User to the File Transfer Portal Login page when they log out.
In the Identity Provider tab, you can define the following parameters:
Entity ID - The ID given to the Identity Provider as the trusted ID. This ID is also used as the expected certificate alias of the Identity Provider's certificate within the Default Trusted Certificates key store.
Binding - Select the protocol binding used to send authentication requests to the Identity Provider:
  HTTP POST - Posts a form that contains the message body.
  HTTP Redirect - Sends the message body as query parameters.
Post URL - When the HTTP POST binding is selected, you must enter the URL to which authentication requests are posted.
Redirect URL - When the HTTP Redirect binding is selected, you must enter the URL to which the message body is sent as query parameters.
Server Time Offset - If the system times of the Identity Provider and Managed File Transfer are not in sync, you can specify a time offset, in seconds, that is applied to the assertion's time window. This is sometimes necessary when the Identity Provider is not within the same network as Managed File Transfer and you cannot control the server's time.
Import Metadata - Managed File Transfer can import the Identity Provider settings, including the Identity Provider certificate, from a SAML Metadata XML file.
  1. Click the Choose File button and browse to the Metadata file. If the Metadata file contains a certificate, it will be added to the Default Trusted Certificates key store using the entity ID as the certificate alias. If the certificate already exists, you can choose Replace Certificate If Exists to overwrite the existing certificate.
  2. Click the Import Metadata button to parse the Metadata file and populate the Identity Provider settings.
In the Service Provider tab, specify the following parameters:
Entity ID - The ID given to Managed File Transfer as the trusted ID. Typically this is the host name defined for Managed File Transfer (similar to the Site URL).
Private Store Certificate Alias - The alias of the certificate located in the Default Private Key Store that is used to sign requests and decrypt assertions. Click the browse icon to select the certificate.
Require Signed Response - Determines whether Managed File Transfer requires the response to be signed. Typically the response and/or the assertion is signed to establish trust between the Identity Provider and Managed File Transfer.
Require Signed Assertion - Determines whether Managed File Transfer requires the assertion to be signed. Typically the response and/or the assertion is signed to establish trust between the Identity Provider and Managed File Transfer.
Require Encrypted Assertion - Determines whether Managed File Transfer requires the assertion to be encrypted when it is received. This is typical when SSL is not used for communication between Managed File Transfer and the Identity Provider.
In the Username tab, you can define the following parameters:
Username Location - Select whether the user name is found in the NameID element or in an Attribute.
NameID - The NameID element.
NameID Format - The format of the NameID element within the SAML response. Managed File Transfer will validate the NameID format before authenticating the SAML assertion. Managed File Transfer supports the following SAML Core V2.0 options:
  Unspecified
  X509SubjectName
  Windows Qualified Domain Name
  Email Address
  Persistent
  Transient
  Kerberos
  Entity
Attribute Name Format - The format of the attribute element that identifies a username within the SAML response. Managed File Transfer will validate the attribute format before authenticating the SAML assertion. Managed File Transfer supports the following SAML Core V2.0 options:
  Basic
  Uniform Resource Identifier
Attribute Name - The attribute name within the assertion XML that identifies the username.
Parse Username Value - When enabled, the value retrieved from the assertion is parsed using a regular expression pattern.
Username Pattern - Specify a regular expression to parse a username value from the attribute.
NameID Example: The X509SubjectName NameID element for user kharris is 'uid=kharris,ou=marketing,o=example,dc=example,dc=com'. To identify kharris using the uid, use uid=(.*),o=.* for the regular expression.
Attribute Example: The username 'kharris' will be parsed from the email address attribute in the SAML assertion. To identify the username, you can use the ([^@]+) regular expression to parse 'kharris' from 'kharris@example.com'.
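As an added example (not the product's code), the following Python pulls the username from a constructed assertion the way the Username tab settings describe, checking the declared NameID Format or Attribute NameFormat before applying a Username Pattern; on the page's DN the greedy pattern uid=(.*),o=.* captures 'kharris,ou=marketing' rather than 'kharris' alone, so a comma-bounded group is shown beside it. It assumes the product takes the first capture group of the first match, which the page does not state.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample assertion (not from the page): an X509SubjectName NameID
# and a "mail" attribute in Basic name format, as in the page's two examples.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">uid=kharris,ou=marketing,o=example,dc=example,dc=com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>kharris@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"


def raw_username(assertion_xml, location, expected_format, attr_name=None):
    """Read the username from the NameID or the named Attribute, refusing the
    assertion when its declared Format/NameFormat differs from the configured one."""
    root = ET.fromstring(assertion_xml)
    if location == "NameID":
        node = root.find("saml:Subject/saml:NameID", NS)
        if node is None or node.get("Format") != expected_format:
            raise ValueError("NameID missing or its Format does not match configuration")
        return node.text
    node = root.find(f"saml:AttributeStatement/saml:Attribute[@Name='{attr_name}']", NS)
    if node is None or node.get("NameFormat") != expected_format:
        raise ValueError("Attribute missing or its NameFormat does not match configuration")
    return node.findtext("saml:AttributeValue", namespaces=NS)


def parse_username(value, pattern):
    """Apply a Username Pattern and return its first capture group.
    Assumption: first group of the first match; the page does not say."""
    match = re.search(pattern, value)
    if match is None or match.lastindex is None:
        raise ValueError("Username Pattern did not match or has no capture group")
    return match.group(1)


if __name__ == "__main__":
    dn = raw_username(SAMPLE_ASSERTION, "NameID", X509_FORMAT)
    print(parse_username(dn, r"uid=(.*),o=.*"))  # kharris,ou=marketing: greedy .* keeps the ou
    print(parse_username(dn, r"uid=([^,]+)"))    # kharris: stop at the first comma
    mail = raw_username(SAMPLE_ASSERTION, "Attribute", BASIC_FORMAT, "mail")
    print(parse_username(mail, r"([^@]+)"))      # kharris
```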
Test Response - Allows you to submit a sample assertion response to validate the current configuration.
Base64 Encoded - If the assertion is Base64 encoded, enabling this option decodes the assertion before validating it.
SAML Response - Copy your sample assertion to this field.
Validate - Click the Validate button to validate the sample assertion against the SSO settings configured on the SAML tab. Managed File Transfer will attempt to find the user and verify that they are authorized for the File Transfer Portal.
It is suggested that you set the global log level to debug while configuring SAML Single Sign-On. The SAML request and response messages will then be written to the log and can be validated using the Test Response option.
In the Service Provider tab, click Export Metadata. Managed File Transfer creates a file named Service Provider.xml.
On the SAML provider machine, add Managed File Transfer as a relying party in the Identity Provider by importing the metadata file generated in the preceding step.