Integrated Windows Authentication for Single Sign On (SSO)

EFT supports Single Sign-On (SSO) for HTTP/S connections when Integrated Windows Authentication (IWA) is explicitly enabled. Enabling IWA applies to all Sites in EFT that use Active Directory authentication. Currently, Internet Explorer (IE) is the only browser that fully supports IWA. Users connecting with other browsers must still go through the normal login page.

Form-based login as implemented in the normal login page is generally considered superior for interactive user connections because it facilitates true session management. However, IWA is a legitimate alternative for use within internal corporate networks. With IWA enabled, EFT defers the user authentication to Active Directory and IE, resulting in a single sign-on user experience. Users whose credentials are accepted by AD are not prompted for a username and password, and are instead logged directly into the EFT client web interface without any further input.

The downside to IWA is that in skipping the normal login page, the user misses out on a few of the functions accessed from that page, such as providing alternate credentials or choosing whether to load the Web Transfer Client (WTC), though an administrator may still disable WTC access for an individual user or entire Settings Template if necessary. Additionally, the user must close their browser to end the session rather than using a logout button. In an environment where SSO is a requirement, these functions may not be important or even desired.

NOTE:

To enable this functionality, the following registry entries must be created and set appropriately:

Registry key (32 bit):

HKLM\SOFTWARE\Globalscape Inc.\EFT 4.0\EFTClient\

Registry key (64 bit):

HKLM\SOFTWARE\Wow6432Node\Globalscape Inc.\EFT 4.0\EFTClient\

DWORD: use_registry

1 = enabled

DWORD: enable_iwa

1 = enabled
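
The following PowerShell script is an added example, not Globalscape's own tooling. It reports whether the two DWORD values listed above are set on a server and, when run with the hypothetical -Apply switch, creates them. It assumes an elevated 64-bit PowerShell session on 64-bit Windows (or any elevated session on 32-bit Windows); the script name and the -Apply parameter are illustrative.

```powershell
# Added example: audit or set the IWA registry values described on this page.
# Key paths and value names come from the page; -Apply is a hypothetical switch.
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

# Pick the key location the page gives for 32-bit versus 64-bit Windows.
$base = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node'
} else {
    'HKLM:\SOFTWARE'
}
$key   = Join-Path $base 'Globalscape Inc.\EFT 4.0\EFTClient'
$names = 'use_registry', 'enable_iwa'

if ($Apply) {
    # Create the key only if it is missing: New-Item -Force on an existing
    # registry key would replace it and drop the values it already holds.
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    foreach ($name in $names) {
        New-ItemProperty -LiteralPath $key -Name $name `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Read the values back so the result can be reviewed or logged.
foreach ($name in $names) {
    $current = (Get-ItemProperty -LiteralPath $key -Name $name `
                    -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{
        Key     = $key
        Name    = $name
        Value   = $current          # empty when the value does not exist
        Enabled = ($current -eq 1)  # the page defines 1 as enabled
    }
}
```

Run without -Apply, the script makes no changes and can be used to inventory which EFT servers have IWA turned on.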