Introduction to SAML (Web SSO) Authentication
The SAML SSO feature in EFT will look up accounts to match the user-id configuration, and if found, it will associate the IdP-authenticated users with said pre-provisioned accounts. EFT can also optionally perform what’s called Just In Time (JIT) provisioning, where it can create an account in a pre-designated Settings Template, for authenticated users, if they do not already exist in EFT. When a positive mapping of identify assertions to existing user accounts cannot be made, Web SSO authentication will fail or revert to normal authentication and request login credentials. (See Web SSO Error Handling).
In the Web SSO SAML Configuration dialog box, you can specify to use the Email Attribute Name in JIT or LDAP after an IDP- or SP-initiated login to create an account in EFT.
The "persist credentials" feature will not work for accounts that login via Web Single Sign-on (SSO), because there will be no credentials to persist. Instead, you would have to manually specify those credentials for each rule. If you leave the persist credentials feature enabled (or if was already enabled), then EFT will use an empty (NULL) password.
Some users will be able to login normally (if desired), thus the "persist credentials" feature *could* work in those cases, which is why it isn't automatically disabled when SSO is enabled.
-
Web SSO support in EFT is limited to LDAP, ODBC, and Globalscape-authenticated Sites; Web SSO is disabled and unavailable for AD-authenticated Sites.
-
SAML 2.0 Service Provider-initiated Web Single Sign-on with POST bindings is currently the only profile supported on EFT. EFT uses the OpenSAML library SAML 2.0. EFT does not support SAML 1.0 or 1.1.
-
When EFT is installed in an HA environment, SAML needs to have the IDP's public key saved in the HA shared drive.
-
EFT Login Security options do not apply to SSO failed logins. Login security controls, such as password complexity and failed logins, are within the responsibility of the Identity Provider (IdP) and are not controlled by EFT. (Refer to Banning an IP Address that Uses an Invalid Account and Disabling or Locking out an Account after Invalid Password Use for details of those options.)