SAML Scope
(Requires AAMM) EFT implements SAML 2.0 as specified at http://docs.oasis-open.org/security/saml/v2.0/, with the following constraints in place:
- SAML 2.0 only: No support for SAML 1.1 or earlier.
- Web Browser SSO Profile only: No support for thick-client access using SSO.
- POST binding only: EFT supports only the HTTP-POST binding; the request is delivered to the IdP endpoint as an HTTP POST (no HTTP-Redirect or Artifact binding).
- Auth assertions only: As a Service Provider (SP), EFT only requests that the identity provider (IdP) authenticate a user principal (subject) and processes the resulting authentication assertion; it does not request or consume attribute or authorization-decision assertions.
- Limited identity providers: EFT's Web SSO support for identifying authorized users (for subsequent authorization and home directory assignment) is limited to the LDAP, ODBC, and Globalscape (EFT's built-in) authentication providers. It is therefore disabled and unavailable for Sites using native AD authentication, because native AD authenticates the user itself and obviates SAML; LDAP sync against an AD is still allowed for confirming the user's identity.
- No JIT: EFT's Web SSO feature does not support just-in-time (JIT) provisioning of user accounts; it relies on accounts already being provisioned in EFT through one of the supported providers above. When an identity assertion cannot be positively mapped to an existing user account, EFT either fails authentication outright or reverts to normal authentication (prompting for login credentials), depending on an administrator configuration option.
- No credential persistence: When Web SSO is enabled for an EFT Site and the administrator has checked Persist username and password credentials for use in Event Rule context variables (Site > Security tab), EFT still cannot persist credentials to its Event Rules: a user who authenticates through the IdP never presents a password to EFT, so there are no credentials to persist.
- No logout redirect: EFT does not support a logout redirect URL or the Single Logout Protocol (section 3.7 of the SAML 2.0 Core specification). Instead, when the user logs out (from the WTC), EFT expires their EFT web session and returns them to the main logon page (e.g., the WTC logon page). From there, users can click the SSO login button or navigate to the reserved SSO path to POST a new request to the IdP.