Federated identity-based authentication is (and should be) the holy grail of all IT security authentication policies: something every IT team should be looking to introduce across its cloud and third-party hosted solutions. Controversial opinion? I don't think so, but I am happy to be debated on the topic.
In this blog, we will be covering federated identity authentication, particularly SAMLv2-based authentication, by demonstrating how to connect Progress MOVEit Transfer with Microsoft Azure AD.
Progress MOVEit Transfer is a very popular and widely used managed file transfer solution, which we often blog about. Microsoft Azure AD is Microsoft's cloud-based user directory solution, much like its namesake Microsoft Active Directory. Neither of these two solutions is a requirement for SAMLv2; they are simply being used and referred to for demonstration purposes.
It should be no surprise to anyone that over the past five or more years, the uptake of cloud-based solutions has been enormous. Consider the use of Office 365 alone!
With client-based applications increasingly shifting outside the traditional network boundary, managing authentication and identity has become a challenge.
These challenges are mostly headaches for users; however, we should also consider the security implications for the organisation. Accounts that are not centrally managed are not managed at all.
You have probably guessed it by this point, but the proposed solution, federating identity, simply means that identities are held centrally and are therefore managed centrally. Outside services then communicate back to the federated identity provider to perform authentication.
Accounts can then be created, managed, secured and disabled from one central point.
Note that we have focused on cloud-based technology here, as this is an area that federated identity solutions complement particularly well. However, federated identity solutions have their roots in extending on-premise authentication servers to other on-premise services, even those installed and hosted in a partner business.
Security Assertion Markup Language (SAML) is a standardised mechanism for exchanging authentication information in federated identity workflows.
The basic premise is that three entities are involved: the user, the service provider (SP) and the identity provider (IdP).
The workflow takes place as follows:
The most important aspect of this workflow is that authentication never takes place between the user and the SP, and therefore the IdP retains full control of the account at all times.
In this blog, we are using the popular managed file transfer solution Progress MOVEit Transfer as the SP.
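As an added example, not code from the original post or from Progress or Microsoft, here is the SP side of that exchange in Python: wrapping the AuthnRequest for the SAML HTTP-Redirect binding, decoding it again as the IdP (or an analyst reading a captured URL) would, and then checking the assertion the IdP returns. The entity IDs, URLs and sample assertion are constructed placeholders, and verification of the IdP's XML signature is assumed to be done by the SP's SAML library before these checks run.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import parse_qs, urlencode, urlsplit

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
# Constructed identifiers: substitute the entity IDs and URLs from your own MOVEit / Azure AD setup.
SP_ENTITY_ID = "https://moveit.example.com/"
IDP_ENTITY_ID = "https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
IDP_SSO_URL = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"
_ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # SAML timestamps are UTC

def build_redirect_url(request_id, acs_url):
    """SP side: send the browser to the IdP with an AuthnRequest (raw DEFLATE -> base64 -> URL-encode)."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{SAML}" ID="{request_id}" Version="2.0" '
           f'AssertionConsumerServiceURL="{acs_url}"><saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
           f'</samlp:AuthnRequest>')
    z = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    raw = z.compress(xml.encode()) + z.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

def decode_redirect_param(url):
    """IdP side, or an analyst reading a captured URL: reverse that encoding."""
    value = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(value), -15).decode()

def validate_assertion(assertion_xml, expected_request_id, now_iso):
    """SP side: checks that still matter after the SAML library has verified the IdP's XML signature."""
    a, now, problems = ET.fromstring(assertion_xml), _ts(now_iso), []
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        problems.append("assertion was issued for a different SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match an outstanding request (possible replay)")
    return problems

# Constructed sample, shaped like the assertion an IdP posts back to the SP's ACS URL.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0">
<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>alice@example.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
InResponseTo="_req1" NotOnOrAfter="2024-01-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion>"""
```

The request ID passed to `build_redirect_url` is the one the SP must remember and later match against `InResponseTo`, which is what stops an old assertion being presented a second time.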
In this example, we are using Microsoft Azure AD as our IdP. We have chosen Azure AD simply because it is the most common IdP that we are asked to work with.
With the steps above completed, the user should now be able to sign into MOVEit using their Microsoft Azure AD credentials. The credentials are never stored by MOVEit, and thus all risk and management lie with the IdP system.
For obvious reasons, some of which are listed earlier in this blog, federated identity solutions, and SAMLv2-based authentication in particular, have become very popular. We are often asked to assist with setting up such solutions and with designing authentication workflows that include other security provisions, such as multi-factor authentication (MFA).
If you would like assistance with setting up Progress MOVEit Transfer to support SAMLv2-based federated authentication, you can book a call with us.