Entra ID Example using SAML

This section describes how to integrate MFT Server Web SSO using SAML with Microsoft Entra ID. This example provides step-by-step instructions on how to set up the application in Microsoft Entra admin center and in the MFT Server Manager interface. When complete, an MFT Server user will be able to log in to the MFT Server Web Client application using Microsoft Entra ID.

 

The images provided under the Entra ID Instructions are taken from the Microsoft Entra admin center. Most images are snippets and not the complete page.

 

MFT Server supports SAML version 2.0.

 

MS Entra ID Instructions

 

Integrating JSCAPE Web SSO (SAML) with Entra ID requires adding an application from the Microsoft Entra admin center app gallery. The application that will be added is called Microsoft Entra SAML Toolkit, which is published by Microsoft. The steps below show how to add this application and configure it so that it can be used when signing in to the MFT Web Client.

 

  1. Log in to your Microsoft Entra admin center.

  2. On the left-side menu, click on Applications > Enterprise applications.

     

     

  3. On the Enterprise applications screen, click on New application.

     

     

  4. On the Browse Microsoft Entra Gallery screen, enter Microsoft Entra SAML Toolkit in the Search application field, then click on the Microsoft Entra SAML Toolkit application when it appears in the results list.

     

     

  5. Enter an appropriate name in the Name field (in this example, the name is JSCAPE MFT SSO SAML). Next, click on the Create button. It may take a few seconds for the application to be added. Wait until the next screen appears.

     

     

  6. Click on the Single sign-on item under the Manage section found on the left-hand side.

     

     

  7. Click on the SAML tile under Select a single sign-on method screen.

     

     

  8. On the Set up Single Sign-On with SAML screen, click on the Edit button to the right of the Basic SAML Configuration section.

     

     

  9. On the Basic SAML Configuration screen, replace the default value under the Identifier (Entity ID) list with the URL "https://jscapehost/sso/jscapedomain/login". Replace "jscapehost" and "jscapedomain" with the host name and domain name appropriate for your MFT Server environment; the host name must be the one users actually use to reach the Web Client, because this value is also what Entra ID places in the assertion as its Audience and Recipient. Enter the same URL into the Reply URL (Assertion Consumer Service URL) and Sign on URL fields. Click the Save button.

     

     

  10. It may be necessary to manually close the Basic SAML Configuration screen if it does not automatically close after clicking on the Save button. Click on the X button to do this.

     

     

  11. Once you are back on the Set up Single Sign-On with SAML screen, click on the Edit button to the right of the User Attributes & Claims heading.

     

     

  12. On the User Attributes & Claims screen, click on the value beside the Unique User Identifier (Name ID) claim name. The default value is user.userprincipalname [nameid-format:emailAddress] and it will become user.mail [nameid-format:persistent] after making changes on the next screen.

     

     

  13. On the Manage claim screen, change the Name identifier format dropdown field from Email address to Persistent and change the Source attribute dropdown field from user.userprincipalname to user.mail, then click on the Save button. The value of the user's mail attribute is what Entra ID will send as the Name ID, so each Entra user who will sign in must have that attribute populated, and it must correspond to the user's MFT Server account.

     

     

  14. Click on the SAML-based Sign-on link once you are back on the User Attributes & Claims screen.

     

     

  15. On the SAML-based Sign-on screen, click on the Download link beside the Certificate (Raw) field under the SAML Signing Certificate section. The resulting certificate file will be used in the JSCAPE Instructions section of this article below. Note the expiration date shown in the same section: MFT Server will reject assertions signed with any other certificate, so the download and import will have to be repeated when the certificate is rotated.

     

     

  16. Click on the Copy to clipboard icon to the left of the Login URL field, located under the Set up <NAME> section. NAME will be whatever you entered in step 5. The Login URL will be used in the JSCAPE Instructions section located below.

     

     

  17. The final step requires that you add users and/or groups to the application. Click on the Users and groups item under the Manage section, then click on the Add user/group button. Proceed to add users/groups. When the application requires user assignment (the Assignment required? property), only users assigned here, directly or through a group, will be able to complete the SSO login.

     

     

JSCAPE Instructions

 

  1. Launch the MFT Server Administrative UI. Navigate to the Keys > Host Keys module, then click on the Import button and select Import File.

     

  2. On the Import Public Key dialog, enter an appropriate alias in the Key alias field. It could be anything. Click on the Choose File button and find the certificate file you downloaded in step 15, then click on the OK button.

     

  3. Open the appropriate domain and go to the ACCOUNTS > Authentication > Web SSO tab. Choose SAML from the Service type dropdown list.

     

  4. Under the IDENTITY PROVIDER section, the Sign-in URL should be set to the Login URL copied from step 16 of the MS Entra ID Instructions. The Sign-out URL should be set to "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0". The Verification certificate dropdown list should be set to the certificate imported in step 2; this is the certificate MFT Server uses to verify the signature on every assertion, so it must be updated whenever the Entra ID signing certificate is rotated. The Name ID format dropdown list should be set to persistent, matching the format chosen in step 13 of the MS Entra ID Instructions. The rest of the fields can be left at their default values. Click on the Apply button.

 

 

Test SSO login by accessing the URL: https://jscapehost/sso/jscapedomain/login

 

Replace "jscapehost" and "jscapedomain" accordingly.
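When the test login fails, the quickest way to see which of the settings above disagree is to look at the SAMLResponse that Entra ID posts to the Reply URL (it is the SAMLResponse form field of that POST in the browser's network tools) and compare it with what was configured in Entra step 9 and step 13. The following inspector is an added example written for this article; it is not JSCAPE or Microsoft code. It decodes a SAMLResponse and checks the Name ID format, the Audience and Recipient against the Entity ID / Reply URL, the status code, and the validity window. The embedded sample response is constructed, unsigned, and uses a placeholder tenant ID; a real one also carries a signature, which this script deliberately does not verify because MFT Server does that with the certificate imported in JSCAPE step 2.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by a SAML 2.0 Response and its Assertion.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# The value entered in Entra step 9 as Entity ID, Reply URL and Sign on URL.
# Replace jscapehost/jscapedomain exactly as you did there.
SP_URL = "https://jscapehost/sso/jscapedomain/login"

# Constructed, unsigned sample in the shape Entra ID emits (placeholder tenant
# id, not a real capture). A real response also carries a <ds:Signature>.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{SP_URL}">
  <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{PERSISTENT}">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="{SP_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_URL}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# The same assertion with two common misconfigurations: step 13 not applied
# (format left at emailAddress) and an Entity ID in Entra that differs from step 9.
BAD_XML = (SAMPLE_XML.replace(PERSISTENT, EMAIL_FMT)
           .replace(f"<saml:Audience>{SP_URL}",
                    "<saml:Audience>https://jscapehost/sso/otherdomain/login"))

SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()
BAD_SAMLRESPONSE = base64.b64encode(BAD_XML.encode()).decode()


def parse_time(value):
    """Parse a SAML xs:dateTime such as 2024-01-01T12:00:00Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def inspect_response(saml_response_b64, sp_url=SP_URL, now=None):
    """Decode a SAMLResponse form value and compare it with the configured values.

    Returns the fields the login depends on plus a list of problems found.
    Signature verification is intentionally not done here.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success (user not assigned in step 17?)")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted assertions are not handled here)")
        return {"problems": problems}

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    value = (name_id.text or "").strip() if name_id is not None else ""
    if fmt != PERSISTENT:
        problems.append(f"NameID format is {fmt}, expected persistent (step 13)")
    if not value:
        problems.append("NameID is empty: user.mail is not populated for this account")

    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_url:
        problems.append(f"Audience {audience} != Entity ID {sp_url} (step 9)")

    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != sp_url:
        problems.append(f"Recipient {recipient} != Reply URL {sp_url} (step 9)")
    if scd is not None and scd.get("NotOnOrAfter") and now >= parse_time(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData has expired (clock skew or a replayed response)")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        if now < parse_time(cond.get("NotBefore")) or now >= parse_time(cond.get("NotOnOrAfter")):
            problems.append("outside the Conditions validity window")

    return {"issuer": assertion.findtext("saml:Issuer", namespaces=NS),
            "name_id": value, "format": fmt, "audience": audience,
            "recipient": recipient, "problems": problems}


if __name__ == "__main__":
    # Run against the constructed samples; pass a captured SAMLResponse instead for real debugging.
    for label, resp in (("good", SAMPLE_SAMLRESPONSE), ("bad", BAD_SAMLRESPONSE)):
        print(label, inspect_response(resp, now=parse_time("2024-01-01T12:01:00Z")))
```

Run against a captured response, the "name_id" field shows the exact value MFT Server receives for the user; if it does not match an account in the domain, the login fails even when every other check passes. The validity window check is evaluated against the current time by default, so a response captured earlier will always report as expired unless you pass `now=` close to its IssueInstant.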