THE INFORMATION IN THIS ARTICLE APPLIES TO:
- EFT v7.3.3 - 126.96.36.199
- EFT v8.0 adds advanced properties to an AdvancedProperties.json file instead of the registry. Refer to the EFT v8 help for information about editing the AdvancedProperties.json file.
When EFT is configured to use SAML (Web SSO) Authentication, you can add the Advanced Properties below so that EFT will bypass the WTC login page and take the user directly to the WTC interface.
Also, ensure the IdP is directed to the EFT Reserved Path (e.g., , e.g., [hostaddress]/sp/samlv2/sso), which may be called the SSO URL in the IdP:
When the Identity Provider (IdP) sends an authentication request to EFT, it sends the SAML Response and the Assertion.
The IdP can sign the entire SAML Response or just the Assertion, or both, depending on the IdP. For that reason, we have two advanced properties to cover all cases. (This is useful if you have separate certificates for encryption and signing.)
To ignore or enforce the SAML assertion signature or SAML message signature, create the advanced properties below.
Prior to v8.0, add the advanced properties to the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.4\
In v8.0 and later, add the advanced properties to the AdvancedProperties.JSON file.
Value name: SamlAssertionSignatureEnforcementLevel
Level of SAML assertion signature enforcement:
0 - required (default)
1 - not required if message signed
2 - enforce if present
3 - ignore result
4 - do not attempt verification.
Restart Required: yes
Value name: SamlMessageSignatureEnforcementLevel
Level of SAML message signature enforcement:
0 - required
1 - enforce if present (default)
2 - ignore result
3 - do not attempt verification
Restart Required: yes
- If the assertion is not signed, but the entire response is signed, then you could set SamlAssertionSignatureEnforcementLevel = to 1 (not required if response is signed) and SamlMessageSignatureEnforcementLevel = 0 (required)
- If the response is not signed, but the assertion is signed, then you could set SamlMessageSignatureEnforcementLevel = 2 (ignore result), and SamlAssertionSignatureEnforcementLevel = to 0 (required).
Refer to the help content and the following articles for information about configuring EFT and the IdP: