THE INFORMATION IN THIS ARTICLE APPLIES TO:

• EFT v7.4.11 and later

DISCUSSION

When EFT is configured to use SAML (Web SSO) Authentication, you can add the Advanced Properties below so that EFT will bypass the WTC login page and take the user directly to the WTC interface.

Also, ensure the IdP is directed to the EFT Reserved Path (e.g., , e.g., [hostaddress]/sp/samlv2/sso), which may be called the SSO URL in the IdP:

When the Identity Provider (IdP) sends an authentication request to EFT, it sends the SAML Response and the Assertion.

<SAML Response>
    <Assertion>
                
   </Assertion>
</SAML Response>

The IdP can sign the entire SAML Response or just the Assertion, or both, depending on the IdP. For that reason, we have two advanced properties to cover all cases. (This is useful if you have separate certificates for encryption and signing.)

To ignore or enforce the SAML assertion signature or SAML message signature, create the advanced properties below.

Prior to v8.0, add the advanced properties to the registry: 

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.4\

Type: DWORD

In v8.0 and later, add the advanced properties to the AdvancedProperties.JSON file.

{
"SamlAssertionSignatureEnforcementLevel":"1",
"SamlMessageSignatureEnforcementLevel":"0"
}

Value name: SamlAssertionSignatureEnforcementLevel

Level of SAML assertion signature enforcement:

0 - required (default)

1 - not required if message signed

2 - enforce if present

3 - ignore result

4 - do not attempt verification.

Restart Required: yes

Backup/Restore: yes

----------------------------

Value name: SamlMessageSignatureEnforcementLevel

Level of SAML message signature enforcement:

0 - required

1 - enforce if present (default)

2 - ignore result

3 - do not attempt verification

Restart Required: yes

Backup/Restore: yes

For example:

• If the assertion is not signed, but the entire response is signed, then you could set SamlAssertionSignatureEnforcementLevel = to 1 (not required if response is signed) and SamlMessageSignatureEnforcementLevel = 0 (required)
• If the response is not signed, but the assertion is signed, then you could set SamlMessageSignatureEnforcementLevel = 2 (ignore result), and  SamlAssertionSignatureEnforcementLevel = to 0 (required).

Refer to the help content and the following articles for information about configuring EFT and the IdP:

• 11321, EFT SAML SSO with Salesforce as IDP

• 11322, Installing and configuring Shibboleth as the backend IDP server for use with EFT SSO

• 11323, Configure SafeNet to accept EFT for SAML IDP access

• 11324, Creating and configuring an ADFS IDP server for use with EFT SAML

• 11330, Adjust clock skew between EFT and IDP server

• 11331, Specify the SAML signature algorithm

• 11332, Specify the SAML digest algorithm

• 11514, SAML SSO Using Okta as the IdP