Configuring IdP Authentication for Control-M MFT Enterprise Users

This procedure describes how to configure authentication with an Identity Provider (IdP) for Control-M MFT Enterprise external users, internal users, or both when they log in to File Exchange. This enables you to authenticate multiple users with one configuration in Control-M MFT Enterprise. The IdP supports Single Sign-on (SSO) and Multi-factor Authentication (MFA). You must configure MFA on your identity provider. You can configure authentication to one IdP.

BMC recommends that you authenticate both MFT Enterprise and IdP against the same LDAP server.

Begin

  1. From the icon, select MFT Enterprise Configuration.

    The MFT Enterprise window appears.

  2. To authenticate internal users, do the following:

    1. From the Settings drop-down list, select Hub Settings.

      The Hub Settings pane appears.

    2. From the HTTP/S Settings drop-down list, toggle on Enable Identity Provider For Internal Users.

    3. Click to copy the following field values, and paste each value in your IdP application configuration.

      • Single Sign-On URL: Defines the IdP URL or SAML Endpoint, where Control-M MFT Enterprise redirects users to sign in.

        You might need to modify the Hub hostname in the URL to an address that is accessible by the IdP.

      • Audience URI: Defines the Service Provider URI suffix that is used to verify Control-M MFT Enterprise.

    4. From your IdP, verify that the internal user appears in the username attribute.

    5. From your IdP, generate the XML metadata file, and in the XML Metadata path field, type the XML metadata file path endpoint URL.

  3. To authenticate external users, do the following:

    1. From the Settings drop-down list, select Gateway Settings.

      The Gateway Settings pane appears.

    2. From the HTTP/S Settings drop-down list, toggle on Enable Identity Provider For External Users.

    3. Click to copy the following field values, and paste each value in your IdP application configuration.

      • Single Sign-On URL: Defines the IdP URL or SAML Endpoint, where Control-M MFT Enterprise redirects users to sign in.

        You might need to modify the Gateway hostname in the URL to an address that is accessible by the IdP.

      • Audience URI: Defines the Service Provider URI suffix that is used to verify Control-M MFT Enterprise.

    4. From your IdP, verify that the external user appears in the username attribute.

    5. From your IdP, generate the XML metadata file, and in the XML Metadata path field, type the XML metadata file path endpoint URL.

    6. After you have completed this procedure, authorize external users to a folder, as described in Creating Groups.

    All Control-M MFT Enterprise users are now authenticated with SAML 2.0.