Managed File Transfer and Network Solutions

How To Set Up and Login with OpenID SSO

Posted by John Carl Villanueva on Tue, Aug 05, 2014 @ 03:40 AM

Overview

We already introduced you to the basic concepts and benefits of OpenID, SAML, and SSO in general. Today, we finally get our hands dirty as we dive into the JSCAPE MFT Server environment and teach you how to enable OpenID Web SSO there. After that, we'll show you how your users can log in using their own OpenID account.

Ready? Let's get started.

Setting Up OpenID Web SSO in JSCAPE MFT Server

Before you set up OpenID Web SSO, make sure you've already enabled your JSCAPE MFT Server for web-based sessions. You can find instructions for enabling web-based sessions in the article How To Set Up A Web File Transfer. Follow all the instructions in that article up to, but not including, the last section (Using the Web file transfer service).

Once you're done with that, you can then proceed to Authentication > Web SSO to start configuring your Web SSO settings for OpenID. 

 

[Screenshot: Web SSO authentication settings in JSCAPE MFT Server]

 

These are the general steps to follow:

1. Go to the Service type drop-down list and select OpenID

2. In the Identity Provider's Sign-in URL, enter your OpenID provider's URL. In our example, we're using the one from Google: https://www.google.com/accounts/o8/id

Please note that OpenID providers vary in the unique account ID that they pass back to JSCAPE MFT Server for use in generating an account (login). In some cases this may match the login that you use for the identity provider, and in other cases it may be completely different. Thus, make sure you check with your OpenID provider to get the right URL.

You may choose from the list of popular OpenID provider URLs found near the bottom of this article. Alternatively, you can also set up your own OpenID provider. This option is outside the scope of this article though.

3. Specify the Sign-out URL. This is the URL your users will be directed to when they click the Logout button in the JSCAPE MFT Server Web file transfer screen (see screenshot below).

 

[Screenshot: Web SSO logout button]

 

Although you can assign any URL to this setting (for example, entering our blog's URL will take our users there upon logout), the ideal value would be your OpenID provider's logout URL. That is the URL that will log the user out of his current session. For example, Google's Logout URL is https://accounts.google.com/Logout.

There are a couple more settings after that. Although you may leave them at their default values for now, let me just explain briefly what they're for.

Create user if not found using template - If checked, JSCAPE MFT Server will automatically create an account for each new user using the template specified in the drop-down list. In the example shown, the Default template will be used. 

Allow non SSO logins - If checked, JSCAPE MFT Server will allow users to log in without using Web SSO. On the other hand, if this is unchecked, users will receive a "Non SSO login is not allowed" error whenever they attempt to log in without using Web SSO. Non-SSO logins are typically carried out by simply entering the JSCAPE MFT Server's host address in the user's Web browser.

 

[Screenshot: A typical JSCAPE MFT Server Web File Transfer non-SSO login]

 

Once you're done specifying your settings for OpenID Web SSO, click the Apply button.

 

Logging-in to JSCAPE MFT Server using OpenID SSO

To log in using OpenID Web SSO, just enter the server's URL for Web SSO logins into a Web browser using the format:

https://[hostname]/sso/[domainname]/login

where "hostname" is the hostname/IP address of your JSCAPE MFT Server and "domainname" is the specific domain on that server where OpenID Web SSO was enabled.

So, for example, if our host IP address is "192.168.100.103" and our domain is "mftserver1", we enter:

https://192.168.100.103/sso/mftserver1/login

 

[Screenshot: JSCAPE MFT Server Web SSO login]

 

You will then be directed to your OpenID provider's website, where you would have to enter your OpenID login credentials. This is what you'll see if you use Google as your OpenID provider:

 

[Screenshot: Google SSO sign-in page]

 

Note that, if you're using Google Apps for Business, you'll need to ask your admin to enable your user accounts for OpenID SSO. Ordinary Gmail email addresses (with their corresponding passwords of course) can be used straight away since those are already enabled for OpenID SSO by default.

Google (or whichever OpenID provider you use) may then ask you to confirm whether you really want to use your OpenID to log in to JSCAPE MFT Server. Just click Accept to confirm.

 

[Screenshot: Google Web SSO confirmation]

 

And with that, you'll instantly be granted access to JSCAPE MFT Server.

 

[Screenshot: Inside JSCAPE MFT Server after logging in through Web SSO]

 

Because you now have Web SSO enabled, you no longer have to log in each time at JSCAPE MFT Server if you've already logged in at your OpenID provider. For example, if you're using Google as your OpenID provider and you've already logged in to Gmail, you can simply open a new tab on your browser (or use the same tab), enter the special URL for JSCAPE MFT Server Web SSO logins, and voila! You'll be inside JSCAPE MFT Server in an instant.

Note that JSCAPE MFT Server will create a separate account for a user's Web SSO login sessions. The unique value of that account's ID will be determined by the OpenID provider itself. 

 

[Screenshot: User account created for Web SSO logins in JSCAPE MFT Server]

 

But what if a user already has an existing account on your JSCAPE MFT Server, e.g., one he already uses for non-SSO login sessions? Couldn't he link that account to the one he'll be using for his Web SSO logins? 

Well, that's pretty tempting, considering that we could easily employ the user's email address as a common identifier. However, doing that would introduce a vulnerability. A malicious individual who has access to the OpenID provider might be able to change his own email address there to the user's email address. That would then enable the malicious individual to gain access to the user's files on your JSCAPE MFT Server.
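The linking risk described above, as an added example that is not part of the original article or JSCAPE's code: a hypothetical account store resolves the same login assertion once by email address and once by the provider-issued ID. All class, function and field names, the provider URL and the sample values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Assertion:
    """Constructed stand-in for what an OpenID provider returns after login."""
    provider: str    # URL configured as the Identity Provider's Sign-in URL
    claimed_id: str  # unique account ID chosen by the provider
    email: str       # attribute the account holder may be able to change

@dataclass
class UserStore:
    """Hypothetical account store, not JSCAPE MFT Server's real data model."""
    accounts: dict = field(default_factory=dict)     # login -> account record
    email_index: dict = field(default_factory=dict)  # email -> existing login

    def add_local(self, login, email):
        # Existing non-SSO account with files the owner wants kept private.
        self.accounts[login] = {"template": "local", "files": [f"{login}-report.csv"]}
        self.email_index[email.lower()] = login

    def login_linked_by_email(self, a):
        """Risky: a matching email is treated as proof of owning the account."""
        return self.email_index.get(a.email.lower())

    def login_by_provider_id(self, a, create_if_missing=True, template="Default"):
        """Separate SSO account keyed on the provider-issued ID (assumed key format)."""
        login = f"{a.provider}#{a.claimed_id}"
        if login not in self.accounts:
            if not create_if_missing:  # mirrors an unchecked "Create user if not found"
                return None
            self.accounts[login] = {"template": template, "files": []}
        return login

def demo():
    store = UserStore()
    store.add_local("alice", "alice@example.com")
    # Constructed assertion: a different provider account carrying Alice's email.
    other = Assertion("https://openid.example.test", "id-7f3a", "alice@example.com")
    linked = store.login_linked_by_email(other)    # resolves to Alice's account
    separate = store.login_by_provider_id(other)   # resolves to its own empty account
    return linked, separate, store.accounts[separate]["files"]

if __name__ == "__main__":
    print(demo())
```

Keying on the provider URL plus its ID means a changed email attribute alone never selects an existing account.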

URLs of Popular OpenID Providers

✔ StackExchange https://openid.stackexchange.com

✔ Google https://www.google.com/accounts/o8/id

✔ Yahoo https://me.yahoo.com

✔ Flickr http://www.flickr.com/username

✔ AOL http://openid.aol.com/username

✔ Blogspot https://www.blogspot.com/

✔ LiveJournal http://username.livejournal.com/

✔ Wordpress https://username.wordpress.com/

✔ VerisignLabs https://pip.verisignlabs.com/

✔ MyOpenID https://www.myopenid.com/

✔ MyVidoop https://myvidoop.com/

✔ ClaimID https://claimid.com/username

✔ Technorati https://technorati.com/people/technorati/username/

✔ PayPal https://www.x.com/developers/paypal/documentation-tools/quick-start-guides/standard-openid-integration-paypal-access

 

Recommended Download

OpenID Web SSO is supported in the latest version of JSCAPE MFT Server. If you want to try it out, download the FREE evaluation edition now.
