IBM Sterling


This portal is to open public enhancement requests for IBM Sterling products and services. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).



Status: Needs more information
Categories: Usability
Created by: Guest
Created on: Feb 16, 2024

MyFileGateway LDAP Support

Currently we have multiple MyFileGateway users that we create, delete and update on a regular basis when new customers join the organisation. The accounts that access MyFileGateway are manually created and there is a large operational overhead on the team. This RFE is to request support for LDAP regarding mapping particular OU/Groups with mailboxes in SI.

What is your industry? Banking
How will this idea be used?

To reduce operational overhead and simplify security and administration of user accounts in MyFileGateway.

  • Admin
    Mark Allen
    Jun 12, 2024

    Hi Scott,


    We've discussed this use case internally with our development and deployment experts. We have the following observations:

    • Our product supports authentication using LDAP, but not authorizations -- which we don't support from any external system. Your use case seems to point to authorization use cases vs. authentication.

    • If you are using LDAP for authentication, SFG just maps the user from LDAP to our system and they get corresponding permissions. We don't take the permissions from LDAP, but from the internal app configuration (i.e. mailbox access, read/write, etc.).

    • Our core SFG UI doesn't allow setting up multiple users to share multiple mailboxes - but B2Bi allows this under the covers. B2Bi lets you do almost anything in regards to access to mailboxes, where SFG is more constrained for simplicity's sake.

    • It's really more of a deployment-specific use case, and it is process and procedure that allow these multiple users to share multiple mailboxes. You'll need to consider changing the add/remove user process on the LDAP server that is working with SFG mailbox access to achieve the use case you're describing.

    • Having multiple users share access is typically not a best-practice security use case and comes with risks where scenarios could happen where a user has access when they shouldn't. Over time roles and responsibilities could change, causing access to be granted to users when it shouldn't be. B2Bi/SFG is a toolkit that can be configured to do anything you want, but comes with the risks above when configured this way.


    Let us know if you have any additional questions or if we've misunderstood your use case. Thanks again.

  • Guest
    Jun 5, 2024

    Hi Mark,


    Thanks for the response.


    We have MyFileGateway mailboxes mapped to different groups of users, for example Marketing and Finance mailboxes. Assigned to these mailboxes are multiple users that we assign manually. The ideal scenario would be to map LDAP OUs (i.e. one for Finance, another for Marketing) to these mailboxes, and any new joiners and leavers that were under that OU would have access with their LDAP credentials to access the mailboxes mentioned.


    I hope that makes sense. Happy to clarify if it doesn't.


  • Admin
    Mark Allen
    Jun 5, 2024

    Thank you for taking the time to provide your ideas to IBM. I truly value our relationship with you and appreciate your willingness to share details about your experience, your recommendations and ideas.

    I need a little more information to understand your idea. Can you describe your use case in more detail? I.e. what would you want an administrator to do in order to onboard your external users to MyFG?


    We do have support for LDAP in SFG when configuring user accounts. General setup instructions for LDAP with SFG: https://www.ibm.com/docs/en/b2b-integrator/6.2.0?topic=gateway-implementing-ldap-in-sterling-file


    And in the add partner screen, there is an option for "external" authentication type that would leverage LDAP, once configured correctly. See screenshot.


    I'm looking forward to your response. Once I can develop a clear picture of your request, I'll be able to let you know if we can add your idea to our future offering roadmap.

  • Guest
    Mar 12, 2024

    Great idea, and could potentially lead the way to implementing ad-hoc file transfers for external participants (with limited life accounts). How can we get this accelerated?

  • Guest
    Mar 7, 2024

    Great idea. Maintaining My FG accounts manually is currently heavy; LDAP support would bring good value to our customers.