- What is this Howto about?
- IDP configuration on the Salesforce Side
- Adding a SAML 2.0 IDP definition in Via Access
- Let there be "Copy & Paste" - copying information from SFDC to Via Access and vice versa
- Configuring the Authentication sources for Via Access
- How the login into the IDR portal looks and behaves now
What is this Howto about?
This guide shows how to configure Salesforce and SecurID Access so that SFDC acts as an external identity provider to SecurID Access. This lets users log in to the Via Access portal using their existing SFDC credentials. You'll need:
- SFDC instance with full admin access
- SecurID Access instance with admin access
- Shared user IDs (email addresses) between SFDC and Via Access
- The logon ID format that Via Access expects must match what SFDC is configured to return (e.g. email address)
IDP configuration on the Salesforce Side
Log into SFDC with an admin account. In the lower left corner you'll then see a menu called "Administration Setup". (If that doesn't show up, click on "Setup" in the upper right corner.)
Bare-bone IDP setup
Select "Security Controls" -> "Identity Provider". You need to click on "Enable Identity Provider". In the following screen select "Create a new Certificate...". Give the certificate a meaningful name. Hit "Save" and you'll see a screen with the details of the newly created certificate. You should download it by clicking "Download Certificate" - we'll need it later. Now comes a strange step... either go back to the "Identity Provider" section like before or click "Back to List" on the certificate detail screen. Either way... you'll need to click again on "Enable Identity Provider" and this time select the certificate you just created. Once you have clicked "Save" on that screen you are finished with the bare-bone IDP setup. You'll see a summary screen similar to the one below:
Setting up the Connected App (aka SP) definition at SFDC
From now on it's a good idea to have a separate browser window or tab open in the Via Access admin console. This part jumps a bit between Via Access and SFDC, so be patient and pay attention. On your Identity Provider Setup screen click on the "Service Providers are now created via Connected Apps. Click here." link - or go to "App Setup" -> "Create" -> "Apps" and then click "New" in the "Connected Apps" section of the screen.... I never said it's going to be easy. You'll see a screen like this: Fill in what you know or can make up on your own already: names, email addresses etc. Provide your IDR portal URL for the "Start URL" in the "Web App Settings" section. Click on "Enable SAML" in the "Web App Settings" just below the "Start URL" field. Now we need to switch over to Via Access.
Adding a SAML 2.0 IDP definition in Via Access
In RSA Via Access go to "Users" → "Identity Providers" and click "Add an Identity Provider". Click "Add" for the "SAML 2.0 IDP". Give it a meaningful name. Click "Next Step"... the "Connection Profile" section appears.
Let there be "Copy & Paste" - copying information from SFDC to Via Access and vice versa
This is the screen that has the info that you need to either fill in from the SFDC screen or that you need to copy over to SFDC.
Leave the Audience ID as it is and the Audience URL too.
- Copy the Audience ID from Via Access and paste it into the SFDC screen under “Entity ID”
- Copy the Audience URL from Via Access and paste it into the SFDC screen under “ACS URL”.
- Copy the Issuer from SFDC into Via Access “Issuer ID”.
- Copy the “SingleSignOnService” HTTP-Post binding URL from the SFDC Metadata file to the Issuer URL in Via Access
- Upload the Certificate you downloaded earlier from SFDC by hitting “Select File” in the “Certificate” section of RSA Via Access and selecting the downloaded file.
- Note: on the SFDC side "Subject Type" was left at the default "Username". As the username in SFDC is the email address, you need to make sure Via Access is configured to accept the email address for logon. This is done in the "User store" section in the Via Access admin GUI. The "User Tag" must be "mail" (or "email"... depending on your LDAP schema). If you have it configured to accept sAMAccountName and you then use SFDC, which sends email addresses by default, you will be logged in but the user can't do anything.
The next screenshot is just FYI. It shows the user store setup of Via Access. Note the "mail" as the User Tag. If you have done that previously you are all set. If not... change it to "mail". The alternative is to configure SFDC to send the content of e.g. sAMAccountName - but that of course requires that this information is in SFDC. This could be e.g. the federationID or a custom attribute in SFDC. For this exercise we just assume everybody uses email as the login ID - which is common now.
Just for clarity... here is a screenshot of my SFDC IDP metadata XML file. Look at the URL I highlighted. That's the ACS (Assertion Consumer Service) URL of SFDC. SFDC supports both POST and Redirect binding for AuthnRequests - Via Access supports only POST, so you have to copy that one.
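As an added example (not from the original guide), here is a small Python script that pulls the three values Via Access asks for out of an IdP metadata XML file like the one shown above: the entityID for "Issuer ID", the HTTP-POST SingleSignOnService URL for "Issuer URL", and the signing certificate as a PEM file for the "Certificate" upload. The hostname and certificate body in the embedded sample are constructed placeholders, not real SFDC values.

```python
# Added example (not from the original guide): pull the three values Via Access
# asks for out of a SAML 2.0 IdP metadata file such as the one SFDC lets you
# download, keeping only the HTTP-POST SingleSignOnService binding.
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata; hostname and certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sfdc-idp.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBCONSTRUCTEDPLACEHOLDERCERT==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sfdc-idp.example.com/idp/endpoint/HttpRedirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sfdc-idp.example.com/idp/endpoint/HttpPost"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_idp_settings(metadata_xml: str) -> dict:
    """Return Issuer ID, Issuer URL and the signing cert as PEM for Via Access."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Via Access only supports the POST binding, so ignore HTTP-Redirect.
    post = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == POST_BINDING]
    if len(post) != 1:
        raise ValueError("expected exactly one HTTP-POST SingleSignOnService")
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                    "ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no signing certificate in metadata")
    b64 = "".join(cert.text.split())  # metadata often wraps the base64 body
    pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
           + "\n-----END CERTIFICATE-----\n")
    return {"issuer_id": root.get("entityID"),
            "issuer_url": post[0], "certificate_pem": pem}

if __name__ == "__main__":
    for key, value in extract_idp_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Point it at the metadata file you actually downloaded from SFDC by passing that file's contents to `extract_idp_settings` instead of the sample; the PEM string can be written to a file and uploaded in the "Certificate" section.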
In SFDC you now need to grant permissions to the appropriate user profiles to be able to access the "Via Access" Connected App. Without this SFDC will deny access (and with that outbound federation) every time.
On the "Connected App" screen of "Via Access" scroll down to the "Profiles" section and click on "Manage Profiles":
Now you need to select the user profiles you want to be able to federate out to Via Access. In my case I selected both "System Administrator" and "Standard Platform User". This might be different in your environment. Standard Platform Users are the "normal" users and should work for most. The test user I used is an administrator so I had to select that profile too.
Click "Save" and then head back to Via Access.
Configuring the Authentication sources for Via Access
Now you need to add the newly defined SFDC IDP to the Authentication Sources of Via Access.
Click on “Access” → “Authentication Sources” and hit “Add”. Select “Salesforce” and hit “Save”.
Now it should look something like this:
Publish the changes to the IDRs.
Then head over to the IDR portal.
How the login into the IDR portal looks and behaves now
If you access the portal you'll see a new link at the bottom of the logon box that points to your SFDC IDP.
Click it and you'll be redirected to SFDC.
You can customize this page (left and right side) in the configuration screen of your custom domain. If you don't have a custom domain the standard SFDC login page will be shown.
Once you have logged in you'll be redirected back to Via Access and see the portal page for the user you logged in as at SFDC: