Ingo Schubert

How to setup Salesforce.com as an IDP for SecurID Access

Blog Post created by Ingo Schubert Employee on Oct 28, 2015


What is this Howto about?

This guide will show you how to configure Salesforce and SecurID Access so that SFDC acts as an external identity provider for SecurID Access. This enables users to log in to the Via Access portal using their existing SFDC credentials.


Pre-conditions

  • SFDC instance with full admin access
  • SecurID Access instance with admin access
  • Shared user IDs (email addresses) between SFDC and Via Access
  • The logon ID format that Via Access expects must match what SFDC is configured to return (e.g. email address)

IDP configuration on the Salesforce Side

Log into SFDC with an admin account. In the lower left corner you'll then see a menu called "Administration Setup". (If that doesn't show up, click on "Setup" in the upper right corner.)

Bare-bone IDP setup

Select "Security Controls" -> "Identity Provider".

SFDC_as_IDP_25.png

You need to click on "Enable Identity Provider". In the following screen select "Create a new Certificate...".

SFDC_as_IDP_26.png

Give the certificate a meaningful name.

SFDC_as_IDP_3.png

Hit "Save" and you'll see a screen with the details of the newly created certificate. Download it by clicking "Download Certificate" - we'll need it later.

SFDC_as_IDP_4.png

Now comes a strange step... either go back to the "Identity Provider" section like before or click "Back to List" on the certificate detail screen. Either way, you'll need to click again on "Enable Identity Provider" and this time select the certificate you just created.

SFDC_as_IDP_5.png

Once you have clicked "Save" on that screen you are finished with the bare-bone IDP setup. You'll see a summary screen similar to the one below:

SFDC_as_IDP_1.png

Setting up the Connected App (aka SP) definition at SFDC

From now on it's a good idea to have a separate browser window or tab open in the Via Access admin console. This part jumps a bit between Via Access and SFDC, so be patient and pay attention.

On your Identity Provider Setup screen click on the "Service Providers are now created via Connected Apps. Click here." link - or go to "App Setup" -> "Create" -> "Apps" and then click "New" in the "Connected Apps" section of the screen... I never said it's going to be easy. You'll see a screen like this:

SFDC_as_IDP_27.png

Fill in what you know or can make up on your own already: names, email addresses etc. Provide your IDR portal URL for the "Start URL" in the "Web App Settings" section. Click on "Enable SAML" in the "Web App Settings" just below the "Start URL" field.

SFDC_as_IDP_28.png

Now we need to switch over to Via Access.

Adding a SAML 2.0 IDP definition in Via Access

In RSA Via Access go to “Users” → “Identity Providers” and click “Add an Identity Provider”.

SFDC_as_IDP_8.png

Click "Add" for the "SAML 2.0 IDP".

SFDC_as_IDP_9.png

Give it a meaningful name:

SFDC_as_IDP_10.png

Click "Next Step"... the "Connection Profile" section appears.

Let there be "Copy & Paste" - copying information from SFDC to Via Access and vice versa

This is the screen that holds the information you either need to fill in from the SFDC screen or need to copy over to SFDC.

Leave the Audience ID as it is and the Audience URL too.

  • Copy the Audience ID from Via Access and paste it into the SFDC screen under “Entity ID”
  • Copy the Audience URL from Via Access and paste it into the SFDC screen under “ACS URL”.
  • Copy the Issuer from SFDC into Via Access “Issuer ID”.
  • Copy the “SingleSignOnService” HTTP-Post binding URL from the SFDC Metadata file to the Issuer URL in Via Access
  • Upload the Certificate you downloaded earlier from SFDC by hitting “Select File” in the “Certificate” section of RSA Via Access and selecting the downloaded file.
  • Note: on the SFDC side "Subject Type" was left at the default "Username". As the username in SFDC is the email address, you need to make sure Via Access is configured to accept the email address for logon. This is done in the "User Store" section of the Via Access admin GUI. The "User Tag" must be "mail" (or "email", depending on your LDAP schema). If you have it configured to accept sAMAccountName and you then use SFDC, which sends email addresses by default, you will be logged in but the user can't do anything.

SFDC_as_IDP_12.png

SFDC_as_IDP_13.png


The next screenshot is just FYI. It shows the user store setup of Via Access. Note the "mail" as the User Tag. If you have done that previously you are all set. If not... change it to "mail". The alternative is to configure SFDC to send the content of e.g. sAMAccountName - but that of course requires that this information is in SFDC. This could be e.g. the Federation ID or a custom attribute in SFDC. For this exercise we just assume everybody uses email as the login ID - which is common now.

SFDC_as_IDP_30.png


Just for clarity... here is a screenshot of my SFDC IDP metadata XML file. Look at the URL I highlighted. That's the ACS (assertion consumption service) URL of SFDC. SFDC supports both POST and redirect binding for AuthnRequests - Via Access supports only POST, so you have to copy that one.

SFDC_as_IDP_17.png
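The copy-and-paste list above and the metadata/User Tag notes are easy to get wrong by hand (picking the HTTP-Redirect endpoint instead of HTTP-POST, or pasting a NameID format that the Via Access User Tag cannot resolve). The script below is an added example, not part of the original post or of RSA's or Salesforce's own tooling: it pulls the Issuer ID, the HTTP-POST SingleSignOnService URL and the signing certificate out of an SFDC IDP metadata file, and checks a NameID value against the configured User Tag. The metadata document, the `example-placeholder.my.salesforce.com` domain, the endpoint paths and the certificate string are all constructed placeholders.

```python
"""Added example (not from the original post): extract the Via Access
"Connection Profile" values from an SFDC IDP metadata file and check the
logon ID format against the Via Access User Tag.
Everything in SAMPLE_METADATA is constructed for this example."""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the metadata SFDC exports after
# "Enable Identity Provider"; domain, paths and cert are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-placeholder.my.salesforce.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIBplaceholderCertBase64==</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-placeholder.my.salesforce.com/idp/endpoint/HttpRedirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-placeholder.my.salesforce.com/idp/endpoint/HttpPost"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def connection_profile_from_metadata(metadata_xml: str) -> dict:
    """Return the values to paste into Via Access: Issuer ID (entityID),
    Issuer URL (the HTTP-POST SSO endpoint only) and the signing cert."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IDP metadata")

    issuer_id = root.get("entityID")

    # Via Access only accepts HTTP-POST for the AuthnRequest, so select that
    # binding explicitly and ignore the HTTP-Redirect endpoint SFDC also lists.
    post_urls = [
        sso.get("Location")
        for sso in idp.findall("md:SingleSignOnService", NS)
        if sso.get("Binding") == HTTP_POST
    ]
    if len(post_urls) != 1:
        raise ValueError(f"expected one HTTP-POST SingleSignOnService, found {len(post_urls)}")

    # A KeyDescriptor without a 'use' attribute covers signing as well.
    # Compare this cert with the one downloaded from SFDC before uploading it.
    certs = [
        c.text.strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text
    ]
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "issuer_id": issuer_id,
        "issuer_url": post_urls[0],
        "signing_cert_b64": certs[0],
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
    }


def name_id_matches_user_tag(name_id: str, user_tag: str) -> bool:
    """Check the Subject (NameID) SFDC will send against the User Tag Via
    Access resolves users by: 'mail'/'email' needs an address,
    'sAMAccountName' must not get one. A mismatch logs the user in but
    leaves them with no working applications, as the post describes."""
    looks_like_email = re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id) is not None
    if user_tag.lower() in ("mail", "email"):
        return looks_like_email
    if user_tag == "sAMAccountName":
        return not looks_like_email
    raise ValueError(f"unknown user tag {user_tag!r}")


if __name__ == "__main__":
    for key, value in connection_profile_from_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
    print("mail tag ok:", name_id_matches_user_tag("jane.doe@example.com", "mail"))
```

Run it against the metadata file you exported from SFDC (replace `SAMPLE_METADATA` with the file contents) and paste the printed `issuer_id` and `issuer_url` into the Via Access "Issuer ID" and "Issuer URL" fields; the script refuses to pick an endpoint when the file does not contain exactly one HTTP-POST binding, which is the mistake the screenshot above is meant to prevent.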


In SFDC you now need to grant the appropriate user profiles permission to access the "Via Access" Connected App. Without this, SFDC will deny access (and with that, outbound federation) every time.


On the "Connected App" screen of "Via Access" scroll down to the "Profiles" section and click on "Manage Profiles":

SFDC_as_IDP_22.png


Now you need to select the user profiles you want to be able to federate out to Via Access. In my case I selected both "System Administrator" and "Standard Platform User". This might be different in your environment. Standard Platform Users are the "normal" users and should work for most. The test user I used is an administrator so I had to select that profile too.


SFDC_as_IDP_23.png


Click "Save" and then head back to Via Access.


Configuring the Authentication sources for Via Access


Now you need to add the newly defined SFDC IDP to the Authentication Sources of Via Access.

Click on “Access” → “Authentication Sources” and hit “Add”. Select “Salesforce” and hit “Save”.

SFDC_as_IDP_14.png

Now it should look something like this:

SFDC_as_IDP_15.png

Publish the changes to the IDRs.

Then head over to the IDR portal.

How the login into the IDR portal looks and behaves now

If you access the portal you'll see a new link at the bottom of the logon box that points to your SFDC IDP.

SFDC_as_IDP_19.png

Click it and you'll be redirected to SFDC.

SFDC_as_IDP_29.png


You can customize this page (left and right side) in the configuration screen of your custom domain. If you don't have a custom domain the standard SFDC login page will be shown.


Once you have logged in, you'll be redirected back to Via Access and see the portal page for the user you logged in as at SFDC:

SFDC_as_IDP_24.png


-> Success!
