SSO Agent - SAML Configuration - Thycotic Secret Server 10.6 - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development Employee on May 22, 2019
Version 1

This section contains instructions on how to integrate RSA SecurID Cloud Authentication Service with Thycotic Secret Server using a SAML SSO Agent.

Architecture Diagram

Configure RSA Cloud Authentication Service

Follow the steps in this section to configure the Cloud Authentication Service as an SSO Agent SAML IdP to Thycotic Secret Server.


1. Log on to the Cloud Administration Console and do the following:

  1. Click Applications > Application Catalog.
  2. Search for Thycotic Secret Server and click +Add to add the connector.

2. On the Basic Information page, enter a name for the application in the Name field, and click Next Step.

3. In the Initiate SAML Workflow section, do the following:

  1. For the Connection URL, replace the placeholder <SECRET-SERVER-IP> with the IP address or host name of your Secret Server instance.
  2. Select the SP-initiated radio button.
  3. Select Binding Method for SAML Request as POST.

4. Scroll down to the SAML Identity Provider (Issuer) section and perform the following steps:

  1. Click Generate Cert Bundle to generate and download a zip file containing the private key and certificate. Unzip the downloaded file to extract the certificate and private key.
  2. Select the first Choose File and upload the RSA SecurID Access private key.
  3. Select the second Choose File and upload the RSA SecurID Access public certificate.

5. In the Service Provider section, do the following:

  1. Enter https://<SECRET-SERVER-IP>/SecretServer/SAML/AssertionConsumerService.aspx in the Assertion Consumer Service (ACS) URL field after replacing the placeholder <SECRET-SERVER-IP> with the IP address or host name of your Secret Server instance.
  2. In the Audience (Service Provider Entity ID) field, enter any suitable name for the Service Provider. This must be the same as the SAML Service Provider Name configured in Secret Server later.

6. In the User Identity section, select Email Address from the Identifier Type drop-down list, select the name of your user identity source and select the property value as mail. Click Next Step.

7. On the User Access page, select the access policy the identity router will use to determine which users can access the Secret Server service provider. Click Next Step.

8. On the Portal Display page, configure the portal display and other settings. Click Save and Finish.

9. Click Publish Changes in the top left corner of the page, and wait for the operation to complete.

10. Search for Thycotic Secret Server in the list of applications, and select Export Metadata from the Edit drop-down list to download an XML file containing your RSA SecurID Access IdP’s metadata. You will need this file when you configure Secret Server.


Configure Thycotic Secret Server

Follow the steps in this section to configure Thycotic Secret Server as an SSO Agent SAML SP to the Cloud Authentication Service.


1. Log in to Secret Server as an admin, and click Admin > Configuration.

2. On the Configuration page, click the SAML tab.

3. Under SAML General Settings, click Edit.

4. Check the SAML Enabled checkbox, and click Save.

5. Under SAML Service Provider Settings, click Edit.

6. In the Name field, provide a name for the Service Provider. This must match the Service Provider Entity ID configured in the Cloud Authentication Service in Step 5 of the previous section. Click Select Certificate....

7. In the Upload Certificate pop-up window, do the following:

  1. Click on Upload Certificate.
  2. Browse and select the certificate to upload.
  3. In the Password field, enter the password of the PFX certificate that you want to use. The certificate can be obtained from the Secret Server instance.
  4. Click OK.

8. Click Save.

9. In the Identity Providers section, click Create New Identity Provider.

10. In the Identity Provider window, click Import IDP from XML Metadata, then browse and select the metadata file generated in Step 10 of the previous section.

11. Click the Edit icon beside the Identity Provider entry.

12. In the Identity Provider window, do the following:

  1. Under the Single Logout section, clear the Enabled check box.
  2. Click OK.

Note: For successful authentication, the user record must be present in Secret Server. This can be achieved by adding the user record in Secret Server locally or by adding and synchronizing an LDAP Identity Source to the Secret Server instance. Detailed steps for adding a user and/or synchronizing an Identity Source are available in Thycotic Secret Server's documentation.


Configuration is complete.

For additional integrations, see "Configuration Summary" on page 5.