Relying Party Configuration - Thycotic Secret Server 10.6 - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development Employee on May 22, 2019

This section contains instructions on how to integrate RSA SecurID Access with Thycotic Secret Server using Relying Party. Relying party uses SAML 2.0 to integrate RSA SecurID Access as a SAML Identity Provider (IdP) to Thycotic Secret Server SAML Service Provider (SP).

Architecture Diagram

Configure RSA Cloud Authentication Service

Follow the steps in this section to configure RSA Cloud Authentication Service as a Relying Party SAML IdP to Thycotic Secret Server.


1. Log on to the RSA Cloud Administrative Console.

2. Click Authentication Clients > Relying Parties.

3. Click Add a Relying Party.

4. From the Relying Party Catalog, select the +Add button for Service Provider SAML.

5. In the Basic Information section, enter a name and click Next Step.

6. In the Authentication section, do the following:

  1. Under Authentication Details, select RSA SecurID Access manages all authentication.
  2. Select appropriate primary and additional authentication methods.
  3. Click Next Step.

7. On the next page, under the Service Provider Metadata section, enter the following details:

  • Assertion Consumer Service (ACS) URL: https://<SECRET-SERVER-INSTANCE>/SecretServer/SAML/AssertionConsumerService.aspx replacing <SECRET-SERVER-INSTANCE> with the IP address or host name of your Secret Server installation.
  • Service Provider Entity ID: Enter any suitable name for the Service Provider. This name must be the same as the SAML Service Provider Name configured in Secret Server later.

8. Click Show Advanced Configuration.

9. Under User Identity, in the NameID section, select the following parameters:

  • Identifier Type: Email Address
  • Property: mail

10. Then click Save and Finish.

11. Click the Publish Changes button in the top left corner of the page, and wait for the operation to complete.

12. On the My Relying Parties page, do the following:

  1. Select View or Download IdP Metadata from the Edit drop-down list to view and download an XML file containing your RSA SecurID Access IdP’s metadata. You will need this file when you configure Secret Server.
  2. Click Download Metadata File in the View or Download Identity Provider Metadata page to download the file. A file named IdpMetadata.xml should be downloaded.


Configure Thycotic Secret Server

Follow the steps in this section to configure Thycotic Secret Server as a Relying Party SAML SP for the Cloud Authentication Service.


1. Log in to Secret Server as an admin, and click Admin > Configuration.

2. On the Configuration page, click the SAML tab.

3. Under SAML General Settings, click Edit.

4. Select the SAML Enabled checkbox, and click Save.

5. Under SAML Service Provider Settings, click Edit.

6. In the Name field, enter a name for the Service Provider. This must match the Service Provider Entity ID configured in the Cloud Authentication Service in Step 7 of the previous section. Click Select Certificate....

7. In the Upload Certificate pop-up window, do the following:

  1. Click on Upload Certificate.
  2. Browse and select the certificate to upload.
  3. In the Password field, enter the password of the PFX certificate that you want to use. The certificate can be obtained from the Secret Server instance.
  4. Click OK.

8. Click Save.

9. In the Identity Providers section, click Create New Identity Provider.

10. In the Identity Provider window, click Import IDP from XML Metadata, then browse to and select the IdpMetadata.xml file downloaded in Step 12 of the previous section.

11. Click the Edit icon beside the Identity Provider entry.

12. In the Identity Provider window, do the following:

  1. Under the Single Logout section, clear the Enabled check box.
  2. Under the Required Settings section, select HTTPPost as the Single SignOn Service Binding value from the drop-down list.
  3. Click OK.


Note: For successful authentication, the user record must be present in Secret Server. This can be achieved by adding the user record in Secret Server locally or by adding and synchronizing an LDAP Identity Source to the Secret Server instance. Detailed steps for adding a user and/or synchronizing an Identity Source are available in Thycotic Secret Server's documentation.


Configuration is complete.

For additional integrations, see "Configuration Summary" on page 5.