This section describes how to integrate RSA SecurID Access with Microsoft Office 365 using Relying Party. Relying party uses SAML 2.0 to integrate RSA SecurID Access as a SAML Identity Provider (IdP) to Microsoft Office 365 SAML Service Provider (SP).
Configure RSA Cloud Authentication Service
Perform these steps to configure RSA Cloud Authentication Service as a relying party SAML IdP to Microsoft Office 365 .
1. Log on to the RSA Cloud Administrative Console and browse to Authentication Clients > Relying Parties and click Add a Relying Party.
2. Click Add in the SAML Service Provider section of the Relying Party Catalog menu.
3. Enter a Name in the Basic Information section and click Next Step.
4. Configure the Authentication settings and click Next Step.
- Select RSA SecurID Access Manages all authentication from the Authentication Details drop-down menu.
- Select the primary authentication method.
- Select the access policy for additional authentication.
5. Select Enter Manually Data Input Method and scroll down to the Service Provider Metadata section.
6. Configure the Service Provider Metadata settings and scroll down to the Message Protection section.
- Enter the following text into the Assertion Consumer Service (ACS) URL field.
- Enter the following text into the Service Provider Entity ID field.
7. Click Download Certificate to download IdP SAML response signing certificate and click Show Advanced options.
8. Configure the User Identity settings and scroll down to the Attribute Extension section.
- Select persistent from the NameID Identifier Type drop-down menu.
- Select objectGUID from the NameID Property drop-down menu.
9. Configure the Attribute Extension settings and click Save and Finish.
- Add an extension with Attribute Name IDPEmail with your Identity Source and Property mail.
- Add an extension with Attribute Name ImmutableID with your Identity Source and Property objectGUID.
10. On the My Relying Parties page, click Edit > View or Download IdP Metadata.
11. Open the IdP metadata XML file, locate and make note of the IDP URL
12. Browse to Users > Identity Sources and click Edit for the Identity Source(s) referenced in the configured Access Policy for Additional Authentication (in step 4).
13. Open the User Attributes tab and verify the following checkboxes are marked. Then click Next Step > Save and Finish.
- Synchronize the selected policy attributes with the Cloud Authentication Service
- mail attribute in Policies column
- objectGUID attribute in Policies column
14. Click Publish Changes and wait for the operation to complete.
15. Browse to Users > Identity Sources and click Edit > Synchronization.
16. Click Synchronize Now and wait for the operation to complete.
Configure Microsoft Office 365
Perform these steps to integrate Microsoft Office 365 with RSA SecurID Access as a relying party SAML SP.
1. Log on to the Windows Azure AD Connect serve and open PowerShell.
2. Enter the following commands to connect to Azure Active Directory. Enter your Office 365 global admin account credentials when prompted.
Note: The username must be in the format <username>@<domain>.onmicrosoft.com
$cred = Get-Credential
Connect-MsolService –Credential $cred
3. Enter the following commands to specify your federated authentication settings.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\temp\IDPSigningCertificate.pem")
where c:\temp\IDPSigningCertificate.pem is the path to the downloaded Relying party certificate.
$certData = [system.convert]::tobase64string($cert.rawdata)
$domain = <your_domain>
$cloudURL = <RSA IdP URL>
Note: RSA IdP URL can be found in the downloaded IdP metadata file. It is formatted like this: ” https://<company_id>.auth.securid.com/saml-fe/sso”
$logOffURL = https://login.microsoftonline.com
4. Enter the following command to apply the federated authentication settings.
Set-MsolDomainAuthentication –DomainName $domain –FederationBrandName $domain -Authentication Federated –ActiveLogOnUri $cloudURL –IssuerUri $cloudURL -LogOffUri $logOffURL –PassiveLogOnUri $cloudURL –SigningCertificate $certData –PreferredAuthenticationProtocol “SAMLP”
5. Enter the following command to verify the federated authentication settings.
Get-MsolDomainFederationSettings –DomainName $domain | Format-List *
Configuration is complete.
You can revert back to non-federated authentication by entering the following command.
Set-MsolDomainAuthentication –DomainName $domain –Authentication Managed
Return to the Configuration Summary.