This section describes how to integrate RSA SecurID Access with F5 BIG-IP APM using relying party. Relying party uses SAML 2.0 to integrate RSA SecurID Access as a SAML Identity Provider (IdP) to F5 BIG-IP APM SAML Service Provider (SP).
Configure RSA Cloud Authentication Service
Perform these steps to configure RSA Cloud Authentication Service as a relying party SAML IdP to F5 BIG-IP APM .
1. Sign into the RSA Cloud Administrative Console and browse to Authentication Clients > Relying Parties and click Add a Relying Party.
2. From the Relying Party Catalog, select the +Add button for Service Provider SAML.
3. In the Basic Information section, enter a name and click Next Step.
4. In the Authentication section, do the following:
- Under Authentication Details, select RSA SecurID Access manages all authentication.
- Select appropriate primary and additional authentication methods.
- Click Next Step.
- Assertion Consumer Service (ACS) URL: https://<VIRTUAL-SERVER>/saml/sp/profile/post/acs replacing <VIRTUAL-SERVER> with the IP address or host name of the Virtual Server as configured in F5.
- Service Provider Entity ID: Enter https://<VIRTUAL-SERVER> replacing <VIRTUAL-SERVER> with the IP address or host name of the Virtual Server as configured in F5.
7. Click Show Advanced Configuration.
8. Under User Identity, in the NameID section, select the following parameters:
- Identifier Type: Email Address
- Property: mail
9. Then click Save and Finish.
10. Click the Publish Changes button in the top left corner of the page, and wait for the operation to complete.
Configure F5 BIG-IP APM
Perform these to configure F5 BIG-IP APM as a Relying Party SAML SP to RSA Cloud Authentication Service.
1. Sign into the BIG-IP Configuration Utility and click System > Certificate Management > Traffic Certificate Management > SSL Certificate List > Import.
2. Select Certificate from the Import Type drop-down list.
- Certificate Name: Click the New radio button and enter a suitable name for the certificate.
- Certificate Source: Click the Upload File radio button. Then click Choose File button and select the certificate downloaded in Step 6 of CAS configuration.
4. Click Import.
5. Click Access > Federation > SAML Service Provider > External IdP Connectors.
6. Click Create.
- Name: Suitable name for this IdP Connector.
- IdP Entity ID: Enter https://rsa-blr-pe.auth-demo.securid.com/saml-fe/sso.
8. On the Create New SAML IdP Connector pop-up window, under Single Sign On Service Settings, do the following:
- Single Sign On Service URL: Enter https://rsa-blr-pe.auth-demo.securid.com/saml-fe/sso.
- Single Sign On Service Binding: Select POST from the drop-down list.
9. On the Create New SAML IdP Connector pop-up window, under Assertion Settings, select Identity Location as Subject from the drop-down list.
10. On the Create New SAML IdP Connector pop-up window, under Security Settings, select the certificate imported in Step 3 above from the IdP's Assertion Validation Certificate drop-down list.
11. Click OK.
12. Click Access > Federation > SAML Service Provider > Local SP Services.
13. Click Create.
- Name: Enter a suitable name for the SAML SP service.
- Entity ID: Enter https://<VIRTUAL-SERVER> replacing <VIRTUAL-SERVER> with the IP address or host name of your Virtual Server as configured in F5. This should be same as the Service Provider Entity ID as enter in CAS configuration Step 5.
15. Click OK.
16. On the Local SP Services page, click the check-box corresponding to the Service Provider just created.
17. Click on Bind/Unbind IdP Connectors at the bottom of the page.
18. On the Edit SAML IdPs that use this SP pop-up window, click Add New Row.
19. From the SAML IdP Connectors drop-down list select the Connector created in Step 7 above. Then click Update. Then click OK.
Next Step: Proceed to Access Profile use case configuration section to apply this integration type to an access profile.