IBM Security Access Manager 9.0 - Relying Party Configuration - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development on Jul 30, 2019

This section describes how to integrate RSA SecurID Access with IBM Security Access Manager as a relying party. The relying party integration uses SAML 2.0, with RSA SecurID Access acting as the SAML Identity Provider (IdP) and IBM Security Access Manager acting as the SAML Service Provider (SP).

Architecture Diagram

 

IBM Security Access Manager Service Provider Configuration

Perform these steps to create a SAML 2.0 Service Provider in IBM Security Access Manager.

Procedure

1. Log in to the local management interface of the appliance.

2. Browse to Secure Federation > Manage > Federations.

3. Click Add to create a new federation.

4. On the Create New Federation window, on the Federation Protocol screen, specify a name in the Federation Name field, select SAML 2.0 for Select the protocol for this federation, and click Next.

5. On the Template screen, select SAML 2.0 and click Next.

6. On the General Information screen, specify a name for Company Name, select Service Provider for Identify your role, and click Next.

 

7. On the Point of Contact Server screen,

  • For the Point of Contact field, specify a URL in the following format:

     https://<isam_hostname>:<port_number>/<junction_name>

     where:

     • isam_hostname is the host name of the reverse proxy server.
     • port_number is the port number of the reverse proxy server.
     • junction_name is the name of the junction that will be created for this federation.

  • Click Next.

 

8. On the Profile Selection screen, leave Web Browser Single Sign on selected and click Next.

9. On the Single Sign-on settings screen,

  1. From Supported bindings, deselect HTTP Artifact.
  2. From The default NameID format drop-down list, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
  3. Select the Require outgoing SAML authentication requests to be signed check box and click Next.

 

10. On the Signature Options screen,

  1. From Certificate Database drop-down list, select rt_profile_keys.
  2. From Certificate Label drop-down list, select server.
  3. Click Next.

 

11. On the Encryption options screen,

  1. From Certificate Database drop-down list, select rt_profile_keys.
  2. From Certificate Label drop-down list, select server.
  3. Click Next.

 

12. On the SAML Message Settings screen, leave the default settings and click Next.

13. On the Identity Mapping screen, leave the default settings and click Next.

14. On the SAML Message Extension screen, leave the default settings and click Next.

15. On the Summary screen, click OK.

16. Deploy changes.

17. Select the federation created above and click Export. This exports the SAML metadata file. Use this metadata to configure IBM Security Access Manager as a Relying Party through the RSA Cloud Administration Console.
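Before importing the exported file into the RSA Cloud Administration Console, it is worth confirming that the metadata actually reflects the wizard choices from steps 7 and 9 (point-of-contact URL on the reverse proxy, HTTP Artifact deselected, emailAddress NameID format, signed AuthnRequests). The following checker is an added example, not part of this guide or of either product; the embedded metadata is a constructed sample whose hostname, junction name and federation name are placeholders.

```python
"""Check an exported ISAM SAML 2.0 SP metadata file against the federation
wizard settings. Added example; SAMPLE_METADATA is constructed, not a real
ISAM export, and the host/junction/federation names are placeholders."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample: the second ACS endpoint deliberately still advertises
# HTTP-Artifact, as if step 9.1 had been skipped.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://isam.example.test:443/isam/sps/rsa-sp/saml20">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://isam.example.test:443/isam/sps/rsa-sp/saml20/login"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://isam.example.test:443/isam/sps/rsa-sp/saml20/login"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, point_of_contact):
    """Return a list of findings; an empty list means the export matches steps 7 and 9."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor: this is not Service Provider metadata"]
    findings = []
    if sp.get("AuthnRequestsSigned") != "true":
        findings.append("AuthnRequestsSigned is not true (step 9.3 not applied)")
    formats = [e.text for e in sp.findall(f"{{{MD}}}NameIDFormat")]
    if EMAIL_NAMEID not in formats:
        findings.append("emailAddress NameID format missing (step 9.2 not applied)")
    for acs in sp.findall(f"{{{MD}}}AssertionConsumerService"):
        if acs.get("Binding") == ARTIFACT:
            findings.append("HTTP-Artifact ACS still advertised (step 9.1 not applied)")
        # Every ACS endpoint must sit under the reverse-proxy point of contact (step 7).
        if not acs.get("Location", "").startswith(point_of_contact):
            findings.append(f"ACS {acs.get('Location')} is not under {point_of_contact}")
    return findings


if __name__ == "__main__":
    for finding in check_sp_metadata(SAMPLE_METADATA, "https://isam.example.test:443/isam"):
        print("FINDING:", finding)
```

Run it against the real export by replacing SAMPLE_METADATA with the file contents and passing the point-of-contact URL you entered in step 7.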

 

RSA Cloud Authentication Service Identity Provider Configuration

Perform these steps to configure RSA Cloud Authentication Service as a relying party SAML IdP to IBM Security Access Manager.

Procedure

1. Sign into the RSA Cloud Administration Console and browse to Authentication Clients > Relying Parties and click Add a Relying Party.

2. From the Relying Party Catalog, select the +Add button for Service Provider SAML.

3. On the Basic Information page, specify a name for the Service Provider in the Name field and click Next Step.

4. On the Authentication page,

  1. Under Authentication Details, select RSA SecurID Access manages all authentication.
  2. Select appropriate primary and additional authentication methods.

  3. Click Next Step.

5. On the Connection Profile page, under the Data Input Method section,

  1. Select Import Metadata.
  2. Click Choose File and select the metadata file downloaded from IBM Security Access Manager.

6. Under the User Identity section,

  1. From the Identifier Type drop-down list, select Email Address.
  2. From the Property drop-down list, select either mail or sAMAccountName, depending on which property IBM Security Access Manager is configured to accept.

7. Click Save and Finish.

8. Locate IBM Security Access Manager in the My Relying Parties list. From the Edit drop-down list, select View or Download IdP Metadata, download the metadata file, and use it to configure RSA SecurID Access as a Federation Partner in IBM Security Access Manager.

9. Click Publish Changes at the top of the page.

 

IBM Security Access Manager Federation Partner Configuration

Perform these steps to configure RSA Cloud Authentication Service as a Federation Partner for IBM Security Access Manager.

Procedure

1. On the local management interface, browse to Secure Federation > Manage > Federations.

2. Select the federation instance and click Partners.

3. On the Partner window, click Add.

4. On the Create New Partner window, on the Metadata screen, click Browse to select the IdP metadata file, and click Next.

5. On the Single Sign-on Settings screen, for Default target URL, specify a default application URL that is enabled for access through the federation, and click Next.

6. On the SOAP SSL Configuration Settings screen, leave the default settings and click Next.

7. On the Identity Mapping screen, leave the default settings and click Next.

8. On the SAML Message Extension screen, leave the default settings and click Next.

9. On the Summary Page, review the configuration values and click OK.

10. Click Close on the Partner window.

11. Deploy changes.

 

Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the Relying Party configuration to your chosen use case.
