IBM Security Access Manager 9.0 - SSO Agent - SAML Configuration - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development on Jul 30, 2019
Version 1

This section describes how to integrate RSA SecurID Access with IBM Security Access Manager using a SAML SSO Agent.

Architecture Diagram

IBM Security Access Manager Service Provider Configuration

Perform these steps to create a SAML 2.0 Service Provider in IBM Security Access Manager.

Procedure

1. Log in to the local management interface of the appliance.

2. Browse to Secure Federation > Manage > Federations.

3. Click Add to create a new federation.

4. On the Create New Federation window, on the Federation Protocol screen, specify a name in the Federation Name field, under Select the protocol for this federation select SAML 2.0, and click Next.

5. On the Template screen, select SAML 2.0 and click Next.

6. On the General Information screen, specify a name for Company Name, under Identify your role select Service Provider, and click Next.

7. On the Point of Contact Server screen,

  • For the Point of Contact field, specify a URL in the following format:

     https://<isam_hostname>:<port_number>/<junction_name>

     where:

  • isam_hostname is the host name of the reverse proxy server.
  • port_number is the port number of the reverse proxy server.
  • junction_name is the name of the junction that will be created for this federation.
  • Click Next.

8. On the Profile Selection screen, leave Web Browser Single Sign on selected and click Next.

9. On the Single Sign-on settings screen,

  1. From Supported bindings, deselect HTTP Artifact.
  2. From The default NameID format drop-down list, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
  3. Select the Require outgoing SAML authentication requests to be signed check box and click Next.

10. On the Signature Options screen,

  1. From Certificate Database drop-down list, select rt_profile_keys.
  2. From Certificate Label drop-down list, select server.
  3. Click Next.


11. On the Encryption options screen,

  1. From Certificate Database drop-down list, select rt_profile_keys.
  2. From Certificate Label drop-down list, select server.
  3. Click Next.


12. On the SAML Message Settings screen, leave the default settings and click Next.

13. On the Identity Mapping screen, leave the default settings and click Next.

14. On the SAML Message Extension screen, leave the default settings and click Next.

15. On the Summary screen, click OK.

16. Deploy changes.

17. Select the federation created above and click Export. This exports the SAML metadata file. Use this metadata to configure IBM Security Access Manager as a service provider to the SSO Agent through the RSA Cloud Administration Console.

RSA Cloud Authentication Service Identity Provider Configuration

Perform these steps to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to IBM Security Access Manager.

Procedure

1. Sign in to the Cloud Administration Console, browse to Applications > Application Catalog, search for IBM Security Access Manager, and click +Add to add the connector.

2. On the Basic Information page, specify a name for the application in the Name field, and click Next Step.

3. On the Connection Profile page, click Import Metadata to browse and select the metadata file downloaded from IBM Security Access Manager.

4. Click Save on the Import SAML Metadata page.

5. For Connection URL, specify a URL in the following format:

https://<isam_hostname>:<port_number>/<junction_name>/sps/<federation_name>/saml20/logininitial

where:

  • isam_hostname is the host name of the reverse proxy server.
  • port_number is the port number of the reverse proxy server.
  • junction_name is the name of the junction configured for the federation.
  • federation_name is the name of the federation that was created on the service provider.

Example:

https://vm2006.pe.rsa.net/isam/sps/saml20sp/saml20/logininitial

6. Under the SAML Response Signature section,

  1. Click Generate and Download to download the certificateBundle.zip file. Open the zip file and extract the cert.pem and private.key files.
  2. Click Choose File to the left of Generate Certificate Bundle and upload the private key.
  3. Click Choose File underneath Generate Certificate Bundle and upload the public signing certificate.
  4. Select the Include Certificate in Outgoing Assertion check box.

7. Under the Service Provider section, review the Assertion Consumer Service (ACS) URL and Audience (Service Provider Entity ID) field values. They have the following formats:

Assertion Consumer Service (ACS) URL:

https://<isam_hostname>:<port_number>/<junction_name>/sps/<federation_name>/saml20/login

Audience (Service Provider Entity ID):

https://<isam_hostname>:<port_number>/<junction_name>/sps/<federation_name>/saml20

where:

  • isam_hostname is the host name of the reverse proxy server.
  • port_number is the port number of the reverse proxy server.
  • junction_name is the name of the junction configured for the federation.
  • federation_name is the name of the federation that was created on the service provider.
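The Point of Contact URL from the service provider procedure and the Connection URL, ACS URL and Audience in steps 5 and 7 above are all derived from the same four values (host name, port, junction name, federation name), so a mismatch between what IBM Security Access Manager exported and what is typed into the Cloud Administration Console is easy to introduce and hard to spot from the error page. The following Python script is an added example, not part of this guide or of either product: it builds the expected URLs from those four values and checks an exported SP metadata file against them (entity ID, ACS location, AuthnRequestsSigned, emailAddress NameID format, no HTTP-Artifact binding, a signing KeyDescriptor present). The metadata document embedded in it is a constructed sample using the page's own example values, and the certificate content is a placeholder.

```python
"""Cross-check an ISAM SAML 2.0 SP metadata export against the URLs the
RSA SSO Agent connector expects. Added example; the embedded metadata is
a constructed sample built from this guide's example values, and the
X509Certificate content is a placeholder, not a real certificate."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample of what ISAM exports for the federation created above.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://vm2006.pe.rsa.net/isam/sps/saml20sp/saml20">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vm2006.pe.rsa.net/isam/sps/saml20sp/saml20/login"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def isam_urls(hostname, junction, federation, port=443):
    """Build every URL the guide asks for from its four parts. The port is
    omitted for 443 so the result matches the page's own example."""
    authority = hostname if port == 443 else f"{hostname}:{port}"
    point_of_contact = f"https://{authority}/{junction}"
    base = f"{point_of_contact}/sps/{federation}/saml20"
    return {
        "point_of_contact": point_of_contact,      # ISAM step 7
        "connection_url": f"{base}/logininitial",  # RSA step 5
        "acs_url": f"{base}/login",                # RSA step 7, ACS URL
        "audience": base,                          # RSA step 7, SP Entity ID
    }


def check_sp_metadata(metadata_xml, expected):
    """Return a list of findings; an empty list means the export agrees with
    the expected URLs and with the settings chosen in ISAM steps 9 and 10."""
    findings = []
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    entity_id = root.get("entityID")
    if entity_id != expected["audience"]:
        findings.append(f"entityID {entity_id!r} does not match audience {expected['audience']!r}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor: not service-provider metadata"]
    if sp.get("AuthnRequestsSigned", "false").lower() != "true":
        findings.append("AuthnRequestsSigned is not true (step 9.3 requires signed requests)")
    if sp.find("md:KeyDescriptor[@use='signing']", NS) is None:
        findings.append("no signing KeyDescriptor: the IdP cannot verify signed requests")
    formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]
    if EMAIL_NAMEID not in formats:
        findings.append("emailAddress NameID format missing (step 9.2)")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if any(a.get("Binding") == ARTIFACT_BINDING for a in acs):
        findings.append("HTTP-Artifact binding still enabled (step 9.1 deselects it)")
    if expected["acs_url"] not in {a.get("Location") for a in acs}:
        findings.append(f"no AssertionConsumerService at {expected['acs_url']!r}")
    return findings


if __name__ == "__main__":
    urls = isam_urls("vm2006.pe.rsa.net", "isam", "saml20sp")
    for name, value in urls.items():
        print(f"{name:17} {value}")
    print("findings:", check_sp_metadata(SAMPLE_SP_METADATA, urls) or "none")
```

To use it against a real export, replace SAMPLE_SP_METADATA with the contents of the file downloaded in step 17 of the service provider procedure and pass your own host name, junction and federation name to isam_urls; any finding it prints points at the ISAM screen whose setting disagrees with what the Cloud Administration Console will be told.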


8. Under the User Identity section,

  1. From the Identifier Type drop-down list, select Email Address.
  2. From the Property drop-down list, select either mail or sAMAccountName as the value, based on the type of property IBM Security Access Manager is configured to accept.

9. Click Next Step.

10. On the User Access page, configure the Access Policy settings and click Next Step.

11. On the Portal Display page, click Save and Finish.

12. Click Publish Changes at the top of the page.

13. Locate IBM Security Access Manager in the list of applications and, from the Edit drop-down list, select Export Metadata. Use the metadata file to configure RSA SecurID Access as a Federation Partner in IBM Security Access Manager.

IBM Security Access Manager Federation Partner Configuration

Perform these steps to configure RSA Cloud Authentication Service as a Federation Partner for IBM Security Access Manager.

Procedure

1. On the local management interface, browse to Secure Federation > Manage > Federations.

2. Select the federation instance and click Partners.

3. On the Partner window, click Add.

4. On the Create New Partner window, on the Metadata screen, click Browse to select the IdP metadata file and click Next.

5. On the Single Sign-on Settings screen, for Default target URL, specify a default application URL that is enabled for access through the federation, and click Next.

6. On the SOAP SSL Configuration Settings screen, leave the default settings and click Next.

7. On the Identity Mapping screen, leave the default settings and click Next.

8. On the SAML Message Extension screen, leave the default settings and click Next.

9. On the Summary Page, review the configuration values and click OK.

10. Click Close on the Partner window.

11. Deploy changes.


Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the SAML SSO Agent configuration to your use case.
