This section describes how to integrate RSA SecurID Access with Ping Identity PingFederate using a SAML SSO Agent.
Configure RSA Cloud Authentication Service
Perform these steps to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to Ping Identity PingFederate.
1. Sign into the RSA Cloud Administration Console and browse to Applications > Application Catalog, search for Ping Identity PingFederate and click +Add to add the connector.
2. On the Basic Information page, enter a Name for the application and click Next Step.
3. In the Initiate SAML Workflow section, do the following:
- Connection URL: Enter the PingFederate SSO Application Endpoint URL.
- Select the SP-initiated radio button.
- Select the POST radio button under Binding Method for SAML Request.
Note: If PingFederate SSO Application Endpoint URL is not known, enter a temporary place holder value so that you can continue on. After you complete the PingFederate SP configuration, you will be able to retrieve this value from the PingFederate Service Provider > IdP Connection page.
4. In the SAML Identity Provider (Issuer) section, configure the following:
- Identity Provider URL: Keep the default
- Issuer Entity ID: Keep the default or specify your own. If you do change it, make sure that it is reflected in the Identity Provider URL in this section.
- SAML Response Signature: Upload the signing key and corresponding certificate.
5. In the Service Provider section, do the following:
- Assertion Consumer Service (ACS) URL: Enter the PingFederate ACS URL.
- Audience (Service Provider Entity ID): Enter the PingFederate SAML 2.0 Entity ID.
Note: If ACS URL and Audience are not known, enter temporary place holder values so that you can continue on. After you complete the PingFederate SP configuration and export its metadata, you can import it into this application to fill these values automatically.
6. In the User Identity section, configure the following:
- Identifier Type: Select your NameID Identifier type from the drop-down menu. Many options were observed to work during testing.
- Identity Source: Select your NameID Identity Source from the drop-down menu.
- Property: Select the directory attribute which holds the NameID username from the drop-down menu.
7. Click Next Step.
8. On the Access Policy page, select the Access Policy and click Next Step.
9. On the Portal Display page, configure the portal display settings and click Save and Finish.
11. Click Publish Changes.
Configure Ping Identity PingFederate
Perform these steps to configure Ping Identity PingFederate as an SSO Agent SAML SP to RSA Cloud Authentication Service.
1. Logon to PingFederate administrative web console, open the Service Provider tab.
2. Under IDP CONNECTIONS, click Create New.
3. On the Connection Type page, check the BROWSER SSO PROFILES PROTOCOL SAML 2.0 check-box and click Next.
4. On the Connection Options page, check the BROWSER SSO check-box and click Next.
5. On the Import Metadata page, select the FILE radio button, click the Choose File button and browse to the RSA SecurID Access IdP metadata file downloaded from Step 10 of RSA Cloud Authentication Service configuration. Then click Next.
6. On the Metadata Summary page, review the information and click Next.
7. On the General Info page, review the information and click Next.
8. On the Browser SSO page, click Configure Browser SSO button.
9. On the SAML Profiles page, check the IDP-INITIATED SSO and the SP-INITIATED SSO check-boxes and click Next.
10. On the User-Session Creation page, click Configure User-Session Creation button.
11. On the Identity Mapping page, select the ACCOUNT MAPPING radio button and click Next.
12. On the Attribute Contract page, click Next.
Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the SAML SSO Agent configuration to your use case.