Okta SSO - SAML SSO Agent Configuration - RSA SecurID Access Implementation Guide

Document created by RSA Information Design and Development Employee on Feb 27, 2020. Last modified by Michael Wolff on Apr 2, 2020.
Version 2

This section describes how to integrate RSA SecurID Access with Okta SSO using a SAML SSO Agent.

Architecture Diagram

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as the SAML identity provider (IdP) for Okta SSO, using the SSO Agent connector.

Procedure

1. Sign in to the RSA Cloud Administration Console, browse to Applications > Application Catalog, search for Okta and click +Add to add the connector.

2. On the Basic Information page, specify the application name and click Next Step.

Note: The SP-initiated configuration described below works for both SP-initiated and IdP-initiated connections.

3. On the Connection Profile page, under the Initiate SAML Workflow section, do the following:

a. Connection URL: Replace <mycompany> with your Okta subdomain.

b. Select the SP-initiated radio button.

4. On the Connection Profile page, under the SAML Identity Provider (Issuer) section, do the following:

a. Note the Identity Provider URL and Issuer Entity ID. Both are required in Step 6 of Configure Okta SSO.

b. Click Generate Cert Bundle to generate and download a zip file containing the private key and certificate. Unzip the downloaded file to extract the certificate and private key. The private key signs every assertion the identity router issues for Okta: keep it out of tickets, chat and source control, and share only the certificate.

c. Click the first Choose File and upload the RSA SecurID Access private key.

d. Click the second Choose File and upload the RSA SecurID Access public certificate. This certificate is also required in Step 6 of Configure Okta SSO.

5. On the Connection Profile page, under the Service Provider section, do the following:

a. Assertion Consumer Service (ACS) URL: Enter https://<mycompany>.okta.com/sso/saml2/<IdP-ID-from-Okta>, where <mycompany> is your Okta subdomain and <IdP-ID-from-Okta> is the value copied in Step 10 of Configure Okta SSO.

b. Audience (Service Provider Entity ID): Enter https://www.okta.com/saml2/service-provider/<string-from-Okta>, where <string-from-Okta> is the value copied in Step 10 of Configure Okta SSO.

Note: If these values are not yet available, enter placeholder values and update them once the configuration on the Okta side is complete and the actual values are known. Remember to publish the corrected values (Step 11): Okta rejects assertions whose Audience does not match its Audience URI.

6. On the Connection Profile page, under the User Identity section, select unspecified from the Identifier Type drop-down list, select your user identity source and select mail as the property value. The resulting NameID (the user's email address) is what Okta matches against the Okta username or email in Step 5 of Configure Okta SSO.

7. On the Connection Profile page, under the Attribute Extension section, select the user identity source for each extended attribute. These attributes are required to enable just-in-time (JIT) user provisioning in Okta.

8. Scroll to the bottom of the page and click Next Step.

9. On the User Access page, select the access policy the identity router uses to determine which users can access the Okta service provider. Click Next Step.

10. On the Portal Display page, configure the portal display and other settings. Click Save and Finish.

11. Click Publish Changes in the top left corner of the page and wait for the operation to complete.
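
Before uploading the bundle from Step 4, it is worth confirming that the extracted private key and certificate belong together, that the certificate has not already expired, and recording its SHA-256 fingerprint so it can be compared with what Okta displays after the certificate is imported in Step 6 of Configure Okta SSO. The following script is an added example, not code from RSA or Okta. It assumes the openssl command-line tool is on PATH and, so that it runs offline, generates a throwaway self-signed key pair as a stand-in for the downloaded bundle; point check_bundle at the real files instead.

```python
"""Pre-upload checks for the Step 4 cert bundle: key/cert match, validity, fingerprint.
Assumes the `openssl` command-line tool is on PATH (it does all the parsing)."""
import hashlib
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args, stdin=None):
    """Run one openssl subcommand and return its stdout bytes (raises on failure)."""
    return subprocess.run(["openssl", *args], input=stdin,
                          capture_output=True, check=True).stdout


def public_key_der(path, from_cert):
    """DER-encoded SubjectPublicKeyInfo taken from a certificate or a private key."""
    if from_cert:
        pem = _openssl("x509", "-in", str(path), "-pubkey", "-noout")
        return _openssl("pkey", "-pubin", "-outform", "DER", stdin=pem)
    return _openssl("pkey", "-in", str(path), "-pubout", "-outform", "DER")


def check_bundle(key_path, cert_path):
    """Return (key_matches_cert, cert_still_valid, sha256_fingerprint)."""
    matches = public_key_der(key_path, False) == public_key_der(cert_path, True)
    # -checkend 0 exits non-zero if the certificate has already expired
    valid = subprocess.run(["openssl", "x509", "-in", str(cert_path), "-noout",
                            "-checkend", "0"], capture_output=True).returncode == 0
    der = _openssl("x509", "-in", str(cert_path), "-outform", "DER")
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return matches, valid, fingerprint


def make_sample_bundle(directory):
    """Constructed stand-in for the downloaded zip: a throwaway self-signed RSA pair.
    The real bundle comes from Generate Cert Bundle; this only exists so the checks
    can run offline."""
    key, cert = Path(directory, "idp.key"), Path(directory, "idp.crt")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", str(key),
             "-out", str(cert), "-subj", "/CN=rsa-idp-sample", "-days", "365")
    return key, cert


def self_check():
    """Exercise check_bundle on a matching pair and on a deliberately wrong key."""
    with tempfile.TemporaryDirectory() as workdir:
        key, cert = make_sample_bundle(workdir)
        good = check_bundle(key, cert)
        wrong_key = Path(workdir, "other.key")
        _openssl("genpkey", "-algorithm", "RSA", "-out", str(wrong_key),
                 "-pkeyopt", "rsa_keygen_bits:2048")
        bad = check_bundle(wrong_key, cert)
    return good, bad


if __name__ == "__main__":
    good, bad = self_check()
    print("matching bundle (match, valid, fingerprint):", good)
    print("wrong private key (match, valid, fingerprint):", bad)
```

The public keys are compared in DER form rather than by eyeballing PEM text, so a key from a different bundle (a common mistake when several connectors have been generated) is caught before it is uploaded. The fingerprint is the one value safe to paste into a change ticket.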

Configure Okta SSO

Perform these steps to configure Okta SSO to trust RSA SecurID Access as its SAML identity provider.

Procedure

1. Log in to Okta with an administrator account at https://<mycompany>.okta.com/login/default.

2. In the Okta Admin Console, click Security > Identity Providers.

3. On the Identity Providers page, click Add Identity Provider > Add SAML 2.0 IdP.

4. In the Edit Identity Provider pop-up, under General Settings, enter a suitable Name for the identity provider.

5. In the Edit Identity Provider pop-up, under Authentication Settings, do the following:

a. IdP Username: Select idpuser.subjectNameId from the drop-down.

b. Match against: Select Okta Username or Email from the drop-down. Because the NameID carries the mail attribute (Step 6 of Configure RSA Cloud Authentication Service), this is the value Okta uses to find the existing user.

6. In the Edit Identity Provider pop-up, under SAML Protocol Settings, do the following:

a. IdP Issuer URI: Enter the Issuer Entity ID noted in Step 4 of Configure RSA Cloud Authentication Service.

b. IdP Single Sign-On URL: Enter the Identity Provider URL noted in Step 4 of Configure RSA Cloud Authentication Service.

c. IdP Signature Certificate: Upload the public certificate extracted in Step 4 of Configure RSA Cloud Authentication Service (the certificate only, never the private key).

7. In the Edit Identity Provider pop-up, click Show Advanced Settings.

8. In the Edit Identity Provider pop-up, under the advanced SAML Protocol Settings, do the following:

a. Request Binding: Select HTTP POST from the drop-down.

b. Clear the Request Signature check-box. Okta then sends its SAML authentication requests to the identity router unsigned.

c. Response Signature Verification: Select Response or Assertion from the drop-down. Okta then accepts a signature on either the SAML Response or the Assertion inside it.

d. Response Signature Algorithm: Select SHA-1 from the drop-down. This setting must correspond to the algorithm the identity router uses to sign its responses. SHA-1 is the weaker of the two choices, so if your identity router signs with SHA-256, select SHA-256 here instead.

9. Click the Add Identity Provider button.

10. In the Identity Providers list, expand the identity provider entry just created and copy the values of Assertion Consumer Service URL and Audience URI. These values are required in Step 5 of Configure RSA Cloud Authentication Service.

11. On the Identity Providers page, click the Routing Rules tab.

12. Click the Add Routing Rule button.

13. In the Add Rule pop-up, do the following:

a. Rule Name: Enter a suitable name for the routing rule.

b. Use this identity provider: Select the identity provider created above from the drop-down.

c. Click Create Rule.

14. In the Activate Rule? pop-up, click Activate.

Configuration is complete.
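
Every value that has to agree across the two consoles (the Issuer Entity ID entered as IdP Issuer URI, the ACS URL, the Audience URI, the unspecified NameID carrying the mail attribute, the JIT attributes and the signature algorithm chosen in Step 8d) surfaces in the SAML Response the identity router posts to Okta. The following pre-flight check is an added example, not code from RSA or Okta: it parses a constructed, unsigned skeleton of such a Response (only the SignatureMethod element is kept, so the algorithm URI can be read) and reports each value that would not line up, together with the Response Signature Algorithm setting Okta needs. The subdomain, IdP ID, audience string, issuer URL and the JIT attribute names are placeholders; the page does not list the attribute names RSA sends.

```python
"""Cross-console consistency check: read a SAML Response the way Okta will and
report values that do not match what was entered on each side."""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# XML-DSig SignatureMethod URIs mapped to the Okta "Response Signature Algorithm" choice
SIG_ALG = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Hypothetical configuration standing in for the values copied between the consoles;
# the JIT attribute names are assumed, the guide does not list them.
SAMPLE_CFG = {
    "acs_url": "https://mycompany.okta.com/sso/saml2/0oaEXAMPLEIDPID",
    "audience": "https://www.okta.com/saml2/service-provider/spEXAMPLESTRING",
    "issuer_entity_id": "https://idr.mycompany.example/saml/idp",
    "jit_attributes": ["firstName", "lastName", "email"],
}

# Constructed sample, not captured from a real identity router: an unsigned skeleton
# of the Response; only the SignatureMethod is kept so the algorithm can be read.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2020-04-02T00:00:00Z"
    Destination="{SAMPLE_CFG['acs_url']}">
  <saml:Issuer>{SAMPLE_CFG['issuer_entity_id']}</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-04-02T00:00:00Z">
    <saml:Issuer>{SAMPLE_CFG['issuer_entity_id']}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{NAMEID_UNSPECIFIED}">alice@mycompany.example</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SAMPLE_CFG['audience']}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@mycompany.example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, cfg):
    """Return {"findings": [...], "okta_signature_algorithm": ...}; an empty findings
    list means every value entered in one console matches what the other side sees."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != cfg["acs_url"]:
        findings.append("Destination != ACS URL (RSA Step 5a / Okta Step 10)")
    if root.findtext("saml:Issuer", namespaces=NS) != cfg["issuer_entity_id"]:
        findings.append("Issuer != IdP Issuer URI (RSA Step 4a / Okta Step 6a)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("Response carries no Assertion")
        return {"findings": findings, "okta_signature_algorithm": None}
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != cfg["audience"]:
        findings.append("Audience != Audience URI (RSA Step 5b / Okta Step 10)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_UNSPECIFIED:
        findings.append("NameID Format is not unspecified (RSA Step 6)")
    elif not EMAIL_RE.fullmatch(name_id.text or ""):
        findings.append("NameID is not an email address, so 'Match against Okta "
                        "Username or Email' (Okta Step 5b) will not find the user")
    present = {a.get("Name") for a in
               assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in cfg["jit_attributes"]:
        if name not in present:
            findings.append(f"JIT attribute {name!r} missing (RSA Step 7)")
    # Okta Step 8c accepts a signature on either the Response or the Assertion;
    # explicit None checks because an Element with no children is falsy
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        findings.append("neither Response nor Assertion is signed (Okta Step 8c)")
        algorithm = None
    else:
        algorithm = SIG_ALG.get(method.get("Algorithm"), "unsupported")
    return {"findings": findings, "okta_signature_algorithm": algorithm}


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, SAMPLE_CFG))
```

Once both consoles are configured, run check_response on a Response captured from the browser (decoded from the SAMLResponse form field) with the real values in place of SAMPLE_CFG. The check does not verify the XML signature itself; that remains Okta's job, and the IdP Signature Certificate uploaded in Step 6c is what it verifies against.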

For additional integrations, see the "Configuration Summary" section.
