This section describes how to integrate RSA SecurID Access with Okta SSO using Relying Party. Relying party uses SAML 2.0 to integrate RSA SecurID Access as a SAML Identity Provider (IdP) to Okta SSO SAML Service Provider (SP).
Configure RSA Cloud Authentication Service
Perform these steps to configure RSA Cloud Authentication Service as a relying party SAML IdP to Okta SSO .
1. Sign into the RSA Cloud Administration Console and browse to Authentication Clients > Relying Parties and click Add a Relying Party.
2. From the Relying Party Catalog, select the +Add button for Service Provider SAML.
3. In the Basic Information section, enter a name and click Next Step.
4. In the Authentication section, do the following:
a. Under Authentication Details, select RSA SecurID Access manages all authentication.
b. Select appropriate primary and additional authentication methods.
c. Click Next Step.
a. Assertion Consumer Service (ACS) URL: Enter https://<mycompany>.okta.com/sso/saml2/<IdP-ID-from-Okta>, where <mycompany> is the Okta subdomain and <IdP-ID-from-Okta> is obtained from Step 10 of Configure Okta SSO.
Note: If these values are not available while doing this configuration, keep placeholder values which can be updated once configuration on Okta side is complete and actual values are available.
6. In the Message Protection section, click Download Certificate and save the certificate. This certificate is required in Step 6 of Configure Okta SSO.
7. Click Show Advanced Configuration.
8. Under Attribute Extension section, click on +Add button and add the following three attributes:
a. Attrbute Name: firstName, Attribute Source: Identity Source, Property: givenName
b. Attrbute Name: email, Attribute Source: Identity Source, Property: mail
c. Attrbute Name: lastName, Attribute Source: Identity Source, Property: sn
Note: These attributes are required to enable JIT user provisioning in Okta.
9. Click Save and Finish.
10. Click the Publish Changes button in the top left corner of the page, and wait for the operation to complete.
a. Select View or Download IdP Metadata from the Edit drop-down list to view and download an XML file containing your RSA SecurID Access IdP’s metadata.
b. Click Download Metadata File in the View or Download Identity Provider Metadata page to download the file. A file named IdpMetadata.xml should be downloaded.
c. Open the IdpMetadata.xml file in any text editor and find the value of entityID. This will be required in Step 6 of Configure Okta SSO
Configure Okta SSO
Perform these steps to integrate Okta SSO with RSA SecurID Access as a Relying Party SAML SP.
1. Log in to your Okta’s administrator account at the URL https://<mycompany>.okta.com/login/default.
2. On the Okta Admin console, click Security > Identity Providers.
3. On the Identity Providers page, click Add Identity Provider > Add SAML 2.0 IdP.
4. In the Edit Identity Provider pop-up, under General Settings, enter a suitable Name for the Identity Provider.
5. In the Edit Identity Provider pop-up, under Authentication Settings, do the following:
a. IdP Username: Select Idpuser.subjectNameId from the drop-down.
b. Match against: Select Okta Username or Email from the drop-down.
a. IdP Issuer URI: Enter the Entity ID as obtained from Step 11 of Configure RSA Cloud Authentication Service.
b. IdP Single Sign-On URL: Enter the Entity ID as obtained from Step 11 of Configure RSA Cloud Authentication Service.
c. IdP Signature Certificate: Enter the certificate obtained in Step 6 of Configure RSA Cloud Authentication Service.
7. In the Edit Identity Provider pop-up, click on Show Advanced Settings
8. In the Edit Identity Provider pop-up, under SAML Protocol Settings, do the following:
a. Request Binding: Select HTTP POST from the drop-down.
b. Clear the Request Signature check-box.
c. Response Signature Verification: Select Response or Assertion from the drop-down.
d. Response Signature Algorithm: Select SHA-1 from the drop-down.
9. Click Add Identity Provider button.
10. In the Identity Providers list, expand the Identity Provider entry just created, and copy the values for Assertion Consumer Service URL and Audience URI. These values will be required in Step 5 of Configure RSA Cloud Authentication Service.
11. On the Identity Providers page, click on the Routing Rules tab.
12. Click the Add Routing Rule button.
13. In the Add Rule pop-up, do the following:
a. Rule Name: Enter a suitable name for the routing rule.
b. Use this identity provider: Select the Identity Provider created above from the drop-down
c. Click Create Rule.
14. In the Activate Rule? pop-up, click Activate.
Configuration is complete.
For additional integrations, see "Configuration Summary" section.