To configure Microsoft Azure Active Directory as an IDP for SAML authentication with RSA Identity Governance & Lifecyle, follow the steps below:
Configure Microsoft Azure
- Log into the Microsoft Azure portal as an administrator.
- Select Azure Active Directory from the left-hand menu.
- Select Enterprise Applications from the left-hand menu.
- Click the New Application button and define a new application.
The new application should be of type Non-gallery application.

- Choose a name such as RSA Identity Governance & Lifecycle.
- After the application has been created, select the new application RSA Identity Governance & Lifecycle in the Enterprise applications | All Applications menu.
- Select single sign-on from the left-hand menu.
- Under Basic SAML Configuration:
- AveksaURL - Enter a valid URL for the Reply URL (Assertion Consumer Service URL). This must be the URL ending in /aveksa/main for the hostname (not IP address) and port for the RSA Identity Governance & Lifecycle server. If you are using a proxy or load balancer, the name and port must be the one used by external parties to access the site.
- Enter a value for Identifier (Entity ID). This may be any unique value but it is recommended that this be the same URL string used above.
- Enter a value for Sign on URL.This may be any unique value but it is recommended that this be the same URL string used above.
- Under User Attributes & Claims click the Edit icon.
Under Additional Claims:
- Identify the Claim name that exactly matches http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.
- Click on this entry to edit it.

- Identify a Microsoft AD User attribute that meets the following conditions.
- Uniquely identifies the Microsoft AD user.
- Is collected by the RSA Identity Governance & Lifecycle Identity Collector.
- Uniquely matches the RSA Identity Governance & Lifecyle user to the Microsoft AD user.
- UnifiedUserColumn - Identify a column in the RSA Identity & Governance T_MASTER_ENTERPRISE_USERS table that
- Uniquely identifies the RSA Identity Governance & Lifecycle user.
- Is collected by the RSA Identity Governance & Lifecycle Identity Collector.
- Uniquely matches the Microsoft AD user to the RSA Identity Governance & Lifecycle user.
Most likely the AD attribute will be user.onpremiseaccountname and most likely this will match to the RSA Identity Governance & Lifecycle USER_ID column.
- Edit the Source attribute.
- From the pull down menu select the Microsoft AD User attribute you have chosen.

Do not edit anything else on this screen.
- Click Save.
It is not necessary to make any other changes to the User Attributes & Claims section. Other attributes including the Required Claim attribute are ignored by RSA Identity Governance & Lifecycle.
- Under SAML Signing Certificate:
IDP Certificate - Click the Download link for the Certificate (Base64) and save this file for use in a subsequent step.

- Under Setup RSA Identity Governance & Lifecycle:
IdentityURL- Copy the Login URL for use in a subsequent step.

Configure RSA Identity Governance & Lifecycle
- In the RSA Identity Governance & Lifecycle user interface go to Admin > System > Authentication tab.
- Click Create Authentication Source
CAUTION: After creating or editing an Authentication Source, the RSA Identity Governance & Lifecycle server will need to be restarted for the changes to take effect. Note that if the authentication source is not functional and provisioning has not been made for an alternative authentication source, access to the server may not be possible.
- Select an authentication source name and choose the authentication type SSO SAML from the drown-down menu.
- Click Next. This brings you to the Configuration Information screen.
- Enter a value for the UnfiedUserColumn. This should be the value decided upon in section 9d above. Typically this should be USER_ID.
- Enter a value for the IdentityURL.This should be the URL saved in section 11 above.
- Accept the default value for SAMLAuthenticatorClass of com.aveksa.server.authentication.SAMLAuthenticatorImpl.
- Optionally (not required) enter a LogOffURL.
- Enter the AveksaURL. This should be identical to the value used in section 8a above.
- For the IDP Certificate click the Choose File button and select the certificate file saved in section 10 above.

- Click Finish.
|