Shibboleth IDP - SAML Relying Party Configuration - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development Employee on Sep 1, 2020
Version 1

This section describes how to integrate RSA SecurID Access with Shibboleth IDP using a Relying Party. The relying party integration uses SAML 2.0: RSA SecurID Access acts as the SAML Identity Provider (IdP), and Shibboleth IDP, although it is itself an IdP for its own applications, acts towards RSA SecurID Access as a SAML Service Provider (SP), proxying user authentication to it.

Architecture Diagram

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as a relying party SAML IdP for Shibboleth IDP.

Procedure

1. Sign into the RSA Cloud Administration Console and browse to Authentication Clients > Relying Parties and click Add a Relying Party.

2. From the Relying Party Catalog, select the +Add button for Service Provider SAML.

3. In the Basic Information section, enter a name and click Next Step.

4. In the Authentication section, do the following:

  1. Under Authentication Details, select RSA SecurID Access manages all authentication.
  2. Select appropriate primary and additional authentication methods. 
  3. Click Next Step.

5. On the Connection Profile page, under the Service Provider Metadata section, enter the following details:

  1. Assertion Consumer Service (ACS) URL: Enter https://<Shibboleth-Hostname>/idp/profile/Authn/SAML2/POST/SSO, where <Shibboleth-Hostname> is the hostname configured in your Shibboleth IDP. This is the endpoint of the Shibboleth SAML authentication flow (the proxy), not the IdP's regular SSO endpoint. The hostname can be found in the idp-metadata.xml file located in the folder <Shibboleth-Install-Location>\IdP\metadata\ (on the Windows Server where Shibboleth IDP is installed).
  2. Service Provider Entity ID: Enter https://<Shibboleth-Scope>/idp, where <Shibboleth-Scope> is the scope configured in Shibboleth IDP. The scope can be found in the idp.properties file located in the folder <Shibboleth-Install-Location>\IdP\conf\ (on the Windows Server where Shibboleth IDP is installed). Shibboleth IDP presents its own entity ID when it acts as the SP towards RSA SecurID Access, so the value entered here must match the idp.entityID property in the same file exactly; if the two differ, authentication requests from Shibboleth IDP will not be matched to this relying party.

Note:  <Shibboleth-Install-Location> refers to the directory where Shibboleth IDP is installed. In Windows, by default it is the directory "C:\Program Files (x86)\Shibboleth". Any step which mentions <Shibboleth-Install-Location> should be replaced with the actual path to the directory where Shibboleth IDP is installed in your system.

6. Click Show Advanced Configuration.

7. Under User Identity, in the NameID section, select the Identifier Type as unspecified and Property as sAMAccountName. Then click Save and Finish.

8. Click the Publish Changes button in the top left corner of the page, and wait for the operation to complete.

9. On the My Relying Parties page, click on the drop down icon beside the Edit button of the relying party configured above and click View or Download IdP Metadata.

10. On the View or Download Identity Provider Metadata page, click Download Metadata File. The file is downloaded with the name IdPMetadata.xml. Once the file is downloaded, click the Cancel button to return to the My Relying Parties page. This file is copied to the Shibboleth IDP server in Step 2 of the Shibboleth IDP configuration.

 

Configure Shibboleth IDP

Perform these steps to integrate Shibboleth IDP with RSA SecurID Access as a Relying Party SAML SP.

Procedure

Note:  <Shibboleth-Install-Location> refers to the directory where Shibboleth IDP is installed. In Windows, by default it is the directory "C:\Program Files (x86)\Shibboleth". Any step which mentions <Shibboleth-Install-Location> should be replaced with the actual path to the directory where Shibboleth IDP is installed in your system.

1. Log in to the server where Shibboleth IDP is installed.

2. Copy the metadata file downloaded in Step 10 of RSA Cloud Authentication Service configuration and put it in the folder <Shibboleth-Install-Location>\IdP\metadata\.

3. Edit the <Shibboleth-Install-Location>\IdP\conf\metadata-providers.xml file to add another MetadataProvider entry as shown below, pointing to the metadata file copied above.

<MetadataProvider id="CAS-Relying-Party" xsi:type="FilesystemMetadataProvider" metadataFile="<Shibboleth-Install-Location>\IdP\metadata\IdPMetadata.xml" />

Note:  Shibboleth IDP trusts the signing certificate and endpoints in this file as-is, so copy it only from the console download in Step 10 and keep the metadata\ folder writable by administrators only.

4. Edit the <Shibboleth-Install-Location>\IdP\conf\authn\saml-authn-config.xml file to add a new bean as shown below -

<bean id="shibboleth.authn.SAML.discoveryFunction" parent="shibboleth.Functions.Constant" c:target="https://rsa-sid-pe-01.auth-dev.securid.com/saml-fe/sso" />

The value for "target" is the Issuer Entity ID, that is, the entityID attribute of the EntityDescriptor element in the IdPMetadata.xml file downloaded in Step 10 of RSA Cloud Authentication Service configuration. The value shown above is an example from a test tenant; replace it with the entityID of your own tenant. This constant makes the SAML authentication flow send every proxied request to that one IdP, so no discovery service is involved.

5. Edit the <Shibboleth-Install-Location>\IdP\conf\c14n\subject-c14n.xml file to do the following -

  1. Uncomment the SAML2ProxyTransform bean

    <ref bean="c14n/SAML2ProxyTransform" />

  2. Add a new "value" inside the "list" element in the bean with id="shibboleth.ProxyNameTransformPredicate". The "value" must be the Issuer Entity ID obtained from the IdPMetadata.xml file downloaded in Step 10 of RSA Cloud Authentication Service configuration, and must be identical to the "target" entered in Step 4. The code looks as shown below -

    <value>https://rsa-sid-pe-01.auth-dev.securid.com/saml-fe/sso</value>

6. Edit the <Shibboleth-Install-Location>\IdP\conf\saml-nameid.xml file to add another bean under the SAML 2 NameID Generation block as shown below -

<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:omitQualifiers="true"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    p:attributeSourceIds="#{ {'sAMAccountName'} }" />

This generator builds the NameID that Shibboleth IDP issues to its own SPs from the sAMAccountName attribute, so that attribute must be defined in the attribute resolver (and released to the SP) for the NameID to be populated.

7. Edit the <Shibboleth-Install-Location>\IdP\conf\idp.properties file to add the SAML and/or MFA flows in idp.authn.flows parameter. Any new flow can be added to the end of the string using the pipe (|) character.

idp.authn.flows=Password|SAML|MFA

8. Edit the <Shibboleth-Install-Location>\IdP\conf\relying-party.xml file to add the authentication flow to the required SPs (those that need to be protected using RSA SecurID Access) by adding / modifying the "p:authenticationFlows" parameter of the SAML2.SSO bean in the profileConfigurations list of the relying party override for each such SP, as shown below -

<bean parent="SAML2.SSO" p:encryptAssertions="false" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:authenticationFlows="SAML"/>

Note:  The supported flows for RSA SecurID Access are SAML and MFA. Repeat the above step for each application which needs to be protected using RSA SecurID Access. Disabling assertion encryption is not required for the RSA SecurID Access integration; set p:encryptAssertions="false" only for an SP that cannot decrypt assertions, and leave encryption enabled otherwise.

9. (Optional Step) - This step is only required if MFA authentication flow is used for any SPs protected by RSA SecurID Access according to Step 8 above.

Edit the <Shibboleth-Install-Location>\IdP\conf\authn\mfa-authn-config.xml file to add the SAML flow as required to an existing MFA transition map as shown below -

<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- Run authn/Password first. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <!-- If that returns "proceed", run authn/SAML (RSA SecurID Access) next. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/SAML" />
    </entry>
</util:map>

Note:  If Password is configured as the Primary authentication method in Step 4(b) of RSA Cloud Authentication Service configuration, RSA SecurID Access prompts for and validates the LDAP password and any additional factors configured (such as Approve or Biometric) even if Shibboleth IDP has already validated the password. To avoid two LDAP username and password prompts (one from Shibboleth IDP and one from RSA SecurID Access), do not run a password flow before the SAML flow in the MFA transition map when Password is the Primary authentication method in RSA Cloud Authentication Service. This applies only when the MFA flow is configured in Shibboleth IDP.

10. Save all the configuration files and restart the Shibboleth IDP service. Wait for about 30 seconds after the service start up before proceeding.
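Before restarting, it is worth confirming that both sides of the integration agree on the two identifiers the procedure exchanges. The Python script below is an added example, not code from the RSA guide or from the Shibboleth project: it derives the ACS URL and SP Entity ID that Step 5 of the RSA console procedure asks for from idp.properties and idp-metadata.xml, extracts the Issuer Entity ID from the downloaded IdPMetadata.xml, and checks that metadata-providers.xml, saml-authn-config.xml and subject-c14n.xml (Shibboleth Steps 3 to 5) all reference that same entityID, ignoring commented-out XML. All inputs are constructed samples with made-up hostnames, and the Spring XML fragments are abbreviated to the elements the checks look at.

```python
"""Cross-check the values exchanged between RSA SecurID Access and Shibboleth IdP.
Added example (not from the RSA guide or the Shibboleth project); standard library only.
All XML/properties strings below are constructed samples with made-up hostnames; in
practice read the real files from <Shibboleth-Install-Location>\\IdP\\conf and \\IdP\\metadata."""
import re
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
ACS_PATH = "/idp/profile/Authn/SAML2/POST/SSO"  # endpoint of Shibboleth's SAML authn flow


def _parse_properties(text: str) -> dict:
    """Minimal Java .properties reader (key=value lines, '#' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def _strip_comments(xml_text: str) -> str:
    """Drop XML comments so commented-out beans do not count as configured."""
    return re.sub(r"<!--.*?-->", "", xml_text, flags=re.S)


def rsa_console_values(idp_properties: str, idp_metadata_xml: str) -> dict:
    """Console step 5: ACS URL from the IdP's hostname, and the SP Entity ID, which is the
    Shibboleth IdP's own idp.entityID (it is the SP towards RSA). The entityID attribute of
    idp-metadata.xml is returned as well so a mismatch between the two is visible."""
    props = _parse_properties(idp_properties)
    root = ET.fromstring(idp_metadata_xml)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", MD_NS)
    host = re.match(r"https://([^/]+)/", sso.get("Location")).group(1)
    return {"acs_url": f"https://{host}{ACS_PATH}",
            "sp_entity_id": props["idp.entityID"],
            "metadata_entity_id": root.get("entityID")}


def rsa_idp_entity_id(rsa_idp_metadata_xml: str) -> str:
    """Issuer Entity ID from the IdPMetadata.xml downloaded in console step 10."""
    root = ET.fromstring(rsa_idp_metadata_xml)
    if root.find("md:IDPSSODescriptor", MD_NS) is None:
        raise ValueError("downloaded file is not SAML IdP metadata")
    return root.get("entityID")


def check_shibboleth_config(entity_id: str, metadata_providers_xml: str,
                            saml_authn_config_xml: str, subject_c14n_xml: str) -> list:
    """Problems with Shibboleth steps 3-5; an empty list means the files agree."""
    problems = []
    mp = _strip_comments(metadata_providers_xml)
    if not re.search(r'<MetadataProvider\b[^>]*metadataFile="[^"]*IdPMetadata\.xml"', mp, re.I):
        problems.append("metadata-providers.xml: no MetadataProvider points at IdPMetadata.xml")
    m = re.search(r'id="shibboleth\.authn\.SAML\.discoveryFunction"[^>]*c:target="([^"]+)"',
                  _strip_comments(saml_authn_config_xml))
    if m is None:
        problems.append("saml-authn-config.xml: discoveryFunction bean missing")
    elif m.group(1) != entity_id:
        problems.append(f"saml-authn-config.xml: c:target is {m.group(1)!r}, expected {entity_id!r}")
    c14n = _strip_comments(subject_c14n_xml)
    if '<ref bean="c14n/SAML2ProxyTransform"' not in c14n:
        problems.append("subject-c14n.xml: c14n/SAML2ProxyTransform is still commented out")
    if f"<value>{entity_id}</value>" not in c14n:
        problems.append("subject-c14n.xml: ProxyNameTransformPredicate lacks the RSA entityID")
    return problems


# --- constructed sample inputs (structure abbreviated, hostnames made up) ------------
IDP_PROPERTIES = """# idp.properties (excerpt)
idp.entityID= https://idp.example.edu/idp/shibboleth
idp.scope= example.edu
idp.authn.flows= Password|SAML|MFA"""
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example.edu/idp/shibboleth"><IDPSSODescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
</IDPSSODescriptor></EntityDescriptor>"""
RSA_ENTITY_ID = "https://tenant.example.test/saml-fe/sso"
RSA_IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="{RSA_ENTITY_ID}"><IDPSSODescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="{RSA_ENTITY_ID}"/>
</IDPSSODescriptor></EntityDescriptor>"""
METADATA_PROVIDERS = ('<MetadataProvider id="CAS-Relying-Party" xsi:type="FilesystemMetadataProvider" '
                      'metadataFile="C:\\Program Files (x86)\\Shibboleth\\IdP\\metadata\\IdPMetadata.xml" />')
SAML_AUTHN_CONFIG = (f'<bean id="shibboleth.authn.SAML.discoveryFunction" '
                     f'parent="shibboleth.Functions.Constant" c:target="{RSA_ENTITY_ID}" />')
SUBJECT_C14N = f"""<ref bean="c14n/SAML2ProxyTransform" />
<bean id="shibboleth.ProxyNameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId">
    <constructor-arg><list><value>{RSA_ENTITY_ID}</value></list></constructor-arg>
</bean>"""

if __name__ == "__main__":
    print(rsa_console_values(IDP_PROPERTIES, IDP_METADATA))
    rsa_id = rsa_idp_entity_id(RSA_IDP_METADATA)
    print("problems:", check_shibboleth_config(rsa_id, METADATA_PROVIDERS, SAML_AUTHN_CONFIG, SUBJECT_C14N))
```

To run it against a real installation, read the four Shibboleth files and the downloaded IdPMetadata.xml with open() and pass their contents in place of the sample constants. The script treats idp.entityID as authoritative for the SP Entity ID because that is what Shibboleth IDP sends as the Issuer of its proxied authentication requests; if the value differs from what was typed into the RSA console in Step 5, the relying party lookup on the RSA side fails before any password or MFA prompt appears.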

Configuration is complete.

Return to the main page for more certification related information.
