Shibboleth IDP - SAML SSO Agent Configuration - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development Employee on Sep 1, 2020
Version 1

This section describes how to integrate RSA SecurID Access with Shibboleth IDP using a SAML SSO Agent.

Architecture Diagram

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to Shibboleth IDP.

Procedure

Note:  The Shibboleth IDP SAML SSO connector will be available in the Application Catalog shortly. Until then, create the connector from the generic SAML Direct template:

1(a). Sign into the RSA Cloud Administration Console, browse to Applications > Application Catalog, and click +Create From Template.

1(b). In the Choose Connector Template dialog, click Select next to the SAML Direct template.

Then continue from Step 2 below.

1. Sign into the RSA Cloud Administration Console and browse to Applications > Application Catalog, search for Shibboleth IDP and click +Add to add the connector.

2. On the Basic Information page, enter a name for the application in the Name field, and click Next Step.

3. In the Initiate SAML Workflow section, in the Connection URL field, enter the URL of the third-party SP (the application protected by Shibboleth IDP) that generates the SAML AuthnRequest to Shibboleth IDP.

4. In the SAML Identity Provider (Issuer) section, do the following:

  1. Note the Issuer Entity ID. It is required in Steps 4 and 5(b) of the Shibboleth IDP configuration and must be copied exactly (it is compared as a string, so case and trailing characters matter).
  2. Click Generate Cert Bundle to generate and download a zip file containing the private key and certificate. Unzip the downloaded file to extract the certificate and private key. The private key signs every assertion the SSO Agent issues to Shibboleth IDP, so keep the bundle in a protected location and delete working copies after upload.
  3. Select the first Choose File and upload the RSA SecurID Access private key.
  4. Select the second Choose File and upload the RSA SecurID Access public certificate.

5. In the Service Provider section, do the following:

  1. In the Assertion Consumer Service (ACS) URL field, replace <Shibboleth-Hostname> with the hostname configured in your Shibboleth IDP. The hostname can be found in the idp-metadata.xml file located in the folder <Shibboleth-Install-Location>\IdP\metadata\ (on the Windows Server where Shibboleth IDP is installed). The ACS URL will be of the form https://<Shibboleth-Hostname>/idp/profile/Authn/SAML2/POST/SSO.
  2. In the Audience (Service Provider Entity ID) field, replace <Shibboleth-Scope> with the scope configured in Shibboleth IDP. The scope can be found in the idp.properties file located in the folder <Shibboleth-Install-Location>\IdP\conf\ (on the Windows Server where Shibboleth IDP is installed). The Entity ID will be of the form https://<Shibboleth-Scope>/idp. Shibboleth IDP rejects any assertion whose Audience does not exactly match the entity ID it presents as a service provider, so copy the value verbatim, including the scheme and the trailing /idp.

Note:  <Shibboleth-Install-Location> refers to the directory where Shibboleth IDP is installed. In Windows, by default it is the directory "C:\Program Files (x86)\Shibboleth". Any step which mentions <Shibboleth-Install-Location> should be replaced with the actual path to the directory where Shibboleth IDP is installed in your system.

6. In the User Identity section, select unspecified from the Identifier Type drop-down list, select the name of your user identity source, and select sAMAccountName as the property value. These two choices must match the NameID format and attribute configured in Step 6 of the Shibboleth IDP configuration. Then click Next Step.

7. On the User Access page, select the access policy the identity router will use to determine which users can access the 3rd party application protected by Shibboleth IDP service provider. Click Next Step.

8. On the Portal Display page, configure the portal display and other settings. Click Save and Finish.

9. Click Publish Changes in the top left corner of the page, and wait for the operation to complete.

10. On the My Applications page, click the drop-down icon beside the Edit button of the application configured above and click Export Metadata. The file is downloaded with the name <ApplicationName>-idp-metadata.xml, where <ApplicationName> is the name given in Step 2 above. This file is uploaded to Shibboleth IDP in Step 2 of the Shibboleth IDP configuration.

Note:  If the metadata file gets downloaded with an extra ".xml" in its name, remove the extra ".xml" before proceeding further.


Configure Shibboleth IDP

Perform these steps to integrate Shibboleth IDP with RSA SecurID Access as a SAML SSO Agent.

Procedure

Note:  <Shibboleth-Install-Location> refers to the directory where Shibboleth IDP is installed. In Windows, by default it is the directory "C:\Program Files (x86)\Shibboleth". Any step which mentions <Shibboleth-Install-Location> should be replaced with the actual path to the directory where Shibboleth IDP is installed in your system.

1. Log in to the server where Shibboleth IDP is installed.

2. Copy the metadata file downloaded in Step 10 of RSA Cloud Authentication Service configuration and put it in the folder <Shibboleth-Install-Location>\IdP\metadata\.

3. Edit the <Shibboleth-Install-Location>\IdP\conf\metadata-providers.xml file to add another MetadataProvider entry, as shown below, pointing to the metadata file copied above. The metadataFile name is the one exported in Step 10 of the RSA Cloud Authentication Service configuration (in this example the application was named Shibboleth_IDP).

<MetadataProvider id="CAS-SSO-Agent" xsi:type="FilesystemMetadataProvider" metadataFile="<Shibboleth-Install-Location>\IdP\metadata\Shibboleth_IDP-idp-metadata.xml" />

4. Edit the <Shibboleth-Install-Location>\IdP\conf\authn\saml-authn-config.xml file to add a new bean as shown below -

<bean id="shibboleth.authn.SAML.discoveryFunction" parent="shibboleth.Functions.Constant" c:target="shib-idp-test" />

The c:target value is the Issuer Entity ID noted in Step 4(a) of the RSA Cloud Authentication Service configuration; it tells the SAML authentication flow which IdP (the RSA SSO Agent) to send the AuthnRequest to, and must match the entityID in the imported metadata.

5. Edit the <Shibboleth-Install-Location>\IdP\conf\c14n\subject-c14n.xml file to do the following -

  1. Uncomment the SAML2ProxyTransform bean

    <ref bean="c14n/SAML2ProxyTransform" />

  2. Add a new "value" inside the "list" element of the bean with id="shibboleth.ProxyNameTransformPredicate". The "value" is the Issuer Entity ID obtained in Step 4(a) of the RSA Cloud Authentication Service configuration, so that the proxied NameID from the RSA SSO Agent is accepted for subject canonicalization. The entry looks like this:

    <value>shib-idp-test</value>

6. Edit the <Shibboleth-Install-Location>\IdP\conf\saml-nameid.xml file to add another bean under the SAML 2 NameID Generation block as shown below -

<bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:omitQualifiers="true"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    p:attributeSourceIds="#{ {'sAMAccountName'} }" />

7. Edit the <Shibboleth-Install-Location>\IdP\conf\idp.properties file to add the SAML and/or MFA flows to the idp.authn.flows parameter. Flows are separated by the pipe (|) character; append the new flow to the end of the existing value.

idp.authn.flows=Password|SAML|MFA

8. Edit the <Shibboleth-Install-Location>\IdP\conf\relying-party.xml file to add the authentication flow to the required SPs (those that need to be protected using RSA SecurID Access) by adding / modifying the "p:authenticationFlows" parameter for the respective beans as shown below -

<bean parent="SAML2.SSO" p:encryptAssertions="false" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:authenticationFlows="SAML"/>

Note:  The supported flows for RSA SecurID Access are SAML and MFA. Repeat the above step for each application that needs to be protected using RSA SecurID Access. Only p:authenticationFlows needs to be added or changed; the p:encryptAssertions="false" and p:nameIDFormatPrecedence settings in the example are that relying party's existing profile settings, not requirements of this integration. Do not turn off assertion encryption for an SP that supports it just to match the example.

9. (Optional Step) - This step is only required if MFA authentication flow is used for any SPs protected by RSA SecurID Access according to Step 8 above.

Edit the <Shibboleth-Install-Location>\IdP\conf\authn\mfa-authn-config.xml file to add the SAML flow as required to an existing MFA transition map as shown below -

<util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- Run authn/Password first. -->
    <entry key="">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <!-- If that returns "proceed", run authn/SAML (RSA SecurID Access) next. -->
    <entry key="authn/Password">
        <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/SAML" />
    </entry>
</util:map>

Note:  RSA SecurID Access prompts for and validates both the LDAP password and any additional factors configured (such as Approve or Biometric), even if the password has already been validated by Shibboleth IDP. It is therefore recommended not to run a password method before invoking RSA SecurID Access, to avoid two prompts for the LDAP username and password (one from Shibboleth and another from RSA SecurID Access). With the transition map above, that means placing authn/SAML in the initial (key="") transition rather than after authn/Password. This applies only when the MFA flow is configured in Shibboleth IDP.

10. Save all the configuration files and restart the Shibboleth IDP service. Wait for about 30 seconds after the service start up before proceeding.

Configuration is complete.
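Most failures of this integration come from an identifier that was copied by hand into the wrong place: the Issuer Entity ID from Step 4(a) of the RSA Cloud Authentication Service configuration has to appear verbatim as the c:target in saml-authn-config.xml (Shibboleth Step 4) and as the value in the ProxyNameTransformPredicate list (Step 5b), the SAML2ProxyTransform ref must actually be uncommented, and every relying party that asks for SAML or MFA needs that flow enabled in idp.authn.flows (Steps 7 and 8). The script below is an added example, not part of the RSA guide or of the Shibboleth distribution. It parses the exported SSO Agent metadata and the four Shibboleth files touched above, reports each mismatch, and also builds the ACS URL and Audience expected in RSA Step 5 from idp-metadata.xml and idp.properties the way the guide describes. All file contents embedded in it are constructed samples (hostname, scope and the issuer value shib-idp-test are assumptions); point it at the real files under <Shibboleth-Install-Location>\IdP on your own server.

```python
"""Cross-check RSA SecurID Access SSO Agent <-> Shibboleth IDP settings (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
B = "{http://www.springframework.org/schema/beans}"
C_TARGET = "{http://www.springframework.org/schema/c}target"
P_FLOWS = "{http://www.springframework.org/schema/p}authenticationFlows"

# --- constructed sample files; replace with the real ones under <Shibboleth-Install-Location>\IdP ---
SSO_AGENT_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="shib-idp-test">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
IDP_PROPERTIES = """# constructed idp.properties excerpt
idp.entityID= https://idp.example.com/idp/shibboleth
idp.scope= example.com
idp.authn.flows= Password|SAML|MFA
"""
SAML_AUTHN_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:c="http://www.springframework.org/schema/c">
  <bean id="shibboleth.authn.SAML.discoveryFunction" parent="shibboleth.Functions.Constant" c:target="shib-idp-test"/>
</beans>"""
SUBJECT_C14N = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util">
  <util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
    <ref bean="c14n/SAML2ProxyTransform"/>
  </util:list>
  <bean id="shibboleth.ProxyNameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId">
    <constructor-arg name="candidates"><list><value>shib-idp-test</value></list></constructor-arg>
  </bean>
</beans>"""
RELYING_PARTY = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:c="http://www.springframework.org/schema/c" xmlns:p="http://www.springframework.org/schema/p"
    xmlns:util="http://www.springframework.org/schema/util">
  <util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.com/shibboleth">
      <property name="profileConfigurations"><list>
        <bean parent="SAML2.SSO" p:encryptAssertions="false" p:authenticationFlows="SAML"/>
      </list></property>
    </bean>
  </util:list>
</beans>"""


def properties(text):
    """Minimal Java .properties reader: key=value pairs, '#' comments, whitespace trimmed."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def issuer_entity_id(metadata_xml):
    """Issuer Entity ID = entityID of the exported SSO Agent metadata (RSA Step 4a)."""
    return ET.fromstring(metadata_xml).get("entityID")


def expected_sp_values(idp_metadata_xml, props):
    """ACS URL and Audience to enter in RSA Step 5, built as the guide describes."""
    host = urlparse(ET.fromstring(idp_metadata_xml).get("entityID")).hostname
    return (f"https://{host}/idp/profile/Authn/SAML2/POST/SSO", f"https://{props['idp.scope']}/idp")


def check_shibboleth(agent_md, saml_authn, c14n, props_text, relying_party):
    """Return a list of mismatches across the edited files; an empty list means they agree."""
    issuer, problems = issuer_entity_id(agent_md), []
    bean = ET.fromstring(saml_authn).find(f".//{B}bean[@id='shibboleth.authn.SAML.discoveryFunction']")
    target = bean.get(C_TARGET) if bean is not None else None
    if target != issuer:
        problems.append(f"saml-authn-config.xml c:target {target!r} != issuer {issuer!r}")
    c14n_root = ET.fromstring(c14n)
    if c14n_root.find(f".//{B}ref[@bean='c14n/SAML2ProxyTransform']") is None:
        problems.append("subject-c14n.xml: c14n/SAML2ProxyTransform is not referenced (still commented out?)")
    values = [v.text for v in c14n_root.findall(
        f".//{B}bean[@id='shibboleth.ProxyNameTransformPredicate']//{B}value")]
    if issuer not in values:
        problems.append(f"subject-c14n.xml ProxyNameTransformPredicate {values} lacks {issuer!r}")
    flows = {f.strip() for f in properties(props_text).get("idp.authn.flows", "").split("|")}
    if "SAML" not in flows:
        problems.append("idp.properties: idp.authn.flows does not enable SAML")
    for sso in ET.fromstring(relying_party).findall(f".//{B}bean[@parent='SAML2.SSO']"):
        for flow in (f.strip() for f in sso.get(P_FLOWS, "").split(",")):
            if flow and flow not in flows:
                problems.append(f"relying-party.xml requests flow {flow!r} not in idp.authn.flows")
    return problems


if __name__ == "__main__":
    print("RSA Step 5 values:", expected_sp_values(IDP_METADATA, properties(IDP_PROPERTIES)))
    print("mismatches:", check_shibboleth(SSO_AGENT_METADATA, SAML_AUTHN_CONFIG,
                                          SUBJECT_C14N, IDP_PROPERTIES, RELYING_PARTY))
```

Run it before restarting the service in Step 10; an empty mismatch list is the expected result. Because XML comments are invisible to the parser, a SAML2ProxyTransform ref that was left commented out shows up as "not referenced", which is the usual cause of the proxied login failing at canonicalization.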

Return to the main page for more certification-related information.
