Configure Advanced Settings for a SAML Connection

Document created by RSA Information Design and Development on Jul 13, 2016Last modified by RSA Information Design and Development on Sep 15, 2017
Version 19

Advanced configuration settings for a connection between a SAML-enabled web application and RSA SecurID Access are optional. Complete these settings only if you are adding a connection to a SAML application with a non-standard configuration.

Before you begin

  • You must be a Super Admin for the Cloud Administration Console to perform this task.
  • This topic assumes you have configured the minimum required settings on the Connection Profile page in the wizard to add a SAML connection, as described in Add a SAML Application.

Procedure

  1. On the Connection Profile page of the wizard, scroll to the bottom and click Show Advanced Configuration.
  2. In the Attribute Extension section, specify one or more NameID attributes. Each extended attribute can either map to a single identity source/attribute pair, or, with attribute hunting, map to multiple identity source/attribute pairs.
    Field – Description

    Attribute Source – Select Identity Source to specify an Attribute Name that maps to a single selected Identity Source and Property (attribute) pair, or select the attribute hunting option to map the Attribute Name to multiple Identity Source and Property value pairs (configured under Manage, below).

    Attribute Name – Enter the name of the extended attribute.

    Identity Source – Select an identity source.

    Property – Select an attribute from the selected identity source.

    Manage – (Attribute hunting only) To map multiple identity source/attribute pairs to the extended attribute specified in the Attribute Name column, do this:
      1. Click the pencil icon.
      2. In the Attribute Hunting Details dialog box, select an Identity Source and Property (attribute) pair to map to the specified attribute.
      3. To map additional identity source and property pairs to the attribute, click ADD.
  3. In the NameID Modification section, specify options to modify the name identifier so that it uses the format the service provider expects. Select all that apply.

    Option – Description

    Change Case – Change the NameID string to all uppercase or all lowercase letters.

    Add Prefix – Enter a prefix for the NameID.

    Add Suffix – Enter a suffix for the NameID.

    Remove String – Enter a regular expression; every match is deleted from the NameID. For example, if the NameID is an email address (such as jdoe@example.com), the regular expression @(.*)$ removes the @ character and the domain name (the result is jdoe).

    Concatenate Attributes – Enter user attributes to append their values to the NameID.

  4. Specify Uncommon SAML Response Formatting Options to include in the outgoing SAML response.
    1. For Sign Outgoing Assertion, select one of the following options for signing the SAML response:
      • Entire SAML response (default)
      • Assertion within response
    2. Select the algorithms used for the signature:
      • Signature Algorithm – The algorithm used to sign the outgoing assertion.
      • Digest Algorithm – The digest (hash) algorithm used while signing the outgoing assertion.
    3. Select Encrypt Assertion to encrypt the SAML assertion with the SP's public key loaded on the IdP, so that it can only be decrypted with the corresponding private key loaded in the SSO settings on the SP.
    4. Select the encryption parameters, as requested by the SP, to apply to the Encryption Algorithm and the Encryption Key Transport.
    5. Select Send encoded URL in outgoing assertion to specify that the identity router URL-encodes the Relay State in the SAML response that the SP receives.
    6. Select Include Issuer NameID Format to override the default format of the SAML Issuer Entity ID, and then select one of the following formatting options:
      • Unspecified
      • Email Address
      • X.509 Subject Name
      • Windows Domain Qualified Name
      • Kerberos Principal Name
      • Entity Identifier
      • Transient Identifier
      • Persistent Identifier
    This step completes the optional, advanced Connection Profile settings for the SAML configuration. Do one of the following:
    • If you have completed all required steps in the configuration wizard as described in Add a SAML Application, perform the remaining steps in this procedure.
    • If you have not completed the required User Access or Portal Display pages of the wizard, return to step 10 in Add a SAML Application, and complete the steps in that topic.
  5. When you finish making changes, and no other changes are required on other pages, go to the last page of the wizard and click Save and Finish.
  6. (Optional) To publish this configuration and immediately activate it on the identity router, click Publish Changes.
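The NameID Modification options in step 3 are easiest to reason about as a transformation pipeline. The following is an added example (not RSA's code) that models those options on the page's own sample, jdoe@example.com with the Remove String expression @(.*)$; the order in which the product applies the options is not stated on this page, so the order used here is an assumption, as is the no-separator behaviour of Concatenate Attributes.

```python
import re

# Added illustration of the NameID Modification options; not RSA's own code.
# Assumed processing order: Remove String, Change Case, Concatenate Attributes,
# Add Prefix, Add Suffix.

def modify_name_id(name_id, attributes=None, change_case=None, prefix="",
                   suffix="", remove_regex=None, concatenate=()):
    """Return the NameID after applying the selected modification options.

    name_id      -- identifier taken from the identity source, e.g. an email
    attributes   -- dict of user attributes available to Concatenate Attributes
    change_case  -- None, "upper" or "lower"
    remove_regex -- Remove String expression; every match is deleted
    concatenate  -- attribute names whose values are appended to the NameID
    """
    attributes = attributes or {}
    value = name_id
    if remove_regex:
        value = re.sub(remove_regex, "", value)      # Remove String
    if change_case == "upper":
        value = value.upper()                        # Change Case
    elif change_case == "lower":
        value = value.lower()
    for attr in concatenate:
        value += attributes.get(attr, "")            # Concatenate (assumed: no separator)
    value = prefix + value + suffix                  # Add Prefix / Add Suffix
    if not value:
        # An over-broad Remove String expression erases the whole NameID and
        # the SP would receive an empty identifier; refuse to emit that.
        raise ValueError("NameID modification produced an empty identifier")
    return value


def remove_string_is_safe(remove_regex, samples):
    """Check a Remove String expression against sample NameIDs before you
    save it: it must compile and must not empty any of the samples."""
    try:
        pattern = re.compile(remove_regex)
    except re.error:
        return False
    return all(pattern.sub("", s) for s in samples)
```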

Results

After saving the SAML application configuration, you can export the IdP metadata from My Applications, and send it to the SP administrator. For instructions on exporting SAML metadata, see Export SAML Metadata From an Application on the Identity Router.
