Using an external SAML Version 2 SSO Agent identity provider (IdP), the identity router can automatically authenticate users who access protected applications while they are authenticated to the SAML IdP. This allows the users to bypass the portal logon page when accessing the RSA SecurID Access Application Portal or a custom portal to access SAML-enabled applications. As part of the process to configure this functionality, you must add a SAML 2 generic identity provider.
Before you begin
- You must be a Super Admin in the Cloud Administration Console.
- At least one identity router must be deployed and configured.
- At least one identity source must be connected to the identity router.
- A SAML 2-capable IdP must be available in your environment .
- Obtain the certificate.pem file from the IdP administrator. The identity router uses this certificate to validate signed assertions from the IdP.
- In the Cloud Administration Console, click Users > Identity Providers.
- Under SSO Agent Identity Providers, click Add.
- Click Add to add the SAML 2 Generic IdP provider type.
- In the Name field, enter a name for the new IdP or leave the default name. This name appears as a tooltip when users hover their mouse over the icon for this IdP on the application portal logon page. Choose a user-friendly name, and inform users that they can click the icon to authenticate using this IdP.
- (Optional) In the Description field, enter a description for the identity provider.
- Click Next Step.
- In the Audience ID field, enter an Audience ID for the SAML 2 identity provider. The Audience ID must be an alphanumeric string with no special characters.This value must match the Audience ID you specify on the SAML 2 identity provider.
- In the Audience URL field, enter an Audience URL for the SAML 2 identity provider. This value must match the Audience URL you specify on the SAML 2 identity provider.Use the following format: https://<identity_router_URL>/SPServlet?sp_id=<SP_ENTITY_ID>, where <identity_router_URL> is the URL of the identity router, or is the virtual IP address if you have a high-availability environment, and <SP_ENTITY_ID> is a unique identifier for the SAML 2 identity provider, for example, RSASecurIDAccessSAML2.
- In the Issuer ID field, enter the idp_id (IdP identifier) string. The Issuer ID string, sometimes called the IdP Entity ID, will be provided to you by the IdP administrator. An example string is 7k3hslw5u8pw2.
- In the Issuer URL field, enter the URL for the identity router, appended with an idp_id string that matches the unique idp_id that was automatically generated when the IdP was created. For example, https://mydomain.example.com/IdPServlet?idp_id=7k3hslw5u8pw2.
- As appropriate for your IdP, select the following actions to be applied to IdP requests.
Option Description Passive Sign-in When selected, the identity router sends a passive authentication request that does not require user interaction. Instead of sending a sign-in request, the IdP checks the user authentication state (for example, Kerberos tokens) in the browser. If the IdP cannot authenticate the user passively, the user is redirected back to the identity router without an assertion of identity. At least two IdPs and the portal must be defined as authentication sources to enable this behavior. Transform NameID to Lowercase Select this option when the identity router must translate incoming NameIDs to lower case.
Note: This option is useful when the IdP sends names in upper case or mixed case characters while users type their user names in all lower-case characters.
Sign Request Select this option if the IdP requires signed authentication requests. The identity router must have a private key to use this method. The corresponding certificate must reside on the IdP where it is used to verify the signed request.
- If you chose Sign Request and the warning No Private Key Loaded appears, you must select a private key file to sign the request. If you have an existing private key and a corresponding certificate, click Select File to upload the private key and provide the IdP administrator with the certificate to validate the signed identity request. Otherwise, perform these steps to generate a certificate bundle and use the private key and certificate from the bundle.
- Click Generate Certificate Bundle.
- Save the certificateBundle.zip zip file to a secure location in your file system.
- Open the zip file and extract the files cert.pem and private.key. You can ignore other items in the bundle as these are not used for SAML identity requests and responses.
- Click Select File (located to the right of the Sign Request checkbox) and select the private key file you just extracted (for example, private.key). Click OK to upload the key.
- Give the certificate (for example cert.pem) to the SAML IdP to validate the signed identity requests. The IdP administrator uses separate procedures to manage IdP keys and certificates. See the IdP documentation for instructions.
- Upload the certificate file you received from the IdP administrator (for example certificate.pem) to validate signed identity assertions from the IdP. Click Select File (located to the left of the Generate Certificate Bundle button). Select the certificate file you received from the IdP administrator and click OK.
- Click Next. The IdP access rule page displays.
- Specify parameters for one or more IP address ranges within your network that will authenticate using this IdP. If you do not set any IdP access policy rules, the portal applies the default rule allowing users from any IP address to access the IdP for authentication.
- From the Attribute drop-down list, select IpAddress.
- From the Operation drop-down list, select In Range.
- In the Value field, enter an IP address range such as 10.0.0.0/8.
- From the Effect drop-down list, select Allow Access or Deny Access.
- From the Policy Combination drop-down list, select the Policy Combination to apply to rule evaluation.
Policy Combination Option Description Deny Overrides (Default) Deny takes precedence over allow. Rule processing stops as soon as a deny is matched. This is the most restrictive option. Permit Overrides Allow takes precedence over deny. Rule processing stops as soon as an allow rule is matched. This is the least restrictive option. First Applicable Rule processing stops as soon as any rule is matched.
- (Optional) Click Add and repeat steps a through d to specify additional IP ranges.
- Click Next. The Portal Display page displays.
- In the IdP Icon section, leave the default icon, or click Change Icon to upload a new icon for the SAML IdP.
- Click Save and Finish to exit the wizard.
- (Optional) Click Publish Changes to activate the settings immediately.
After you finish
To ensure that IdP access rules are enforced, add the IdP as an authentication source. See Authentication Sources for information about adding authentication sources.