Configure settings to identify your company and provide Secure Sockets Layer (SSL) private keys and certificates to protect the RSA SecurID Access Application Portal. A Protected Domain Name is required only for SSO Agent deployments. Certificates are required when the SSO Agent is enabled on the identity router, or any time the Cloud Authentication Service is integrated with RSA Authentication Manager, even if the SSO Agent is disabled.
The first time you sign in to the Cloud Administration Console and access your account information, the Company Name and Company ID fields are preconfigured. Edit these settings to your company specifications.
Note: The Company Information page used in this task also displays the Customer Support ID, which is required when you register with RSA Customer Support.
Before you begin
- You must be a Super Admin for the Cloud Authentication Service.
- Complete the RSA SecurID Access Solution Architecture Workbook. Plan the protected domain name carefully. Once added, it is difficult to change. See the RSA SecurID Access Cloud Authentication Service Planning Guide for details and examples. This name is not required for deployments that do not use the SSO Agent.
- If you want to enable just-in-time synchronization for all identity sources, see Identity Sources for the Cloud Authentication Service.
- Obtain the private key, public certificate, and certificate chain required to configure SSL protection for the RSA SecurID Access Application Portal. You generate the private key using your own infrastructure, and you must submit a certificate signing request (CSR) to a trusted Certificate Authority (CA) to obtain the public certificate and certificate chain. Certificates are not required for deployments that do not use the SSO Agent. The specific instructions to generate the private key and CSR vary by CA. Ensure that:
  - The private key, in RSA format, is 2048-bit or greater and is not password-protected.
  - The certificate and certificate chain files are in X.509 PEM format. If you are prompted for a certificate format based on web server type, choose Apache.
  - The common name specified in the CSR uses the protected domain name, such as *.portal.example.com.
- Understand the following information before you upload the public certificate. The SSO Agent uses hostnames that depend on the methods used to connect to applications.
  - For SAML-based applications, all user traffic goes to the portal hostname (for example, https://portal.sso.example.com).
  - For HTTP-Federation (HFED) or Trusted Headers applications, the identity router uses a unique proxied hostname within the protected domain name (PDN) for each application webserver hostname (for example, https://www-appname-com.sso.example.com/... and https://anotherapp.
  SSO between applications. Because most customers eventually configure a mixture of SAML, HFED, and Trusted Headers applications, RSA recommends that you obtain a wildcard certificate valid for the PDN. With a wildcard certificate and wildcard DNS CNAME you can quickly add more applications to RSA SecurID Access without updating the certificate (with new subject alternative names) or modifying DNS entries (adding CNAMEs). If you use only SAML-based integrations, you can use a certificate that is valid only for the SSO Agent portal hostname.
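As an added example (not part of the RSA documentation or tooling), the key, CSR, and certificate prerequisites above can be checked locally with OpenSSL before anything is uploaded. The PDN `sso.example.com`, the file names, and the function names are assumptions, and a self-signed certificate stands in for the one your CA issues.

```bash
#!/usr/bin/env bash
# Added example; the PDN and file names are constructed for illustration.

# Create an unencrypted 2048-bit RSA key and a CSR whose CN is *.<PDN>.
make_key_and_csr() {  # args: DIR PDN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.$2" \
    -keyout "$1/portal.key" -out "$1/portal.csr" >/dev/null 2>&1
}

# Succeed only for an RSA private key of 2048+ bits with no passphrase.
check_key() {  # args: KEYFILE
  local bits
  # Legacy and PKCS#8 encrypted PEM keys both carry the word ENCRYPTED.
  if grep -q 'ENCRYPTED' "$1"; then echo "key is password-protected"; return 1; fi
  # "openssl rsa" rejects non-RSA keys; -text reports the modulus size.
  bits=$(openssl rsa -in "$1" -noout -text -passin pass: 2>/dev/null |
         sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
  if [ -z "$bits" ]; then echo "not a readable RSA key"; return 1; fi
  if [ "$bits" -lt 2048 ]; then echo "key is only $bits bits"; return 1; fi
}

# Succeed when the CSR common name is exactly the wildcard for the PDN.
check_csr_cn() {  # args: CSRFILE PDN
  openssl req -in "$1" -noout -subject | sed 's/^subject=//' |
    tr -d ' ' | tr ',/' '\n\n' | grep -qxF "CN=*.$2"
}

# Succeed when the private key and the certificate hold the same public key.
key_matches_cert() {  # args: KEYFILE CERTFILE
  local k c
  k=$(openssl rsa -in "$1" -pubout -passin pass: 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed walk-through: a self-signed certificate stands in for the CA's.
run_demo() {
  local d rc pdn=sso.example.com
  d=$(mktemp -d) || return 1
  make_key_and_csr "$d" "$pdn" &&
    openssl x509 -req -in "$d/portal.csr" -signkey "$d/portal.key" \
      -days 1 -out "$d/portal.crt" >/dev/null 2>&1 &&
    check_key "$d/portal.key" && check_csr_cn "$d/portal.csr" "$pdn" &&
    key_matches_cert "$d/portal.key" "$d/portal.crt" && echo "ready to upload"
  rc=$?; rm -rf "$d"; return $rc
}

run_demo
```

Against real files, run `check_key` on your private key and `key_matches_cert` on the key and the CA-issued certificate; a mismatch there means the certificate was issued for a different CSR.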
- In the Cloud Administration Console, click My Account > Company Settings and select the Company Information tab.
- In the Protected Domain Name field, enter the Protected Domain Name value from the RSA SecurID Access Solution Architecture Workbook. This is a unique domain name for your deployment, such as sso.example.com. Deployments that use the SSO Agent must have a protected domain name in order to publish changes to the identity router.
- Upload the following files:
  - The Private Key that matches the public certificate. Ensure that the private key is not password protected.
  - The Public Certificate that was issued from the certificate authority (CA) for your domain. This certificate must be a wildcard certificate.
  - The Certificate Chain that was provided by the CA, which is valid for your public certificate.
- In the Company ID field, enter the Company ID that users provide when registering the RSA SecurID Authenticate on their devices.
  The Company ID must have fewer than 255 characters and may only contain alphanumeric characters with no spaces. This value must be unique across all RSA customers.
  Note: After you change the Company ID, you must instruct users to provide the new value when registering the RSA SecurID Authenticate. Devices that are already registered are not affected.
- (Optional) In the Just-in-Time Synchronization field, click Enabled. This feature ensures that the cloud identity source is updated every time a user registers a device or authenticates. New users are added to the cloud identity source. Enablement affects all identity sources.
- Click Save Settings.