As part of the process to enable Integrated Windows Authentication (IWA), you must install and configure the RSA SecurID Access IWA Connector on a Windows Server 2008 R2 or Windows Server 2012 R2 server connected to your RSA SecurID Access deployment.
Before you begin
- You must be a Super Admin in the Cloud Administration Console.
- You must have system administrator rights on the server where you want to install IWA.
- The following must be installed and configured on the server where you want to install IWA:
  - Windows Server 2008 R2 or Windows Server 2012 R2
  - .NET Framework 4.5
  - ASP.NET 4.5
  - Internet Information Services (IIS) 7 with the following capabilities:
    - .NET Framework 4.5
    - ASP.NET 4.5
    - HTTPS binding enabled in IIS with a valid SSL certificate
  - IIS Role Components:
    - Application Development > ASP
    - Application Development > ASP.NET 4.5
    - Security > Windows Authentication
    - Management Tools > IIS6 Management Compatibility
- You must have access to a personal information exchange (.pfx) file generated from matching private key (.key) and certificate (.pem) files. You can issue the certificate and private key using your own company infrastructure, or from the Cloud Administration Console. For instructions, see Generate and Download a Certificate Bundle for Service Providers and Identity Providers for the SSO Agent. You can then use a third-party SSL toolkit to generate the .pfx file. The certificate must not have a password.
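The .pfx bundling step above, shown as an added example that is not part of the RSA documentation: a POSIX shell script that uses the openssl command-line tool (the page names only a "third-party SSL toolkit"; openssl is this example's assumption) to combine the certificate (.pem) and matching private key (.key) into a .pfx with no password, restrict the file to its owner, and verify that the bundle opens with an empty password and carries the expected certificate and key. The `-name` friendly name, all file names, and the self-signed pair created by `demo_pfx` are placeholders constructed for the example. The script also pins the PKCS#12 encryption to the SHA-1/3DES algorithms: the OpenSSL 3 defaults (AES-256 with a SHA-256 MAC) cannot be imported on Windows Server 2008 R2 or 2012 R2, a compatibility note that goes beyond what the page states.

```shell
#!/bin/sh
# Added example (not RSA's code): build a password-less .pfx for the
# IWA Connector from a PEM certificate and its private key, then check it.
# Assumes the openssl CLI is on PATH. All file names are placeholders.
set -eu

# make_pfx CERT.pem KEY.key OUT.pfx
# Empty export password (-passout pass:) because the installer requires a
# certificate without a password. The bundle therefore carries the private
# key with no protection of its own, so it is created owner-readable only.
# The PBE/MAC options select the pre-OpenSSL-3 algorithms; the OpenSSL 3
# defaults (AES-256, SHA-256 MAC) are rejected by Windows Server 2008 R2/2012 R2.
make_pfx() {
    cert="$1"; key="$2"; out="$3"
    ( umask 077
      openssl pkcs12 -export \
          -in "$cert" -inkey "$key" \
          -name "RSA SecurID Access IWA Connector" \
          -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 \
          -passout pass: \
          -out "$out" )
}

# verify_pfx OUT.pfx CERT.pem
# Succeeds only if the bundle opens with an empty password, contains the
# same certificate (by SHA-256 fingerprint) that was supplied, and its
# private key matches the public key in that certificate.
verify_pfx() {
    out="$1"; cert="$2"
    bundled_cert=$(openssl pkcs12 -in "$out" -passin pass: -nokeys -clcerts 2>/dev/null \
                   | openssl x509 -noout -fingerprint -sha256 2>/dev/null || true)
    expected_cert=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
    bundled_pub=$(openssl pkcs12 -in "$out" -passin pass: -nocerts -nodes 2>/dev/null \
                  | openssl pkey -pubout 2>/dev/null || true)
    expected_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    [ -n "$bundled_cert" ] && [ "$bundled_cert" = "$expected_cert" ] \
        && [ -n "$bundled_pub" ] && [ "$bundled_pub" = "$expected_pub" ]
}

# demo_pfx: self-test on throwaway self-signed material (constructed for the
# example, not a real IWA certificate). Returns 0 when the bundle built from
# the pair verifies and a bundle checked against an unrelated cert does not.
demo_pfx() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=iwa-connector.example.test" \
        -keyout "$work/iwa.key" -out "$work/iwa.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=other.example.test" \
        -keyout "$work/other.key" -out "$work/other.pem" 2>/dev/null
    make_pfx "$work/iwa.pem" "$work/iwa.key" "$work/iwa.pfx"
    rc=1
    if verify_pfx "$work/iwa.pfx" "$work/iwa.pem"; then rc=0; fi
    # negative check: the bundle must not verify against a different certificate
    if verify_pfx "$work/iwa.pfx" "$work/other.pem"; then rc=1; fi
    rm -rf "$work"
    return $rc
}

case "${1:-}" in
    --demo) demo_pfx ;;
    "")     : ;;   # no arguments: only define the functions
    *)      [ $# -eq 3 ] || { echo "usage: $0 cert.pem key.key out.pfx" >&2; exit 2; }
            make_pfx "$1" "$2" "$3" && verify_pfx "$3" "$1" ;;
esac
```

Run it as `sh make_pfx.sh iwa.pem iwa.key iwa.pfx` on the real pair, or with `--demo` for the self-test. Because the resulting file contains the private key and no password protects it, copy it to the connector server over an authenticated channel and delete the working copy once the installer has accepted it.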
1. Download the Integrated Windows Authentication Connector Installer.
2. On the server where you are installing the RSA SecurID Access IWA Connector, navigate to the RSASecurIDAccessIWASetup.msi file and double-click it to launch the installer wizard.
3. When the installer wizard opens, click Next.
4. From the Site drop-down list, select Default Web Site.
5. In the Virtual Directory field, enter RSASecurIDAccessIWAConnector.
6. From the Application Pool drop-down list, select DefaultAppPool.
7. Click Next.
8. Click Next to start the installation.
9. In the Audience URL field, enter an Audience URL for the RSA SecurID Access IWA Connector. This value must match the Audience URL you specify for the IWA IdP in the Cloud Administration Console. Use the format https://<identity_router_URL>/SPServlet?sp_id=<uniqueID> where:
   - <identity_router_URL> is either the URL of the identity router, or the virtual hostname of the load balancer for a cluster of identity routers.
   - <uniqueID> is a unique identifier for the IWA IdP, for example, RSASecurIDAccessIWA.
10. In the Issuer ID field, enter an Issuer ID for the RSA SecurID Access IWA Connector. The Issuer ID must be an alphanumeric string with no special characters. This value must match the Issuer ID you specify for the IWA IdP in the Cloud Administration Console.
11. In the Audience ID field, enter an Audience ID for the RSA SecurID Access IWA Connector. The Audience ID must be an alphanumeric string with no special characters. This value must match the Audience ID you specify for the IWA IdP in the Cloud Administration Console.
12. From the User Identifier (Name ID) drop-down list, select the Active Directory attribute that the IWA provider will send to the identity router during authentication. This attribute identifies the user to the identity router. Select the value that corresponds to the User Tag specified for the identity source in the Cloud Administration Console. Use the following table to identify the correct value.

    | Active Directory Value | IWA Connector Installer Value |
    |---|---|
    | sAMAccountName | Username |
    | cn | CommonName |
    | userPrincipalName | userPrincipalName |
    | objectGUID | objectGUID |
    | distinguishedName | distinguishedName |
    | objectSid | objectSid |

13. In the Issuer Signing Certificate field, browse to the .pfx certificate and select it.
14. Click Submit to save your changes.
15. Click Close.
After you finish