You can automate the use of configured identity providers (IdPs) for user authentication in the user application portal by adding IdPs as authentication sources. You can also change the order in which the portal uses two or more IdPs to verify whether a user is authenticated. Automation ensures that IdPs are used in the proper order and eliminates manual steps for users when accessing applications, avoiding user errors.
When an IdP is configured in RSA SecurID Access but not added as an authentication source, users can access the application portal by authenticating against a configured identity source, or they can manually select that IdP by clicking a link on the portal authentication page. When an IdP is added as an authentication source, the portal uses it automatically:
- If the user is authenticated (for example, in the Windows domain), the portal creates a session without requiring an additional sign-in.
- If the user is not authenticated, the application portal redirects the user to the identity provider authentication screen, creating a session after the user authenticates.
- If IdP access rules are configured for an IdP, users may be allowed or denied access based on their IP address.
You must add and configure IdPs on the Identity Providers page of the Cloud Administration Console to make them available for adding as authentication sources. When you delete a configured IdP from the Identity Providers page in the Cloud Administration Console, it automatically becomes unavailable for use as an authentication source. The following IdPs may be available as authentication sources:
- Portal (default IdP). Uses the identity router default LDAP user name and password authentication.
- RSA SecurID Access IWA Connector. Uses Integrated Windows Authentication (IWA) to determine whether a user is already authenticated in the Windows domain.
- SAML 2 Generic IdP. Uses the Security Assertion Markup Language (SAML) version 2.0 protocol, enabling the portal to interact with any SAML-capable IdP.
Typical Authentication Source Configurations
- Only Portal is listed. In this case, all user authentications require the application portal's default LDAP user name and password authentication. Users may also manually choose from other configured IdPs listed on the application portal sign-in page.
- RSA SecurID Access IWA Connector is listed first, followed by Portal. The application portal first verifies the user's Windows domain authentication status.
  - Authenticated users are granted access.
  - Unauthenticated users whose IP address is in the allowed domain IP address range defined in the integrated Windows authentication IdP configuration are redirected to a Windows domain sign-in screen.
  - Unauthenticated users whose IP address is in the denied domain IP address range defined in the integrated Windows authentication IdP configuration are redirected to the application portal default sign-in page.
- RSA SecurID Access IWA Connector is listed first followed by SAML 2 Generic, followed by Portal. The portal checks each IdP in the order listed, until the user is authenticated or able to sign in.
Note: The Authentication Sources list must contain at least one IdP. If you need to delete the only IdP on the list, you must first add another Authentication Source, such as the default Portal, to take its place.
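The following Python model, added here as an illustration and not RSA's own code, walks an ordered Authentication Sources list the way the typical configurations above describe: an IdP that has already authenticated the user creates a session, an unauthenticated user inside an allowed range is redirected to that IdP, a user in a denied range falls through to the next source, and Portal always ends the chain with LDAP sign-in. It also enforces the rule from the note that the list must contain at least one IdP. The source names, the CIDR ranges, the `AuthSource`/`Request` classes and the assumption that access rules can apply to any non-Portal IdP (the page only shows them for IWA) are constructed for this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed model of an ordered Authentication Sources list; it illustrates
# the evaluation order described on the page and is not RSA's implementation.


@dataclass
class AuthSource:
    name: str                 # display name shown on the Authentication Sources list
    kind: str                 # "portal", "iwa" or "saml"
    allowed_ranges: List[str] = field(default_factory=list)  # CIDR blocks from IdP access rules
    denied_ranges: List[str] = field(default_factory=list)


@dataclass
class Request:
    client_ip: str
    windows_authenticated: bool = False   # already signed in to the Windows domain
    saml_authenticated: bool = False      # already has a session at the SAML IdP


def in_any(ip: str, ranges: List[str]) -> bool:
    """True if ip falls inside any of the CIDR ranges."""
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for cidr in ranges)


def validate_sources(sources: List[AuthSource]) -> bool:
    # The list must contain at least one IdP; an administrator who wants to
    # remove the last one has to add a replacement (for example Portal) first.
    if not sources:
        raise ValueError("Authentication Sources list must contain at least one IdP")
    return True


def evaluate(sources: List[AuthSource], req: Request) -> Tuple[str, str]:
    """Check each source in the listed order; return (source name, outcome)."""
    validate_sources(sources)
    for src in sources:
        if src.kind == "portal":
            # Portal always terminates the chain with LDAP user name/password sign-in.
            return (src.name, "portal LDAP sign-in page")
        already = req.windows_authenticated if src.kind == "iwa" else req.saml_authenticated
        if already:
            return (src.name, "session created without sign-in")
        # Access rules (assumed here to apply to any non-Portal IdP): a client in a
        # denied range, or outside a configured allowed range, falls through to the
        # next source in the list.
        if in_any(req.client_ip, src.denied_ranges):
            continue
        if src.allowed_ranges and not in_any(req.client_ip, src.allowed_ranges):
            continue
        return (src.name, f"redirect to {src.name} sign-in")
    return ("none", "no source could sign the user in")


# Constructed sources and ranges for the three typical configurations.
IWA = AuthSource("RSA SecurID Access IWA Connector", "iwa",
                 allowed_ranges=["10.0.0.0/8"], denied_ranges=["192.168.0.0/16"])
SAML = AuthSource("SAML 2 Generic IdP", "saml")
PORTAL = AuthSource("Portal", "portal")

if __name__ == "__main__":
    for label, chain in (("Portal only", [PORTAL]),
                         ("IWA, Portal", [IWA, PORTAL]),
                         ("IWA, SAML, Portal", [IWA, SAML, PORTAL])):
        for req in (Request("10.1.2.3", windows_authenticated=True),
                    Request("10.1.2.3"),
                    Request("192.168.5.5")):
            print(label, req.client_ip, evaluate(chain, req))
```

Running the script prints, for each configuration, which source handled a domain-authenticated user, an unauthenticated user in the allowed range and a user in the denied range; the last case shows the denied user landing on Portal in the two-source list but on the SAML IdP when SAML 2 Generic sits between IWA and Portal.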