Choosing a Connection Method to Add an SSO Agent Application

Document created by RSA Information Design and Development on Jul 14, 2016Last modified by RSA Information Design and Development on Oct 20, 2017
Version 20Show Document
  • View in full screen mode
 
 

In the Application Catalog, RSA provides connection templates for popular web applications such as Cisco WebEx, Salesforce, and Microsoft Outlook Web Access. These applications require minimal configuration to enable them for single sign-on (SS0) through the application portal. To provide users with SSO access to a protected web application that is not in the Application Catalog, you can configure an application connection using one of the following connector templates: SAML Direct, HTTP Federation Proxy, or Trusted Headers. You can also add a simple bookmark to My Applications. Bookmarks do not require SSO configuration.

Use the following guidelines to decide which method to use for adding an application in RSA SecurID Access.

 

SAML Direct

Use the SAML Direct template to connect RSA SecurID Access with web applications that are enabled for SAML SSO.

In a SAML Direct configuration, the identity router verifies a user's identity through a SAML assertion, and a service provider (such as a SaaS application) consumes that assertion as proof of identity. User access to the application flows through a trust relationship between the identity router and a SAML-enabled web application.

 

HTTP Federation (HFED) Proxy

Use the HFED Proxy template to connect RSA SecurID Access with web applications that do not support SAML and that use sign-in forms to validate user credentials.

In an HFED Proxy configuration, the identity router performs authentication into the protected application server on the user's behalf, using credentials stored on the identity router in a user profile (called a keychain), before directing the user to the requested application page. Users cannot access the web application without authenticating first through the identity router. With HFED Proxy, the identity router serves as a password vault for storing multiple sets of credentials for multiple applications, while requiring users to remember only a single password (the credentials used to sign into the application portal) to access many protected applications.

Note:  If you configure RSA SecurID Access to use SSL when connecting to a protected application using the HFED Proxy method, the web server hosting the application must have a valid SSL certificate signed by a certificate authority (CA) that the identity routers trust. For more information, see Trusted Certificate Authorities for HFED or Trusted Headers Applications.

 

Trusted Headers

Use the Trusted Header template to connect RSA SecurID Access with applications that were developed internally. These applications validate identity through user information encoded in trusted HTTP headers.

In a trusted headers configuration, the identity router acts as a reverse proxy to protect an application from unauthorized or unauthenticated access. The application must be configured to check for headers that it receives from the identity router. Users cannot access the web application without authenticating first through the identity router.

Note:  If you configure RSA SecurID Access to use SSL when connecting to a protected application using the trusted headers method, the web server hosting the application must have a valid SSL certificate signed by a certificate authority (CA) that the identity routers trust. For more information, see Trusted Certificate Authorities for HFED or Trusted Headers Applications.

 

 

You are here
Table of Contents > Web Applications > Choosing a Connection Method to Add an SSO Agent Application

Attachments

    Outcomes