BenefitFocus integration with RSA Via Access

Document created by RSA Link Team Employee on Sep 16, 2016

I was talking with one of our customers the other day, and they were telling me that even though BenefitFocus wasn't yet in the application catalog, they were able to use the SAML template to quickly integrate with this application.  Here's a summary of the configuration settings they used (though of course, the specific URLs will be a little different for each customer):

In the Access Administration Console:  Applications > Application Catalog > Create from Template > SAML Direct

  • Connection URL:  https://sp.benefitfocus.com/sp/startSSO.ping?PartnerIdpId=YOURIDHERE&TargetResource=YOUR-BF-URL-HERE
    • You'll need to specify your own BenefitFocus PartnerIdpId and URL-encoded BenefitFocus URL as the TargetResource
  • SP-initiated
  • Binding Method for SAML Request:  POST (default)
    • Request not signed (default)
  • Identity Provider URL:  Use default, such as  https://portal.sso.example.com/IdPServlet?idp_id=1q2w3e4r5t6y7
  • Issuer Entity ID:  Use default, such as  1q2w3e4r5t6y7
  • Upload the private.key to sign the SAMLResponse, and the corresponding cert.pem
    • BenefitFocus doesn't need us to include the certificate in the outgoing assertion
  • Service Provider
  • User Identity
    • NameID Identifier Type:  Email Address
      • Select the attribute containing the BenefitFocus ID (for example, the AD 'employeeID')
  • Advanced Configuration
    • Attribute Extension:  Configure 2 extended attributes:
      • Attribute Name:  employeeID
        • Attribute Source:  User Store
        • Property:  Select the attribute containing the BenefitFocus ID (for example, the AD 'employeeID')
      • Attribute Name:  sn
        • Attribute Source:  User Store
        • Property:  Select the attribute containing the user's last name (for example, the AD 'sn')
  • Uncommon Formatting SAML Response Options
    • Sign Outgoing Assertion
      • Assertion within response
      • Use default signature & digest algorithms (rsa-sha1, sha1)
    • Relay State URL Encoding
      • Use default:  Send Relay State URL – encoded by IDP
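After saving the application, it helps to capture one SAMLResponse from a test login and confirm it matches the settings listed above. The following is an added example, not part of the original document or of RSA's or BenefitFocus's tooling; it assumes "Assertion within response" puts the Signature element inside the Assertion and that "Email Address" maps to the standard emailAddress NameID format URN, and the sample response is constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
DSIG = "http://www.w3.org/2000/09/xmldsig#"
# Assumption: "Email Address" maps to the standard SAML 1.1 emailAddress format URN.
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_response(b64_response, issuer):
    """List mismatches with the settings above (structure only; signature value not verified)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion in Response"]
    problems = []
    if a.findtext("saml:Issuer", "", NS).strip() != issuer:
        problems.append("unexpected Issuer")
    sig = a.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is not signed")
    else:
        alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        dig = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
        if alg is None or alg.get("Algorithm") != DSIG + "rsa-sha1":
            problems.append("signature algorithm is not rsa-sha1")
        if dig is None or dig.get("Algorithm") != DSIG + "sha1":
            problems.append("digest algorithm is not sha1")
        if sig.find("ds:KeyInfo", NS) is not None:
            problems.append("certificate is included in the assertion")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FMT:
        problems.append("NameID format is not emailAddress")
    names = {x.get("Name") for x in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"missing attribute {n}" for n in ("employeeID", "sn") if n not in names]
    return problems

# Constructed sample (placeholder signature value and employee ID, not a real signed response).
SAMPLE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<saml:Assertion><saml:Issuer>1q2w3e4r5t6y7</saml:Issuer>
<ds:Signature><ds:SignedInfo>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">100234</saml:NameID></saml:Subject>
<saml:AttributeStatement><saml:Attribute Name="employeeID"/><saml:Attribute Name="sn"/></saml:AttributeStatement></saml:Assertion></samlp:Response>""")
if __name__ == "__main__":
    print(check_response(SAMPLE, "1q2w3e4r5t6y7") or "matches the documented settings")
```

The two algorithm checks mirror the defaults listed above (rsa-sha1, sha1); SHA-1 is deprecated for signatures, so if a stronger algorithm is configured on both sides, change those two comparisons to match.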

This document was generated from the following discussion: BenefitFocus integration with RSA Via Access
