You can configure your own connection between a SAML service provider (SP) and the Cloud Authentication Service as the SAML identity provider (IdP). The SP might be a third-party SSO solution or a web application.
Before you begin
- You must be a Super Admin in the Cloud Administration Console.
- Know which access policy to use for additional authentication.
- (Optional) If you want to import SAML SP metadata, obtain the metadata file from the SP. Otherwise, collect the following information from the SP:
- URL for the Assertion Consumer Service (ACS) on the SP
- Entity ID for the SP
- If the SP is signing the SAML requests, obtain the SP certificate that can be used to verify the signature. For more information, see Cloud Authentication Service Certificates.
In the Cloud Administration Console, click Authentication Clients > Relying Parties > Add a Relying Party.
- From the catalog, select Service Provider and click Add.
- On the Basic Information page, complete these fields.
In the Name field, enter a name for the SP.
This name appears in the Event Monitor and in the Authenticate app.
(Optional) In the Description field, enter a description for the SP.
Click Next Step.
On the Authentication page, do the following:
If you want the Cloud Authentication Service to only manage additional authentication, select Service provider manages primary authentication, and RSA SecurID Access manages additional authentication.
If you want the Cloud Authentication Service to manage both primary and additional authentication select RSA SecurID Access manages all authentication.
Primary authentication (for example, password) is the initial identifying information of the user that is requesting access to the application.
If the Cloud Authentication Service is managing primary authentication, in the Primary Authentication Method drop-down list, select the authentication method to use.
In the Access Policy for Additional Authentication drop-down list, select the access policy to apply to SAML requests from this SP if primary authentication succeeds.
- Click Next Step.
On the Connection Profile page, enter the SAML metadata to configure the relationship between the SP and IdP:
To automatically import the SAML metadata from an XML file, click Import Metadata and Choose File to locate the file you want to import. The file has a name similar to SP-metadata.xml.
After you import the file, the fields are populated. You can still manually configure settings on the Connection Profile page. If you re-import the file on this page and save the metadata, however, any manual changes you made previously are overwritten.
- To manually enter the SAML metadata, click Enter Manually and do the following. These settings must match the configuration on the SP.
In the Assertion Consumer Service (ACS) URL field, enter the URL for the Assertion Consumer Service (ACS) on the SP where the SAML response is posted. The SP ACS endpoint accepts SAML responses with assertions, validates assertions, and grants users access to the application. For example: https://ServiceProvider.example.com/ecp_assertion_consumer.
In the Service Provider Entity ID (Audience) field, enter the entity ID that identifies the SP. Typically this is a URL, but a URL is not required. For example, https://ServiceProvider.example.com.
(Optional) If the SP is configured to sign the SAML request, select SP Signs SAML requests and click Choose File to load the SP certificate.
Selecting this option ensures that the IdP only accepts signed requests from the SP and rejects non-signed requests from the SP.
To verify the SAML assertion signature, under IdP signs SAML assertions, click Download Certificate . Place the certificate in the necessary location for the SP.
Click Save and Finish.
(Optional) To publish this configuration and immediately activate it, click Publish Changes.