You can configure your own connection between a SAML service provider (SP) and the Cloud Authentication Service as the SAML identity provider (IdP). The SP might be a third-party SSO solution or a web application.
Before you begin
- You must be a Super Admin in the Cloud Administration Console.
- Know which access policy to use for additional authentication.
- (Optional) If you want to import SAML SP metadata, obtain the metadata file from the SP. Otherwise, collect the following information from the SP:
  - URL for the Assertion Consumer Service (ACS) on the SP
  - Entity ID for the SP
- If the SP is signing the SAML requests, obtain the SP certificate that can be used to verify the signature. For more information, see Cloud Authentication Service Certificates.
- In the Cloud Administration Console, click Authentication Clients > Relying Parties > Add a Relying Party.
- From the catalog, select Service Provider and click Add.
- On the Basic Information page, complete these fields:
  - In the Name field, enter a name for the SP. This name appears in the Event Monitor and in the Authenticate app.
  - (Optional) In the Description field, enter a description for the SP.
- Click Next Step.
- On the Authentication page, do the following:
  - If you want the Cloud Authentication Service to manage only additional authentication, select Service provider manages primary authentication, and RSA SecurID Access manages additional authentication.
  - If you want the Cloud Authentication Service to manage both primary and additional authentication, select RSA SecurID Access manages all authentication. Primary authentication (for example, password) is the initial identifying information of the user who is requesting access to the application.
  - If the Cloud Authentication Service is managing primary authentication, in the Primary Authentication Method drop-down list, select the authentication method to use.
  - In the Access Policy for Additional Authentication drop-down list, select the access policy to apply to SAML requests from this SP if primary authentication succeeds.
- Click Next Step.
- On the Connection Profile page, enter the SAML metadata to configure the relationship between the SP and the IdP:
  - To import the SAML metadata from an XML file, click Import Metadata, then click Choose File to locate the file you want to import. The file has a name similar to SP-metadata.xml. After you import the file, the fields are populated, and you can still adjust settings manually on the Connection Profile page. If you later re-import the file on this page and save the metadata, however, any manual changes you made are overwritten.
  - To enter the SAML metadata manually, click Enter Manually and do the following. These settings must match the configuration on the SP.
    - In the Assertion Consumer Service (ACS) URL field, enter the URL for the Assertion Consumer Service (ACS) on the SP where the SAML response is posted. The SP ACS endpoint accepts SAML responses with assertions, validates the assertions, and grants users access to the application. For example: https://ServiceProvider.example.com/ecp_assertion_consumer.
    - In the Service Provider Entity ID field, enter the entity ID that identifies the SP. Typically this is a URL, but a URL is not required. For example: https://ServiceProvider.example.com.
    - (Optional) If the SP is configured to sign the SAML request, select SP signs SAML request and click Choose File to load the SP certificate. Selecting this option ensures that the IdP accepts only signed requests from the SP and rejects unsigned requests.
  - Under IdP Signs, select whether the IdP signs the Assertion within response or the Entire SAML response, then click Download Certificate and place the certificate where the SP expects it so the SP can verify the signature.
- For Identifier Type, select the format of the NameID. The format must correspond to how the SAML application identifies users.

| Option | Description |
|---|---|
| Auto Detect | The IdP automatically detects the format included in the SAML assertion. |
| Email Address | The NameID has the form of an email address. |
| X.509 Subject Name | The NameID has the form specified for the contents of the <ds:X509SubjectName> element in the XML Signature Recommendation [XMLSig]. |
| Persistent | The NameID is a persistent opaque identifier for a user that is specific to the IdP and SP. This identifier uses pseudo-random values that do not correspond to the user's actual identifier (for example, username). A persistent NameID remains the same each time the user authenticates. |
| Transient | The NameID has transient semantics that the SP treats as a temporary value. This value can identify a user without mapping to the user's actual account name. A transient NameID is different each time the user authenticates. |
| Unspecified | The SP interprets the content of the element. |

- Select or enter the Property (attribute) to use as the NameID value:
  - If you selected Auto Detect, the IdP automatically detects the property included in the SAML assertion.
  - For an extended attribute, enter the name of the extended attribute.
  - Otherwise, select an attribute from the identity source, or manually enter the attribute.
- Click Save and Finish.
- (Optional) To publish this configuration and immediately activate it, click Publish Changes.
After you finish
To collect the information needed to configure the service provider to connect with the Cloud Authentication Service, view or download the IdP metadata. For more information, see Manage Relying Parties.