000036933 - Differences to be aware of when configuring RSA SecurID Access Cloud IdP vs IDR IdP

Document created by RSA Customer Support Employee on Nov 14, 2018

Article Content

Article Number: 000036933
Applies To: RSA Product Set: SecurID Access
Issue: The SecurID Access Cloud Authentication Service offers two ways to configure an Identity Provider (IdP) for SAML applications:
  1. Configure the IDR IdP as described in Add a SAML Application
  2. Configure the Cloud IdP as described in Add a Relying Party.
The Cloud IdP configuration process is simpler (fewer options), while the IDR IdP is more configurable. The configuration differences between the two are not readily apparent.

Resolution: The differences between the two options are listed below:
Cloud IdP vs. IDR IdP

  • Signing certificate
    Cloud IdP: creates its own signing certificate.
    IDR IdP: the admin generates and uploads a signing certificate.
  • Assertion signature hashing algorithm
    Cloud IdP: SHA-256.
    IDR IdP: SHA-1 by default; other algorithms, including SHA-256, can be configured.
  • Assertion signing scope
    Cloud IdP: signing is performed on the "Assertion within response".
    IDR IdP: defaults to "Entire SAML response", but can be configured to "Assertion within response".
  • User Identity NameID type
    Cloud IdP: auto-detected.
    IDR IdP: you must specify the NameID type.
  • Extended Attributes
    Cloud IdP: automatically searched for in all Identity Sources by default.
    IDR IdP: must be configured with the specific Identity Source where they can be found.
  • IdP URL
    Cloud IdP: found only in the IdP metadata file.
    IDR IdP: auto-populated in the configuration page.
  • SAML flow
    Cloud IdP: the third-party Service Provider must support SP-initiated SAML.
    IDR IdP: supports IdP-initiated or SP-initiated SAML.
  • Identity Source User Attributes page
    Cloud IdP: "Synchronize the selected policy attributes with the Cloud Authentication Service" must be checked.
    IDR IdP: this checkbox is not applicable.
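Several of the differences above (SHA-1 versus SHA-256 signatures, "Entire SAML response" versus "Assertion within response", and the NameID type) are visible in the SAML Response an SP receives, so an administrator can confirm an IDR IdP has been reconfigured to match what the SP expects. The Python script below is an example added to this article, not RSA code: it parses a SAML Response, reports which element carries the signature, the signature and digest algorithms, and the NameID format, and flags SHA-1. The sample responses it builds are constructed and trimmed (no Issuer or Status, placeholder signature values). It inspects structure only and does not cryptographically verify signatures, which requires a full XML-DSig library.

```python
"""Inspect a SAML 2.0 Response for signature placement, algorithms and
NameID format.  Example added for this article, not RSA code.  It reads
structure only; it does not verify the signature cryptographically."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Standard XML-DSig algorithm identifiers.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
NAMES = {RSA_SHA1: "RSA-SHA1", RSA_SHA256: "RSA-SHA256", SHA1: "SHA1", SHA256: "SHA256"}


def _signature_info(element, label):
    """Describe the enveloped ds:Signature directly under element, or None."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return None
    sig_method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    reference = sig.find("ds:SignedInfo/ds:Reference", NS)
    digest_method = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    sig_uri = sig_method.get("Algorithm") if sig_method is not None else ""
    dig_uri = digest_method.get("Algorithm") if digest_method is not None else ""
    return {
        "signed_element": label,
        "signature_alg": NAMES.get(sig_uri, sig_uri),
        "digest_alg": NAMES.get(dig_uri, dig_uri),
        # The Reference must point at the element that carries the signature.
        "reference_ok": reference is not None
        and reference.get("URI") == "#" + element.get("ID", ""),
    }


def inspect_response(xml_text):
    """Summarise the signatures and NameID format of a samlp:Response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    sigs = [_signature_info(root, "Response")]          # "Entire SAML response"
    for assertion in root.findall("saml:Assertion", NS):
        sigs.append(_signature_info(assertion, "Assertion"))  # "Assertion within response"
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return {
        "signatures": [s for s in sigs if s],
        "nameid_format": name_id.get("Format") if name_id is not None else None,
    }


def findings(summary):
    """Warnings an admin would want to resolve before handing metadata to an SP."""
    out = []
    if not summary["signatures"]:
        out.append("no XML signature present")
    for s in summary["signatures"]:
        if "SHA1" in s["signature_alg"] or s["digest_alg"] == "SHA1":
            out.append("%s signed with SHA-1; prefer SHA-256" % s["signed_element"])
        if not s["reference_ok"]:
            out.append("%s signature Reference does not cover that element" % s["signed_element"])
    if summary["nameid_format"] is None:
        out.append("NameID has no Format attribute; the SP may require one")
    return out


def make_sample(sign, sig_uri, dig_uri):
    """Build a constructed, trimmed samlp:Response (not real IdP output):
    Issuer/Status omitted, SignatureValue and DigestValue are placeholders."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
           '<ds:SignatureMethod Algorithm="%s"/><ds:Reference URI="#%s">'
           '<ds:DigestMethod Algorithm="%s"/><ds:DigestValue>PLACEHOLDER</ds:DigestValue>'
           '</ds:Reference></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
           '</ds:Signature>')
    resp_sig = sig % (sig_uri, "_resp1", dig_uri) if sign == "response" else ""
    asrt_sig = sig % (sig_uri, "_asrt1", dig_uri) if sign == "assertion" else ""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">'
            + resp_sig + '<saml:Assertion ID="_asrt1" Version="2.0">' + asrt_sig +
            '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:'
            'emailAddress">user@example.com</saml:NameID></saml:Subject>'
            '</saml:Assertion></samlp:Response>')


# Constructed samples: IDR_DEFAULT mirrors the IDR IdP defaults described in
# the article (entire response, SHA-1); CLOUD_STYLE mirrors the Cloud IdP.
IDR_DEFAULT = make_sample("response", RSA_SHA1, SHA1)
CLOUD_STYLE = make_sample("assertion", RSA_SHA256, SHA256)

if __name__ == "__main__":
    for name, xml in (("IDR default", IDR_DEFAULT), ("Cloud IdP", CLOUD_STYLE)):
        summary = inspect_response(xml)
        print(name, summary["signatures"], findings(summary) or "OK")
```

To check a live configuration, base64-decode the SAMLResponse parameter captured from a test login in the browser's developer tools and pass the XML to inspect_response; the IDR default sample above reports a SHA-1 finding, while the Cloud IdP style sample reports none.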
Notes: The IDR IdP supports single sign-on to protected applications.

The Cloud IdP provides primary and/or additional multi-factor authentication for SaaS applications but does not provide single sign-on.