Salesforce - SSO Agent - SAML Configuration - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development Employee on Nov 30, 2018. Last modified by RSA Information Design and Development Employee on Nov 8, 2020. Version 5.

This section describes how to integrate RSA SecurID Access with Salesforce using a SAML SSO Agent.

Architecture Diagram

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as the SSO Agent SAML IdP for Salesforce.


1. Sign into RSA Cloud Administration Console and browse to Applications > Application Catalog, search for Salesforce and click +Add to add the connector.

2. Enter a name for the application in the Name field on the Basic Information page and click the Next Step button.

3. Navigate to Initiate SAML Workflow section.

a. In the Connection URL field, verify the default setting.

b. Choose IDP-initiated.

Note:  The following IDP-initiated configuration works for SP-initiated Salesforce connections as well.

4. Scroll down to SAML Identity Provider (Issuer) section.

a. Take note of the Identity Provider URL.

b. Take note of the Issuer Entity ID.

c. Select Choose File and upload the private key.

d. Select Choose File to import the public signing certificate.

e. Select the checkbox for Include Certificate in Outgoing Assertion.

5. Scroll down to the Service Provider section.

6. In the Assertion Consumer Service (ACS) URL field, replace <DOMAIN> with your account domain, or with <DOMAIN>-dev-ed if you are using a Developer Edition environment.

Note:  The string following so= is the Salesforce Organization ID, which you can find on the Company Profile > Company Information page in Salesforce Setup.

7. In the Audience (Service Provider Issuer ID) field, replace <DOMAIN> with your account domain, or with <DOMAIN>-dev-ed if you are using a Developer Edition environment.

8. Scroll down to the User Identity section. Verify the settings are correct for your environment. In this example the username is presented in email format and the user account is validated against the selected User Store.

9. Click Next Step.

10. On the User Access page, select Allow All Authenticated Users user policy from the available options.

11. Click Next Step.

12. On the Portal Display page, select Display in Portal.

13. Click Save and Finish.

14. Click Publish Changes. Your application is now enabled for SSO.

15. Navigate to Applications > My Applications.

16. Locate Salesforce in the list and from the Edit option, select Export Metadata.


Configure Salesforce

Perform these steps to configure Salesforce as an SSO Agent SAML SP to RSA Cloud Authentication Service.


1. Log in to the Salesforce administration console.

2. From the Setup menu, select Security Controls > Single Sign-On Settings.

3. Under the Federated authentication bullet, click Edit.

4. Mark the SAML Enabled checkbox, and click Save.

5. In the SAML Single Sign-On Settings section, choose New to configure the settings manually, or New from Metadata File to configure them from the metadata file exported from the RSA console.

Note:  Choose the IDR_metadata file when configuring for IDR integration or choose Cloud_metadata when configuring for a Cloud IdP integration.

6. If you chose to configure manually, click New and complete the form.

a. In the Name field, enter a name for this Authentication Service profile.

b. Click in the API Name field, and Salesforce automatically enters the name from the Name field.

c. In the Issuer field, enter the Identity Provider Entity ID for an IDR integration or https://<rsa_tenant> for a Cloud IdP integration.

d. In the Entity ID field, enter an ID that starts with https://, for example https://<instance>. This value must match the Audience (Service Provider Issuer ID) field in the RSA SecurID Access connector.

e. In Identity Provider Certificate, click Browse and select RSA SecurID Access public certificate.

f. In SAML Identity Type, select Assertion contains User’s username.

g. In SAML Identity Location, select Identity is in the NameIdentifier element of the Subject statement.

h. In Service Provider Initiated Request Binding, select HTTP Redirect for an IDR integration and HTTP POST for a Cloud IdP integration.

i. Click Save.

Note:  If your environment requires SP-signed requests, click the Download Metadata button, return to the RSA console, and edit the connector to import the metadata file; importing the metadata also imports the Salesforce signing certificate.

Note:   The value in the API Name field must begin with a letter. If, after importing the metadata, this field contains a value that does not begin with a letter, change it to a value Salesforce accepts. The API Name is not tied to any other setting on the Salesforce side or the RSA Cloud Authentication Service side.

7. Browse to Administer > Domain Management > My Domain and click Edit.

8. Mark the check box next to the Authentication Service that corresponds to your RSA SecurID Access configuration and click Save.

Note:  Unmark the checkboxes for Login Form and any other authentication services so that users cannot bypass SSO by signing in with a Salesforce password (side-door access).


Configuration is complete.
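As an added example (not code from the RSA guide, RSA SecurID Access, or Salesforce), the following Python script checks a SAML Response captured from the browser with a SAML debugging extension against the values entered in the two procedures above: the Issuer typed into Salesforce (step 6c), the Audience / Entity ID pair (RSA step 7, Salesforce step 6d), the ACS URL with its so= Organization ID (RSA step 6 and its note), the NameID in the Subject in email format (Salesforce steps 6f and 6g, RSA step 8), and the presence of the signing certificate in the assertion (RSA step 4e). The tenant URL, entity IDs, org ID and the sample Response are constructed placeholders, not real values.

```python
"""Consistency check of a SAML Response against the values configured above.

Added example, not code from the RSA guide or from Salesforce. It parses a
SAML Response with the standard library and checks the fields the two sides
of this integration must agree on. It does NOT verify the XML signature;
use a SAML library for that. All URLs, entity IDs and the org ID are
constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed values mirroring the guide's fields (assumed, not real tenants).
EXPECTED = {
    "issuer": "https://example-tenant.example.com",                 # RSA Issuer Entity ID / Salesforce Issuer
    "audience": "https://acme-dev-ed",                              # RSA Audience / Salesforce Entity ID
    "acs_url": "https://acme-dev-ed.example.com?so=00D0000000000AB",  # RSA ACS URL with so=<Org ID>
}


def org_id_from_acs_url(acs_url: str):
    """Return the Salesforce Organization ID carried in the so= parameter, or None.
    Org IDs start with 00D and are 15 or 18 characters long."""
    m = re.search(r"[?&]so=(00D[A-Za-z0-9]{12}(?:[A-Za-z0-9]{3})?)(?:&|$)", acs_url)
    return m.group(1) if m else None


def check_response(xml_text: str, expected: dict = EXPECTED) -> list:
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is %s, not samlp:Response" % root.tag]

    # Destination must be the ACS URL entered in the RSA connector (step 6).
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination %r != ACS URL %r" % (root.get("Destination"), expected["acs_url"]))

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext saml:Assertion (missing or encrypted)")
        return problems

    # Issuer must equal the value typed into the Salesforce Issuer field (step 6c).
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["issuer"]:
        problems.append("Issuer %r != configured %r" % (issuer, expected["issuer"]))

    # Audience must equal the Salesforce Entity ID / RSA Audience field (steps 7 and 6d).
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip()
    if audience != expected["audience"]:
        problems.append("Audience %r != configured %r" % (audience, expected["audience"]))

    # Identity must be the NameID of the Subject, in email format (steps 6f, 6g and 8).
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("Subject has no NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID Format is %r, not emailAddress" % name_id.get("Format"))
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id.text.strip()):
            problems.append("NameID %r is not an email address" % name_id.text.strip())

    # A signature must be present (on the Assertion or the Response) and carry the IdP certificate (step 4e).
    signature = assertion.find("ds:Signature", NS)
    if signature is None:
        signature = root.find("ds:Signature", NS)
    if signature is None:
        problems.append("neither Response nor Assertion is signed")
    elif signature.find(".//ds:X509Certificate", NS) is None:
        problems.append("signature carries no X509Certificate")

    return problems


# Constructed SAML Response consistent with EXPECTED (not a real capture).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2020-11-08T12:00:00Z" Destination="https://acme-dev-ed.example.com?so=00D0000000000AB">
  <saml:Issuer>https://example-tenant.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-11-08T12:00:00Z">
    <saml:Issuer>https://example-tenant.example.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://acme-dev-ed</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("Org ID from ACS URL:", org_id_from_acs_url(EXPECTED["acs_url"]))
    print(check_response(SAMPLE_RESPONSE) or "all checks passed")
```

Replace the values in EXPECTED with those from your own connector and paste the decoded Response into SAMPLE_RESPONSE (or read it from a file). An empty result means the Issuer, Audience, ACS URL, NameID format and certificate all line up with the settings above; each mismatch is reported against the step that sets it. This is a configuration check only: it does not validate the signature against the certificate uploaded in step 6e, nor the Conditions time window or InResponseTo, which Salesforce itself enforces and a SAML library should check before any assertion is trusted.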


Return to the main page for more certification related information.
