This section describes how to integrate RSA SecurID Access with Salesforce using a Relying Party. The Relying Party uses SAML 2.0 to integrate RSA SecurID Access as a SAML Identity Provider (IdP) with Salesforce acting as the SAML Service Provider (SP).
Configure RSA Cloud Authentication Service
Perform these steps to configure RSA Cloud Authentication Service as a Relying Party SAML IdP for Salesforce.
1. Sign into RSA Cloud Administration Console.
2. Select the Authentication Clients > Relying Parties menu item at the top of the page.
3. Click the Add a Relying Party button on the My Relying Parties page.
4. From the Relying Party Catalog select the +Add button for Service Provider SAML.
5. Enter a name for the Service Provider in the Name field on the Basic Information page.
6. Click the Next Step button.
7. On the Authentication page, select RSA SecurID Access manages all authentication.
8. From the Primary Authentication Method pulldown, select your desired login method, either Password or SecurID.
9. From the Access Policy pulldown select a policy that was previously configured.
10. Select Next Step.
11. Select Import Metadata.
12. Select Choose File and select the Salesforce metadata file you downloaded from Salesforce.
13. Select Save and Finish.
14. On the My Relying Parties page, select the Edit pulldown and select View or Download IdP Metadata.
15. On the top menu click Publish Changes.
Perform these steps to configure Salesforce as a Relying Party SAML SP to RSA Cloud Authentication Service.
1. Log in to the Salesforce administration console at https://login.salesforce.com.
2. From the Setup menu, select Security Controls > Single Sign-On Settings.
3. Under the Federated authentication bullet, click Edit.
4. Mark the SAML Enabled checkbox, and click Save.
5. In the SAML Single Sign-On Settings section, choose New to configure the settings manually, or New from Metadata File to configure from a metadata file.
Note: Choose the IDR_metadata file when configuring for IDR integration or choose Cloud_metadata when configuring for a Cloud IdP integration.
6. If you chose to configure manually, click New and complete the form.
a. In the Name field, enter a name for this Authentication Service profile.
b. Click in the API Name field, and Salesforce automatically enters the name from the Name field.
c. In the Issuer field, enter the Identity Provider Entity ID for an IDR integration or https://<rsa_tenant>.auth.securid.com/saml-fe/sso for a Cloud IdP integration.
d. In the Entity ID field, enter an ID that starts with https://, for example, https://<instance>.my.salesforce.com. This must match the Audience (Service Provider Entity ID) field in the RSA SecurID Access relying party configuration.
e. In Identity Provider Certificate, click Browse and select the RSA SecurID Access public certificate.
f. In SAML Identity Type, select Assertion contains User’s Salesforce.com username.
g. In SAML Identity Location, select Identity is in the NameIdentifier element of the Subject statement.
h. In Service Provider Initiated Request Binding, select HTTP Redirect for an IDR integration and HTTP POST for a Cloud IdP integration.
i. Click Save.
Note: If your environment requires SP signing, select the Download Metadata button. Then return to the RSA console and edit the connector to import the downloaded metadata file, which also imports the SP signing certificate.
7. Browse to Administer > Domain Management > My Domain and click Edit.
8. Mark the check box next to the Authentication Service which corresponds to your RSA SecurID Access configuration and click Save.
Note: Unmark the checkboxes for Logon Form and other services to prevent side-door access that bypasses RSA SecurID Access.
Configuration is complete.
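The values entered in steps 6c, 6d, 6e and 6h must agree with the IdP metadata downloaded in step 14 of the RSA configuration, and the Audience in every assertion RSA sends must equal the Entity ID from step 6d; a mismatch in any of these is the usual cause of a failed login after setup. The following script is an added example, not RSA's or Salesforce's own tooling: it parses a constructed IdP metadata file and a constructed assertion and reports which Salesforce settings disagree with them. The tenant name example-tenant, the instance name example-instance, the certificate text and the user name are placeholders.

```python
"""Consistency checks between RSA SecurID Access IdP metadata and the Salesforce
SAML Single Sign-On settings entered in steps 6a-6i.

Added example. Every tenant, instance, certificate and user value below is a
constructed placeholder, not data from a real deployment. The checks compare
configuration values only; XML signature validation is done by Salesforce with
the certificate uploaded in step 6e and is not reimplemented here."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Salesforce's binding choices in step 6h, mapped to the SAML binding URIs.
BINDINGS = {
    "HTTP POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "HTTP Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}

# Constructed IdP metadata shaped like the file downloaded in step 14 (placeholders).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-tenant.auth.securid.com/saml-fe/sso">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-IDP-SIGNING-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.auth.securid.com/saml-fe/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Salesforce settings as entered in steps 6c, 6d, 6e and 6h (placeholders).
SALESFORCE_SETTINGS = {
    "issuer": "https://example-tenant.auth.securid.com/saml-fe/sso",
    "entity_id": "https://example-instance.my.salesforce.com",
    "idp_certificate": "-----BEGIN CERTIFICATE-----\n"
                       "MIIC-PLACEHOLDER-IDP-SIGNING-CERT\n"
                       "-----END CERTIFICATE-----",
    "request_binding": "HTTP POST",  # Cloud IdP integration per step 6h
}

# Constructed assertion body as RSA would send it for the settings above (placeholders).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>https://example-tenant.auth.securid.com/saml-fe/sso</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://example-instance.my.salesforce.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""


def _normalize_cert(text):
    """Drop PEM armour lines and whitespace so PEM and bare base64 compare equal."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    return "".join(ln for ln in lines if not ln.startswith("-----"))


def parse_idp_metadata(xml_text):
    """Extract entityID, signing certificates and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(_normalize_cert(c.text))
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}


def check_salesforce_settings(idp, sf):
    """Return a list of findings; an empty list means steps 6c-6h agree with the metadata."""
    findings = []
    if sf["issuer"] != idp["entity_id"]:
        findings.append(f"Issuer {sf['issuer']!r} does not equal IdP metadata entityID {idp['entity_id']!r}")
    if not sf["entity_id"].startswith("https://"):
        findings.append("Entity ID must start with https://")
    if _normalize_cert(sf["idp_certificate"]) not in idp["signing_certs"]:
        findings.append("Identity Provider Certificate does not match any signing certificate in the IdP metadata")
    if BINDINGS.get(sf["request_binding"]) not in idp["sso"]:
        findings.append(f"IdP metadata has no SingleSignOnService endpoint for the {sf['request_binding']} binding")
    return findings


def check_assertion(xml_text, sf):
    """Check an assertion against the Salesforce settings: Issuer, Audience and NameID location."""
    a = ET.fromstring(xml_text)
    findings = []
    if a.findtext("saml:Issuer", namespaces=NS) != sf["issuer"]:
        findings.append("Assertion Issuer does not equal the configured Issuer")
    audiences = [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sf["entity_id"] not in audiences:
        findings.append(f"Audience {audiences} does not contain Entity ID {sf['entity_id']!r}")
    if not a.findtext("saml:Subject/saml:NameID", namespaces=NS):
        findings.append("No NameID in the Subject element (required by the step 6g setting)")
    return findings


if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA)
    for f in check_salesforce_settings(idp, SALESFORCE_SETTINGS) + check_assertion(ASSERTION, SALESFORCE_SETTINGS):
        print("FINDING:", f)
```

To use it against a real deployment, replace IDP_METADATA with the file from step 14, fill SALESFORCE_SETTINGS from the values typed in step 6, and paste the decoded assertion from a failed login into ASSERTION. For an IDR integration the Issuer is the Identity Provider Entity ID and the binding is HTTP Redirect, so change those two settings before running the checks.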