SSO Agent - SAML Configuration - Cisco ISE RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development Employee on Dec 3, 2018. Last modified by RSA Information Design and Development Employee on Jan 2, 2019.
Version 2

This section contains instructions on how to integrate RSA SecurID Access with Cisco ISE using a SAML SSO Agent.

Architecture Diagram

RSA Cloud Authentication Service

To configure a SAML Service Provider in RSA Identity Router, you must deploy the connector for Cisco ISE in the RSA Cloud Administration Console. During configuration of the IdP, you will need some information from the SP. This information includes (but is not limited to) the Assertion Consumer Service (ACS) URL and the Service Provider (SP) Entity ID.


1. Log on to the RSA Cloud Administration Console and browse to Applications > Application Catalog, search for Cisco ISE and click +Add to add the connector.

2. Enter a Name and click Next Step.

3. Configure the Initiate SAML Workflow section and scroll down to the SAML Identity Provider section.

• Set Connection URL to match the Identity Provider URL from the SAML Identity Provider section.

• Set Binding Method for SAML request to POST.

4. Configure the SAML Identity Provider (Issuer) section and scroll down to the Service Provider section.

Identity Provider URL: Leave the default value.

Issuer Entity ID: Leave the default value.

SAML Response Signature: Upload the private key and corresponding certificate that SecurID Access will use to sign the SAML response.

5. Configure the Service Provider section and scroll down to the User Identity section.

If you don’t know your ACS URL or SP Entity ID, fill in temporary placeholder values so that you can continue to the next step. After you complete the SAML SP configuration and apply it to an ISE portal, you will be able to download the metadata file which contains these values. When you have the file, return to this page and use the Import Metadata function to fill in the correct ACS URL and SP Entity ID values automatically.

6. Configure the User Identity section and click Next Step.

Identifier Type: Select your NameID identifier type from the drop-down menu. Email and unspecified are both known to work with Cisco ISE.

Property: Select the identity source property which contains your NameID.

7. Configure your Access Policy and click Next Step.

8. Configure the Portal Display settings and click Save and Finish.

Display in Portal: Uncheck this box if you are integrating with the Guest Access portal, since it does not support SAML IdP-initiated access. Leave the checkbox marked if you are integrating with the My Devices Portal and you would like to allow SAML IdP-initiated access.

9. Browse to Applications > My Applications, locate the Cisco ISE application, expand options and click Export Metadata.

10. Click Publish Changes.


Cisco ISE

Follow the steps in this section to integrate Cisco ISE with RSA SecurID Access as a SAML SSO Agent.


1. Log in to the Cisco ISE Administrative Console and browse to Administration > Identity Management > External Identity Sources > SAML Id Providers and click Add.

2. Enter an Id Provider Name and open the Identity Provider Config tab.

3. Click Import Identity Provider Config File. Browse to the RSA SecurID Access metadata file you downloaded in the IdP configuration section of this guide. Click Save.

Note: You must configure Guest Access Portal and/or My Devices Portal as a SAML SP before you can export the metadata.
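The temporary placeholder ACS URL and SP Entity ID from step 5 of the RSA Cloud Authentication Service section have to be replaced once the ISE metadata can be exported. The following is an added example, not part of the RSA guide or of any RSA or Cisco tooling: it reads an SP metadata file and lists console values that do not match it. The sample metadata, host name, path and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample standing in for the SP metadata file exported from ISE.
# Host name, path and entity ID are made up for this example.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://ise.example.test/constructed-sp-entity-id">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ise.example.test:8443/constructed/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def read_sp_metadata(xml_text):
    """Return the SP entity ID, ACS URLs and NameID formats from SP metadata."""
    if "<!DOCTYPE" in xml_text:
        # SAML metadata never needs a DTD; refuse it instead of expanding entities.
        raise ValueError("metadata contains a DTD")
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % MD or sp is None:
        raise ValueError("not SAML SP metadata")
    return {
        "entity_id": root.get("entityID"),
        "acs_urls": [e.get("Location")
                     for e in sp.findall("md:AssertionConsumerService", NS)],
        "nameid_formats": [e.text.strip()
                           for e in sp.findall("md:NameIDFormat", NS) if e.text],
    }

def console_mismatches(meta, console_acs_url, console_entity_id, console_nameid_format=None):
    """Compare values entered in the IdP console with the SP metadata."""
    problems = []
    if console_entity_id != meta["entity_id"]:
        problems.append("SP Entity ID does not match metadata")
    if console_acs_url not in meta["acs_urls"]:
        problems.append("ACS URL is not listed in metadata")
    fmts = meta["nameid_formats"]
    if console_nameid_format and fmts and console_nameid_format not in fmts:
        problems.append("NameID format is not advertised by the SP")
    return problems
```

An empty list from `console_mismatches` means the values in the connector agree with the exported file; any leftover placeholder shows up as a mismatch.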


Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the SAML SSO Agent configuration to your use case.