Okta SSO - SAML Relying Party Configuration as a step-up for Okta applications - RSA Ready SecurID Access Implementation Guide
Originally Published: 2021-11-07

This section describes how to integrate RSA SecurID Access with Okta SSO, using a relying party as a step-up authentication factor for Okta applications. The relying party uses SAML 2.0: RSA SecurID Access acts as the SAML Identity Provider (IdP) and Okta SSO acts as the SAML Service Provider (SP).

Architecture Diagram

[Architecture diagram image]

Before we begin

Enable the Custom IdP option in your Okta instance. Once enabled, the IdP Factor is visible under Security > Multifactor > Factor Types.

You also need an application already configured with Okta for 'front-door' (primary) authentication. In this guide we use Salesforce.

The user in RSA Cloud Authentication Service must match the user used for primary authentication between Okta and the application.

Create RSA as a custom IDP in Okta

Procedure

  1. Sign in to your Okta instance, browse to Security > Identity Providers, and click Add Identity Provider.


  2. From the Add Identity Provider drop-down, select Add SAML 2.0 IdP.

  3. Fill in the following entries in the Add Identity Provider window.


    1. In the General Settings section, enter a name for the IdP.

    2. In the Authentication Settings section, select Factor only from the IdP Usage drop-down.

    3. In the SAML Protocol Settings section, enter a placeholder value (https://URL) in both IdP Issuer URI and IdP Single Sign-On URL.

      Note: Both of these fields must be updated once the relying party connector has been created in RSA Cloud Authentication Service.

    4. In the same SAML Protocol Settings section, upload a placeholder certificate as the IdP Signature Certificate.

      Note: This certificate must be replaced with the certificate generated by the relying party connector in RSA Cloud Authentication Service.

    5. Click the Add Identity Provider button.

  4. Once the Identity Provider is added, expand it and note the Assertion Consumer Service URL and Audience URI. These values are needed when creating the relying party in RSA Cloud Authentication Service.


  5. From the expanded Identity Provider screen, click the Configure link and select Download Certificate from the drop-down. This certificate is required when configuring the relying party in RSA Cloud Authentication Service.


Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as a relying-party SAML IdP for Okta SSO.

Procedure

1. Sign in to the RSA Cloud Administration Console, browse to Authentication Clients > Relying Parties, and click Add a Relying Party.


2. From the Relying Party Catalog, click the +Add button for Service Provider SAML.


3. In the Basic Information section, enter a name and click Next Step.


4. In the Authentication section, do the following:

  1. Under Authentication Details, select Service provider manages primary authentication, and RSA SecurID Access manages additional authentication.

  2. Select the appropriate policy in Access Policy for Additional Authentication.

  3. Click Next Step.


5. On the next page, under the Service Provider Metadata section, enter the following details:

  1. Assertion Consumer Service (ACS) URL: Enter the Assertion Consumer Service URL noted in Step 4 of the Create RSA as a custom IDP in Okta section.

  2. Service Provider Entity ID: Enter the Audience URI noted in Step 4 of the Create RSA as a custom IDP in Okta section.


6. In the Message Protection section, do the following:

  1. Choose the certificate downloaded in Step 5 of Create RSA as a custom IDP in Okta.

  2. Click Download Certificate and save the certificate. This certificate is required in Step 3.5 of Create RSA as a custom IDP in Okta.

7. Click Show Advanced Configuration.


8. Under the User Identity section, select unspecified for Identifier Type and mail for the Property field.

9. Click Save and Finish.

10. Click the Publish Changes button in the top left corner of the page and wait for the operation to complete.


11. On the My Relying Parties page, do the following:

a. Select View or Download IdP Metadata from the Edit drop-down list to view the XML metadata. Find the value of entityID. This value is required in Step 3.3 of Create RSA as a custom IDP in Okta.


Re-configure RSA as a custom IDP in Okta

  1. Sign in to your Okta instance, browse to Security > Identity Providers, and expand the identity provider created in Create RSA as a custom IDP in Okta.

  2. Click the Configure link and select Configure Identity Provider from the drop-down.


  3. In the SAML Protocol Settings section, enter the following:

    1. In the IdP Issuer URI field, enter the entityID obtained in Step 11.a of the Configure RSA Cloud Authentication Service section.

    2. In the IdP Single Sign-On URL field, enter the entityID obtained in Step 11.a of the Configure RSA Cloud Authentication Service section.

    3. In the IdP Signature Certificate field, browse to and select the certificate obtained in Step 6.b of the Configure RSA Cloud Authentication Service section.

    4. Click the Update Identity Provider button.
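Steps 11.a and 3.1 to 3.3 above transcribe values out of the RSA IdP metadata by hand, and the certificate uploaded to Okta is the one Okta will trust for every step-up assertion, so a mismatch (for example a stale placeholder left in place) either breaks the flow or, worse, leaves a certificate you did not intend in the trust store. The following script is an added example, not part of the RSA guide or of either product: it parses IdP metadata with the standard SAML 2.0 metadata namespaces, returns the entityID and Single Sign-On URL to paste into Okta, and compares the SHA-256 fingerprint of the signing certificate in the metadata with the certificate you uploaded. The metadata document, tenant URL and certificate bytes below are constructed placeholders (a real document carries a DER-encoded X.509 certificate); point `okta_idp_settings` at your downloaded metadata and certificate files to use it.

```python
"""Extract Okta IdP settings from RSA Cloud Authentication Service IdP metadata
and verify the uploaded signature certificate. Added example; sample data is
constructed and does not come from a real tenant."""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata. The tenant URL and the certificate are
# placeholders; "{CERT}" is filled in below with base64 of fake cert bytes.
_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://EXAMPLE-TENANT.example.invalid/IdPServlet?idp_id=PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          {CERT}
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://EXAMPLE-TENANT.example.invalid/IdPServlet?idp_id=PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""
_FAKE_DER = b"PLACEHOLDER-CERT-BYTES"        # constructed; stands in for DER X.509 bytes
_STALE_DER = b"OLD-PLACEHOLDER-CERT-BYTES"   # constructed; a leftover placeholder cert
SAMPLE_METADATA = _TEMPLATE.replace("{CERT}", base64.b64encode(_FAKE_DER).decode())


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour, as the Download Certificate step produces."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


SAMPLE_OKTA_CERT_PEM = der_to_pem(_FAKE_DER)   # what was uploaded to Okta (correct)
STALE_OKTA_CERT_PEM = der_to_pem(_STALE_DER)   # the placeholder from Step 3.4 left in place


def pem_to_der(pem_text: str) -> bytes:
    """Strip PEM armour lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated hex form admin UIs display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints by binding, and DER signing certs."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):   # no 'use' means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            signing_certs.append(base64.b64decode("".join((cert.text or "").split())))
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        location = svc.get("Location", "")
        if not location.startswith("https://"):
            raise ValueError(f"SSO endpoint is not HTTPS: {location}")
        sso[svc.get("Binding")] = location
    return {"entity_id": entity_id, "sso": sso, "signing_certs": signing_certs}


def okta_idp_settings(metadata_xml: str, okta_uploaded_cert_pem: str) -> dict:
    """Values for the Okta IdP form plus whether the uploaded cert matches the metadata."""
    meta = parse_idp_metadata(metadata_xml)
    if not meta["signing_certs"]:
        raise ValueError("metadata carries no signing certificate; Okta could not verify assertions")
    sso_url = meta["sso"].get(POST) or meta["sso"].get(REDIRECT)
    if sso_url is None:
        raise ValueError("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    uploaded = cert_fingerprint(pem_to_der(okta_uploaded_cert_pem))
    expected = [cert_fingerprint(c) for c in meta["signing_certs"]]
    return {
        "idp_issuer_uri": meta["entity_id"],
        "idp_sso_url": sso_url,
        "metadata_cert_fingerprints": expected,
        "certificate_matches": uploaded in expected,
    }


if __name__ == "__main__":
    for key, value in okta_idp_settings(SAMPLE_METADATA, SAMPLE_OKTA_CERT_PEM).items():
        print(f"{key}: {value}")
```

In the constructed sample the Single Sign-On URL equals the entityID, which is why the guide can tell you to paste the entityID into both Okta fields; the script reads the SingleSignOnService Location separately so it also holds if a tenant's metadata ever differs. A `certificate_matches` of False after Re-configure means Okta is still trusting the placeholder certificate and the step-up assertions from RSA will be rejected.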


Configure Sign On Policy for the application in Okta

  1. In the Okta instance, navigate to Applications > Applications and select your application from the list (in this case Salesforce).

  2. Click the Sign On tab and scroll down to the Sign On Policy section.


  3. Click Add Rule.

  4. In the App Sign On Rule window, enter a name in the Rule Name field.


  5. In the Actions section, select the Prompt for factor checkbox and, below it, the Every sign on radio button.


  6. Click Save.

Test Okta application for step-up with RSA IDP

  1. Open your application (configured in Okta); in our case, Salesforce.


  2. Click Login using Okta. You are redirected to Okta for primary authentication.


  3. Enter your Okta credentials for the application (Salesforce) and click Sign In.

  4. You are prompted to enroll in multifactor authentication. This enrollment appears to be enforced by Okta.

  5. Once enrolled, you are prompted to authenticate with the RSA IdP created in the Create RSA as a custom IDP in Okta section. Click Verify.


  6. The user is presented with the factor authentication according to the authenticators enrolled with RSA Cloud Authentication Service.


  7. After successful primary and secondary authentication, the user is logged on to the Salesforce application.


For additional integrations, see the "Configuration Summary" section.