Okta - Third-Party IdP Integration - RSA Ready Implementation Guide

Certified: April 10, 2025

  

Solution Summary

This guide describes how to integrate Okta with RSA ID Plus so that Okta acts as a third-party Identity Provider (IdP) for authentication using SAML 2.0.
   

Use Case

Okta can be integrated with RSA as an IdP for Cloud Authentication Service and My Page. 

Before you begin

  • Make sure that all changes are correct and saved on the Okta side before saving any changes on the RSA side. Saving the changes on the RSA side enables the feature, and if it does not work, all super administrators and administrators will be locked out. Enabling authentication through a third-party IdP disables regular password authentication by default, so the configuration must work through the IdP for you to gain access to the Cloud Administration Console.
  • Before saving the changes on the RSA side, open a tab in your browser and log on to the Cloud Administration Console as a super administrator to create another session. You can use this session to increase the Inactivity Timeout (My Account > Company Settings > Sessions and Authentication) to ensure that the session does not time out before the configuration is complete (make sure to change the setting back after the authentication has been tested). Additionally, you can use the second session to disable the changes on the RSA side if test authentications through the third-party IdP fail. If the super administrators are unable to log on with Okta, log a case with RSA Support to turn off the third-party IdP configuration so that you can log on again with the Cloud-based password. Unless you need immediate Cloud Admin Console access to fix a production authentication outage, the normal turnaround for such a change by RSA may be up to two business days.
  • After the integration is successfully configured, if Okta becomes unavailable for any reason, you will have no access to the Cloud Admin Console until Okta is available again. During a continued outage, you may contact RSA Support to turn off the third-party IdP feature on your tenant.

 

Note the following warnings regarding this integration and the potential risk of locking out all administrators:  

  • Before saving changes in RSA, open a new browser tab, log in to the Cloud Admin Console as a super admin, and increase the inactivity timeout under My Account > Company Settings > Sessions and Authentication. This prevents session timeouts during configuration. After testing, reset the timeout.
  • If third-party IdP authentication fails, use this session to make changes. If you lose access and can't log in with Okta, contact RSA Support to turn off the IdP configuration. It may take up to two business days to restore access, but urgent requests are handled as quickly as possible.

 

Configuration Summary

This section describes how to configure Okta as an IdP for RSA Cloud Authentication Service and My Page. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has a working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All RSA and Okta components must be installed and working prior to the integration. This section of the guide includes links to the appropriate sections for configuring both sides for each use case.
     

Integration Configuration

     

RSA Terminology Changes

The following table describes the terminology changes between versions of RSA products and components.

| Previous Version | New Version | Examples/Comments |
|---|---|---|
| Company ID | Organization ID | |
| Account | Credential | |
| Token | OTP Credential | SecurID OTP Credential |
| Tokencode | OTP/Access Code | SecurID OTP, SMS OTP, Voice OTP; Emergency Access Code, Disable Access Code |
| Hardware Token | Hardware Authenticator | |
| Device Serial Number | Binding ID | |
| Device | Credential/Authenticator | |
| Device Registration Code | Registration Code | |
| Authenticate App | Authenticator App | |

    

Certification Details

RSA Cloud Authentication Service
RSA My Page
Okta
    

Known Issues

Once configuration is complete, if Okta becomes unavailable in the future, you will not be able to access the Cloud Administration Console until Okta is restored. In case of an extended outage, contact Support to request disabling the third-party IdP feature of your tenant.