Configure RSA Cloud Authentication Service

1. Enable My Page SSO by accessing the RSA Cloud Administration Console > Access > My Page > Single Sign-On (SSO). Ensure it is enabled and protected using two-factor authentication - Password and Access Policy.                                                                                      
2. On the Applications > Application Catalog page, search for Panorama9 and click Add to add the connection.                                    
3. On the Basic Information page, enter a name for the configuration in the Name field and click Next Step.                                               
4. On the Connection Profile page, click the SP-initiated option.
   In the Connection URL field, provide the landing URL -  https://dashboard.panorama9.com.                                                                       
5. Provide the Service Provider details in the following format:
   1. ACS URL: https://dashboard.panorama9.com/saml/consume/<Tenant ID> 
   2. Service Provider Entity ID: https://www.panorama9.com/saml20<Tenent ID >
      Refer to the Configure Panorama9 section to obtain the ACS URL and Service Provider Entity ID.                                                 
6. In the SAML Response Protection section, choose IdP signs assertion within response.
7. Download the certificate by clicking Download Certificate.                                                                                                                            
8. Click Show Advanced Configuration.
9. Under the User Identity section, configure Identifier Type and Property. For example, Identifier Type: Auto Detect and Property: Auto Detect.                                                                                                                                                                
10. Click Next Step.
11. Choose your desired Access Policy for this application and click Next Step > Save and Finish.                                                             
12. On the My Applications page, click the Edit drop-down icon and select Export Metadata to download the metadata.                
13. Click Publish Changes. Your application is now enabled for SSO.                                                                                                                    

Configure Panorama9

1. Log on to Panorama9 as an administrator.
2. Click Extensions.                                                                                                                                                                                            
3. Select Enable extension for Single Sign On.
4. Under the Settings section, provide the following details and click Save. The Consume URL and Issuer values are auto-populated. 
   1. Identity provider login URL: The SingleSignOnService value that can be obtained from the metadata file downloaded from RSA.
   2. Certificate fingerprint: Convert the certificate downloaded from RSA into a fingerprint. Refer to the Notes section on how to convert the certificate into a fingerprint.
   3. Consume URL: Copy the URL, which is used as the ACS URL for RSA configuration.
   4. Issuer: Copy the Issuer URL, which is used as Entity ID for RSA configuration.                                                                                 

   
Notes

1. Install the latest version of OpenSSL for Windows.
2. Open the Windows Command line.
3. Navigate to the directory (where the certificate is present).
4. Run the following commands to view the certificate fingerprint/thumbprint. openssl x509 -noout -fingerprint -sha1 -inform pem -in <Certificate.pem>. Certificate.pem is the file downloaded from RSA.