Ping Identity PingFederate 9.3 - Configure Bridge between RSA SecurID Access SAML IdP and Partner Service Providers Configuration - RSA Ready SecurID Access Implementation Guide
Originally Published: 2020-01-27

Follow the steps in this section to apply your SSO Agent and Relying Party configuration to the Ping Identity PingFederate bridge between the RSA SecurID Access SAML IdP and partner service providers.

 

Before you begin: Configure the integration type that your use case will employ. Refer to the Integration Configuration Summary section for more information.

Procedure

1. On the Target Session Mapping page, click the Map New Authentication Policy button.

2. On the Authentication Policy Contract page, click the Manage Authentication Policy Contracts button.

3. On the Manage Authentication Policy Contracts page, click the Create New Contract button.

4. On the Contract Info page, enter CONTRACT NAME and click Next.

5. On the Contract Attributes page, click Next.

6. On the Summary page, click Done.

7. On the Manage Authentication Policy Contracts page, click Save.

8. On the Authentication Policy Contract page, select the contract created above from the AUTHENTICATION POLICY CONTRACT drop-down.

9. On the Attribute Retrieval page, click the radio button for USE ONLY THE ATTRIBUTES AVAILABLE IN THE SSO ASSERTION and click Next.

10. On the Contract Fulfillment page, select Assertion from the Source drop-down menu, SAML_SUBJECT from the Value drop-down menu and click Next.

11. On the Issuance Criteria page, click Next.

12. On the Summary page, review the information and click Done.

13. On the Target Session Mapping page, click Next.

14. On the Summary page, review the information and click Done.

15. On the User-Session Creation page, click Next.

16. On the Protocol Settings page, click the Configure Protocol Settings button.

17. On the SSO Service URLs page, click Next.

18. On the Allowable SAML Bindings page, check the POST and REDIRECT check-boxes only and click Next.

Note:  RSA SecurID Access does not support ARTIFACT and SOAP SAML binding methods.

19. On the Overrides page, click Next.

20. On the Signature Policy page, select the USE SAML-STANDARD SIGNATURE REQUIREMENTS radio button and click Next.

21. On the Encryption Policy page, select the NONE radio button and click Next.

22. On the Summary page, review the information and click Done.

23. On the Protocol Settings page, review the information and click Next.

24. On the Summary page, review the information and click Done.

25. On the Browser SSO page, click Next.

26. On the Credentials page, click Next.

27. On the Activation & Summary page, toggle the Connection Status to Active, make note of the SSO Application Endpoint URL and click Save.

28. On the Service Provider page, under IDP CONNECTIONS, click the Manage All button.

29. On the IdP Connections page, locate the IdP Connection just created, open the Select Action menu and click Export Metadata.

Note: If you set temporary placeholder values during the RSA SecurID Access SAML IdP configuration, go back and replace them using the PingFederate SAML SP metadata file.

 

30. In the PingFederate administrative web console, open the Identity Provider tab and click to open the 3rd party application SAML SP connection.

31. Scroll down to the Assertion Creation section and click Authentication Source Mapping.

32. On the Authentication Source Mapping page, click the Map New Authentication Policy button.

33. On the Authentication Policy Contract page, choose the contract created above from the AUTHENTICATION POLICY CONTRACT drop-down menu and click Next.

34. On the Mapping Method page, click Next.

35. On the Attribute Contract Fulfillment page, choose Authentication Policy Contract from the Source drop-down menu and subject from the Value drop-down menu. Then click Next.

36. On the Issuance Criteria page, click Next.

37. On the Summary page, review the information and click Save.

38. In the PingFederate administrative web console, open the Identity Provider or Service Provider tab and click Policies.

39. On the Policy page, toggle the button to enable the policy contract created above and configure the authentication policy as shown below:

  1. The first Action branch is configured to use the HTML form authentication method.
  2. The second Action branch is configured to use the RSA SecurID Access IdP connection.
  3. The third Action branch is configured to use an Authentication Policy Contract to take attributes from the IdP connection and send them to the created SAML SP.

40. Click Options on the IdP Connection (second Action branch).

41. On the Incoming User ID pop-up, choose the Adapter from the Source drop-down menu and username from the Attribute drop-down menu, then click Done.

42. Click Contract Mapping on the Policy Contract (third Action branch).

43. On the Attribute Sources & User Lookup page, click Next.

44. On the Contract Fulfillment page, choose the IdP Connection from the Source drop-down menu and choose SAML_SUBJECT from the Value drop-down menu and click Next.

45. On the Issuance Criteria page, click Next.

46. On the Summary page, review the information and click Done.

47. On the Policy page, click Done.


Configuration is complete.
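
As an added example (not part of the RSA or Ping Identity guide), the following Python script checks the SP metadata exported in step 29 against the binding restriction from step 18 and its Note before the file is used on the RSA SecurID Access side. The entity ID, URLs and the function name `check_sp_metadata` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Step 18 enables POST and REDIRECT only; the Note rules out ARTIFACT and SOAP.
ALLOWED = {BINDING_PREFIX + "HTTP-POST", BINDING_PREFIX + "HTTP-Redirect"}

# Constructed sample metadata (hypothetical entity ID and URLs), standing in
# for the file exported in step 29. Parse only metadata from your own server.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="pingfed.example.test"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" Location="https://pingfed.example.test/sp/ACS.saml2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:AssertionConsumerService index="1" Location="https://pingfed.example.test/sp/ACS.saml2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
    <md:SingleLogoutService Location="http://pingfed.example.test/sp/SLO.saml2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text):
    """Return (entity_id, findings) for one SAML SP metadata document."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return entity_id, ["no SPSSODescriptor: this is not SP metadata"]
    findings = []
    if sp.find(f"{{{MD}}}AssertionConsumerService") is None:
        findings.append("no AssertionConsumerService endpoint")
    # Every endpoint element (ACS, SingleLogoutService, ...) carries a Binding.
    for ep in (e for e in sp.iter() if "Binding" in e.attrib):
        name = ep.tag.rsplit("}", 1)[-1]
        binding = ep.get("Binding")
        if binding not in ALLOWED:
            short = binding.replace(BINDING_PREFIX, "")
            findings.append(f"{name}: unsupported binding {short}")
        # Step 21 leaves assertions unencrypted, so the endpoint must use TLS.
        if not ep.get("Location", "").lower().startswith("https://"):
            findings.append(f"{name}: Location is not https")
    return entity_id, findings


if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_METADATA))
```

An empty findings list means every advertised endpoint uses a binding that RSA SecurID Access supports and is served over HTTPS.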

User Experience

Login Screen (AM or Cloud)
User-defined New PIN (AM)
System generated New PIN (AM)
Next Tokencode (AM)

 
