This section describes how to integrate RSA SecurID Access with PingFederate using SAML Relying Party.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as a Relying Party to PingFederate. 

Procedure 

1. Sign in to RSA Cloud Administration Console.
2. Select the Authentication Clients > Relying Parties..

3. Click the Add a Relying Party button on the My Relying Parties page.

4. From the Relying Party Catalog, click the Service Provider SAML Add button.

5. Enter the Name for the Service Provider in the Name field on the Basic Information page.

6. Click Next Step.
7. On the Authentication page, select SecurID Access manages all authentication.
8. From 2.0 Access Policy for Authentication dropdown list, select a policy that was previously configured.

9. Click Next Step.
10. Select the Enter Manually button on the Connection Profile page.

11. Go to the Service Provider section and enter the following details:
    1. ACS URL: It will be in this format https://<BASE_URL>/sp/ACS.saml2. This represents the base URL of the PingFederate server. Replace <BASE_URL> with the actual domain of your PingFederate setup.
    2. Audience (Service Provider Entity ID): The format will be <SAML 2.0 ENTITY ID> which can be retrieved from the PingFederate administrative console. Refer to the notes for detailed steps.

Note:  If ACS URL and Audience are not known, enter temporary place holder values so that you can continue. After you complete the PingFederate SP configuration and export its metadata, you can import it to fill these values automatically.

12. Go to the Message Protection section and select IdP signs entire SAML response.
13. Click Save and Finish.
14. Locate the application created in Relying Parties page and click the dropdown arrow next to Edit > Metadata > Download Metadata File.
15. Click Publish Changes and wait for the operation to be completed.

16. After publishing, your application is now enabled for SSO. 

Configure PingFederate

Perform these steps to configure PingFederate. 

1. In the PingFederate administrative console, go to Authentication > Integration > IdP Connections, and then click Create Connection.

2. On the Connection Type tab, select Browser SSO Profiles. Then in the Protocol list, select SAML 2.0, and click Next.

3. On the Connection Options tab, click Next.

4. On the Import Metadata tab, click File, and then click Choose File.
5. Locate and select metadata file from the RSA Cloud Authentication Service configuration, click Open. Then, click Next to proceed.

6. On the Metadata Summary tab, click Next.

7. On the General Info tab, The General Info tab is filled out by the metadata. Review the Partner’s Entity ID and Connection Name. Click Next.

8. On the Browser SSO tab, click Configure Browser SSO.

9. On the SAML Profiles tab, check the IDP-Initiated SSO and the SP-Initiated SSO checkboxes. Then click Next.

10. On the User-Session Creation tab, click Configure User-Session Creation.

11. On the Identity Mapping tab, click Account Mapping and then click Next.

12. On the Attribute Contract tab, click Next.

Note: From this point onward, the configuration process splits into two distinct paths. Choose one path from each configuration based on your specific needs to proceed.

Configure using an Adapter Instance

Perform these steps to configure PingFederate using Adapter Instance. 

1. On the Target Session Mapping tab, click Map New Adapter Instance.

2. On the Adapter Instance tab, click Manage Adapter Instances.

3. On the SP Adapters page, click Create New Instance.

4. On the Type tab, enter Instance Name and Instance ID, select OpenToken SP Adapter from the Type dropdown list and click Next.

5. On the Instance Configuration tab, enter the Password and Confirm Password field values (This is used to generate the encryption key and is not referenced elsewhere). Then click Next.

6. On the Actions tab, click Next.

7. On the Extended Contract page, click Next.

8. On the Target App Info tab, leave the Application Name and URL fields blank. Then click Next.

9. On the Summary tab, click Save.
10. On the SP Adapters page, click Done.
11. On the Adapter Instance tab, from the Adapter Instance dropdown list, select the adapter name created previously and click Next.

12. On the Adapter Data Store tab, keep the default selection of Use only the Attributes Available in the SSO Assertion, and then click Next.

13. On the Adapter Contract Fulfillment tab, set the following details:
    1. Select Assertion from the Source dropdown menu.
    2. Select SAML_SUBJECT from the Value dropdown menu.

Note: These selections map the attributes from the inbound assertion to the connection attributes.

14. Click Next to proceed.

15. On the Issuance Criteria tab, click Next.

16. To complete the adapter configuration, click Done on the Adapter Mapping Summary tab. Then, on the Target Session Mapping tab.
17. Review the User-Session Creation Summary tab, and then click Done.
18. On the User Session Creation tab, click Next.

19. On the Protocol Settings tab, click Configure Protocol Settings.

Note: The Protocol Settings tab shows the currently configured values from the metadata.

20. On the SSO Service URLs tab, review the Endpoint URLs extracted from the metadata. Click Next.

21. On the Allowable SAML Bindings tab, ensure only Post and Redirect are selected, and then click Next.

22. On the Overrides tab, click Next.
23. On the Signature Policy tab, use the default selection of Use SAML-Standard Signature Requirements where the IdP will sign the response. Click Next.

24. On the Encryption Policy tab, keep the default selection of None. Click Next.

25. On the Protocol Settings Summary tab, review and click Done.
26. On the Protocol Settings tab, click Next.
27. On the Browser SSO Summary tab, review the settings and click Done.
28. On the Browser SSO tab, click Next.

29. On the Credentials tab, verify the IdP signing certificate is available, and then click Next.

Note: The signing public key was included because you imported metadata. 

30. On the Activation and Summary tab, ensure the Connection Status is Active, make note of the SSO Application Endpoint URL and click Save.

31. On the IdP Connections page, locate the IdP Connection created, open the Select Action list and click Export Metadata.

Note: If temporary placeholder values were used during the RSA Cloud Authentication Service configuration, return and update them with the values from the PingFederate metadata file

Configuration completed.

Configure using an Authentication Policy Contract

Perform these steps to configure PingFederate using an Authentication Policy Contract. 

1. On the Target Session Mapping tab, click Map New Authentication Policy.

2. On the Authentication Policy Contract tab, click Manage Policy Contracts.

3. On the Policy Contracts page, click Create New Contract.

4. On the Contract Info tab, enter Contact Name and click Next.
5. On the Contract Attributes page, click Next.
6. On the Authentication Policy Contract Summary Page, click Save.
7. On the Policy Contracts page, click Done.
8. On the Authentication Policy Contract tab, select the contract created previously from the Authentication Policy Contract dropdown list. Click Next.
9. On the Attribute Retrieval tab, select Use Only the Attributes Available in the SSO Assertion and click Next.

10. On the Contract Fulfillment tab, set the following and then click Next:

1. 1. Select Assertion from the Source dropdown list.
   2. Select SAML_SUBJECT from the Value dropdown list.

11. On the Issuance Criteria tab, click Next.

12. To complete the configuration, click Done on the Authentication Policy Mapping Summary tab. Then, on the Target Session Mapping tab, click Next.
13. On the User-Session Creation Summary tab, review the information and click Done to return to the User-Session Creation tab.
14. On the User Session Creation tab, click Next.

15. On the Protocol Settings tab, click Configure Protocol Settings.

Note: The Protocol Settings tab shows the currently configured values from the metadata.

16. On the SSO Service URLs tab, review the Endpoint URLs extracted from the metadata. Click Next.

17. On the Allowable SAML Bindings tab, ensure only Post and Redirect are selected, and then click Next.

18. On the Overrides tab, click Next.
19. On the Signature Policy tab, use the default selection of Use SAML-Standard Signature Requirements where the IdP will sign the response. Click Next.

20. On the Encryption Policy tab, keep the default selection of None. Click Next.

21. On the Protocol Settings Summary tab, review and click Done.
22. On the Protocol Settings tab, click Next.
23. On the Browser SSO Summary tab, review the settings and click Done.
24. On the Browser SSO tab, click Next.

25. On the Credentials tab, verify the IdP signing certificate is available, and then click Next.

Note: The signing public key was included because you imported metadata. 

26. On the Activation and Summary tab, ensure the Connection Status to Active, make note of the SSO Application Endpoint URL and click Save.

27. On the IdP Connections page, locate the IdP Connection created, open the Select Action list and click Export Metadata.

Note: If temporary placeholder values were used during the RSA Cloud Authentication Service configuration, return and update them with the values from the PingFederate metadata file

28. In the PingFederate administrative console, navigate to Applications > SP Connections and click the 3rd party application SAML SP connection.

29. Go to the Assertion Creation section and click Authentication Source Mapping.

30. On the Authentication Source Mapping tab, click Map New Authentication Policy.
31. On the Authentication Policy Contract tab, choose the contract created previously from the Authentication Policy Contract dropdown list and click Next.
32. On the Mapping Method page, click Next.

33. On the Attribute Contract Fulfillment tab, choose Authentication Policy Contract from the Source dropdown list and subject from the Value dropdown list. Then click Next.

34. On the Issuance Criteria page, click Next.
35. On the Summary page, review the information and click Save.
36. In the PingFederate administrative web console, navigate to Authentication > Policies and then click Add Policy.

37. On the Policy page, enable the policy contract created previously.

38.  Configure the authentication policy as shown in the following information:

1. 1. The first Action branch is configured to HTML form authentication method.
   2. The second Action branch is configured to use RSA ID Plus IdP connection that was previously configured.
   3. The third Action branch is configured to use an Authentication Policy Contract to take attributes from the IdP connection and send them to the created SAML SP.

39. Click Options on the IdP Connection (second Action branch).
40. On the Incoming User ID pop-up, choose the Adapter from the Source dropdown menu and username from the Attribute dropdown and click Done.

41. Click Contract Mapping on the Policy Contract (third Action branch).
42. On the Attribute Sources & User Lookup page, click Next.
43. On the Contract Fulfillment tab, choose the IdP Connection from the Source dropdown list and choose SAML_SUBJECT from the Value dropdown list and click Next.

45. On the Issuance Criteria tab, click Next.
46. On the Summary tab, review the information and click Done.
47. On the Policy page, click Done.
48. On the Policies page, click Save to complete the configuration process.

Configuration completed. 

Notes

• To access and verify the required settings, go to System > Server > Protocol Settings, then under the Federation Info tab, note the Base URL used in the RSA Cloud Authentication Service configuration. Additionally, verify that the SAML 2.0 Entity ID field contains a valid and unique value, as it will also be used in the RSA Cloud Authentication Service configuration.