PingOne - SAML IDR SSO Configuration - RSA Ready Implementation Guide
2 years ago

This article describes how to integrate RSA Cloud Authentication Service with PingOne using SAML IDR SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as IDR SSO to PingOne.
Procedure

  1. Sign in to the RSA Cloud Administration Console and browse to Applications > Application Catalog. Search for Ping Identity PingOne and select Add to add the connector.
  2. On the Basic Information page, select Identity Router.
  3. Enter the name for the application in the Name field and click Next Step.
  4. Navigate to the Initiate SAML Workflow section. In the Connection URL field, enter the value of the Identity Provider URL found on the same page.
  5. Select SP-initiated and, for the Binding Method for SAML Request, choose POST.
  6. Scroll down to the SAML Identity Provider (Issuer) section.
    1. The Identity Provider URL is automatically generated.
    2. The Identity Provider Entity ID is automatically generated.
    3. Select Generate Cert Bundle, set a common name for your company certificate, and then select Generate and Download.
    4. Select Choose File and upload the private key from the generated certificate bundle.
    5. Select Choose File and upload the certificate from the generated certificate bundle.
  7. In the Service Provider section, enter the following details:
    1. Assertion Consumer Service (ACS) URL: https://auth.pingone.eu/<Environment ID>/saml20/sp/acs
    2. Service Provider Entity ID: This can be obtained from the PingOne environment.
  8. In the User Identity section, configure Identifier Type, Identity Source, and Property as follows:
    1. Identifier Type: Email Address
    2. Identity Source: Select your user identity source.
    3. Property: mail
  9. In the Statement Attributes section, remove all the default attributes.
  10. Click Next Step.
  11. On the User Access page, select the access policy that the identity router will use to determine which users can access the application.
  12. Click Next Step.
  13. On the Portal Display page, configure the portal display and other settings. Then click Save and Finish.
  14. On the My Applications page, click the Edit dropdown and select Export Metadata to download the metadata.
  15. Click Publish Changes to save your settings. After publishing, your application will be enabled for SSO.
 

Configure PingOne

Perform these steps to configure PingOne.

Procedure
  1. Sign in to the Ping Identity admin console for the environment that uses PingOne.
  2. In the left pane, select External IDPs from the Integrations dropdown menu.
  3. Select +Add Provider.
  4. Under CUSTOM, select SAML.
  5. Enter a custom name for the external identity provider in the Name field (here, RSA Cloud Authentication Service) and optionally add a description. Then select Continue.
  6. Copy the PINGONE (SP) ENTITY ID value, which will be used in the RSA configuration as the Service Provider Entity ID. Select Continue.
  7. Select Import Metadata and then choose the metadata file you downloaded from the RSA platform. Copy the ACS Endpoint value, which will be used in the RSA configuration as the Assertion Consumer Service (ACS) URL. Then select Continue.
  8. After you import the RSA metadata file, the SSO Endpoint, IDP Entity ID, and certificate fields are auto-populated. Ensure that the SSO Binding type is set to HTTP POST.
  9. Optionally, map any additional attributes needed between RSA as an Identity Provider and PingOne. Select Save and Continue, and you should see RSA listed under External IDPs.
  10. In the left pane, go to the Authentication tab.
  11. Select +Add Policy. Enter a name for the new policy, and from the Step Type dropdown, select External Identity Provider. Then choose the configured RSA IDP from the External Identity Provider dropdown, and select Save.
  12. In the left pane, go to Applications. Choose the applications that will use RSA as the External Identity Provider for authenticating users.
  13. Select an application, and its settings will appear on the right. Ensure that the policy you created earlier is assigned in the Policies section for the protected application.
 

User Experience

  1. Log in directly to the application protected by PingOne. After the user enters their organization’s email address, they will be redirected to PingOne, which will then automatically redirect them to RSA Cloud Authentication Service for authentication.
  2. The user will authenticate through the RSA Cloud Authentication Service. If successful, they will be logged in and redirected back to the protected application.


The configuration is complete.