PingOne - SAML My Page SSO Configuration - RSA Ready Implementation Guide
2 years ago
This article describes how to integrate PingOne with RSA Cloud Authentication Service using My Page SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using My Page SSO.
Procedure
  1. Sign in to the RSA Cloud Administration Console with administrator credentials.
  2. Enable SSO on the My Page portal: in the RSA Cloud Administration Console, go to Access > My Page > Single Sign-On (SSO). Ensure it is enabled and protected by two-factor authentication using a Password and Access Policy.
  3. On the Applications > Application Catalog page, search for Ping Identity PingOne and click Add to add the connection.
  4. On the Basic Information page, enter a name for the configuration in the Name field.
  5. In the Choose where to enable your application section, select Cloud and then click Next Step.
  6. In the Connection Profile section, select the IdP-initiated option.
  7. Provide the Service Provider details in the following format:
    1. Assertion Consumer Service (ACS) URL: https://auth.pingone.eu/<Environment ID>/saml20/sp/acs
    2. Service Provider Entity ID: This can be obtained from the PingOne environment.
  8. In the SAML Response Protection section, select IdP signs assertion within response, and download the certificate by clicking Download Certificate.
  9. Under the User Identity section, select Show Advanced Configuration, then configure Identifier Type and Property as follows:
    1. Identifier Type: Email Address
    2. Property: mail
  10. In the Statement Attributes section, remove all the default attributes.
  11. Click Next Step.
  12. Choose your desired Access Policy for this application and click Next Step > Save and Finish.
  13. On the My Applications page, click the Edit dropdown and select Export Metadata to download the metadata.
  14. Click Publish Changes to save your settings. After publishing, your application will be enabled for SSO.
 

Configure PingOne

Perform these steps to configure PingOne.

Procedure
  1. Sign in to the Ping Identity admin console for the environment that uses PingOne.
  2. In the left pane, select External IDPs from the Integrations dropdown menu.
  3. Select +Add Provider.
  4. Under CUSTOM, select SAML.
  5. Enter a custom name for the external identity provider in the Name field (in this case, RSA Cloud Authentication Service) and optionally add a description. Then, select Continue.
  6. Copy the PINGONE (SP) ENTITY ID value, which will be used in the RSA configuration as the Service Provider Entity ID. Select Continue.
  7. Select Import Metadata and then choose the metadata file you downloaded from the RSA platform. Copy the ACS Endpoint value, which will be used in the RSA configuration as the Assertion Consumer Service (ACS) URL. Then, select Continue.
  8. After you import the RSA metadata file, the SSO Endpoint, IDP Entity ID, and certificate fields are auto-populated. Ensure that the SSO Binding type is set to HTTP POST.
  9. Optionally, map any additional attributes needed between RSA as an Identity Provider and PingOne. Select Save and Continue, and you should see RSA listed under External IDPs.
  10. In the left pane, go to the Authentication tab.
  11. Select +Add Policy. Enter a name for the new policy, and from the Step Type dropdown, select External Identity Provider. Then, choose the configured RSA IDP from the External Identity Provider dropdown, and select Save.
  12. In the left pane, go to Applications. Choose the applications that will use RSA as the External Identity Provider for authenticating users.
  13. Select an application, and its settings will appear on the right. Ensure that the policy you created earlier is assigned in the Policies section for the protected application.
 

User Experience

  1. Log in directly to the application protected by PingOne. After the user enters their organization’s email address, they will be redirected to PingOne, which will then automatically redirect them to RSA Cloud Authentication Service for authentication.
  2. The user will authenticate through the RSA Cloud Authentication Service. If successful, they will be logged in and redirected back to the protected application.

The configuration is complete.
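
A check for the two values exchanged between the procedures above, as an added example that is not part of the original guide or of RSA or Ping Identity tooling: it inspects the metadata file exported from RSA for the HTTP POST binding and a signing certificate, and checks that the ACS URL has the Environment ID filled in. The function names and the sample metadata are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def check_idp_metadata(xml_text):
    """Return problems found in the IdP metadata exported from RSA."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["metadata contains a DTD; not parsing it"]
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != MD + "EntityDescriptor" or not root.get("entityID"):
        problems.append("no EntityDescriptor with an entityID")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor element"]
    # The guide requires the SSO binding to be HTTP POST.
    bindings = {s.get("Binding") for s in idp.findall(MD + "SingleSignOnService")}
    if HTTP_POST not in bindings:
        problems.append("no SingleSignOnService with the HTTP-POST binding")
    certs = [c.text for k in idp.findall(MD + "KeyDescriptor")
             if k.get("use") in (None, "signing")
             for c in k.iter(DS + "X509Certificate")]
    if not any(c and c.strip() for c in certs):
        problems.append("no signing certificate in the metadata")
    return problems

def check_acs_url(url):
    """Check an ACS URL against the format in step 7 of the RSA procedure."""
    parts, problems = urlsplit(url), []
    if parts.scheme != "https":
        problems.append("ACS URL must use https")
    if not re.fullmatch(r"/[^/<>\s]+/saml20/sp/acs", parts.path):
        problems.append("path is not /<Environment ID>/saml20/sp/acs with the ID filled in")
    return problems

# Constructed sample metadata, not a real RSA export; the certificate is a placeholder.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Both functions return an empty list when nothing is wrong, so `check_idp_metadata(open(path).read())` on the exported file can gate the import step.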