PingOne - SAML Relying Party Configuration - RSA Ready Implementation Guide
2 years ago

This article describes how to integrate RSA with PingOne using SAML Relying Party.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as a Relying Party to PingOne.
Procedure
  1. Sign in to the RSA Cloud Administration Console.
  2. Navigate to the Authentication Clients menu, and from the dropdown, select Relying Parties.
  3. In the Relying Party Catalog, select Add a Relying Party and click Add for Service Provider SAML.
  4. On the Basic Information page, enter a name for the application in the Name field and click Next Step.
  5. In the Authentication tab, select SecurID manages all authentication.
  6. Select Primary Authentication Method and Access Policy as required and click Next Step.
  7. Provide the Service Provider details in the following format:
    1. Assertion Consumer Service (ACS) URL: https://auth.pingone.eu/<Environment ID>/saml20/sp/acs
    2. Service Provider Entity ID: This can be obtained from the PingOne environment.
  8. In the SAML Response Protection section, select IdP signs assertion within response, and download the certificate by clicking Download Certificate.
  9. Under the User Identity section, select Show Advanced Configuration, then configure Identifier Type and Property as follows:
    1. Identifier Type: Email Address
    2. Property: mail
  10. Click Save and Finish.
  11. On the My Relying Parties page, click the Edit dropdown and select the Metadata option to download the metadata.
  12. Click Publish Changes to save your settings. After publishing, your application will be enabled for SSO.
 

Configure PingOne

Perform these steps to configure PingOne.

Procedure
  1. Sign in to the Ping Identity admin console for the environment that uses PingOne.
  2. In the left pane, select External IDPs from the Integrations dropdown menu.
  3. Select +Add Provider.
  4. Under CUSTOM, select SAML.
  5. In the Name field, enter a custom name for the external identity provider, which will be RSA Cloud Authentication Service, and optionally add a description. Then, select Continue.
  6. Copy the PINGONE (SP) ENTITY ID value, which will be used in the RSA configuration as the Service Provider Entity ID. Select Continue.
  7. Select Import Metadata and then choose the metadata file you downloaded from the RSA platform. Copy the ACS Endpoint value, which will be used in the RSA configuration as the Assertion Consumer Service (ACS) URL. Then, select Continue.
  8. After you import the RSA metadata file, the SSO Endpoint, IDP Entity ID, and certificate fields will be auto-populated. Ensure that the SSO Binding type is set to HTTP POST.
  9. Optionally, map any additional attributes needed between RSA as an Identity Provider and PingOne. Select Save and Continue, and you should see RSA listed under External IDPs.
  10. In the left pane, go to the Authentication tab.
  11. Select +Add Policy. Enter a name for the new policy, and from the Step Type dropdown, select External Identity Provider. Then, choose the configured RSA IDP from the External Identity Provider dropdown, and select Save.
  12. In the left pane, go to Applications. Choose the applications that will use RSA as the External Identity Provider for authenticating users.
  13. Select an application, and its settings will appear on the right. Ensure that the policy you created earlier is assigned in the Policies section for the protected application.
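
The following is an added example, not part of the RSA or PingOne documentation: a pre-import check of the downloaded RSA metadata file that confirms it offers an HTTP POST SSO endpoint over https and that its signing certificate matches the certificate saved with Download Certificate. The entity ID, endpoint URL and certificate bytes are constructed placeholders, and it is an assumption that the metadata embeds the same signing certificate as the separate download.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample input: placeholder entity ID, endpoint and certificate bytes.
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
SAMPLE_CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{CERT_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(cert_text):
    """SHA-256 of the DER bytes; accepts PEM or the bare base64 found in metadata."""
    lines = [line.strip() for line in cert_text.splitlines()]
    body = "".join(line for line in lines if not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def check_idp_metadata(metadata_xml, downloaded_cert_pem):
    """Return (summary, problems) for IdP metadata about to be imported."""
    root = ET.fromstring(metadata_xml)  # input is your own console download
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return {}, ["no IDPSSODescriptor element: not IdP metadata"]
    problems = []
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall(f"{{{MD}}}SingleSignOnService")}
    if HTTP_POST not in sso:
        problems.append("no HTTP POST SingleSignOnService endpoint")
    elif not sso[HTTP_POST].startswith("https://"):
        problems.append("SSO endpoint is not https")
    # A KeyDescriptor without 'use' applies to signing as well as encryption.
    prints = {fingerprint(c.text)
              for kd in idp.findall(f"{{{MD}}}KeyDescriptor") if kd.get("use") in (None, "signing")
              for c in kd.iter(f"{{{DS}}}X509Certificate") if c.text}
    if not prints:
        problems.append("no signing certificate in metadata")
    elif fingerprint(downloaded_cert_pem) not in prints:
        problems.append("metadata signing certificate differs from downloaded certificate")
    summary = {"entity_id": root.get("entityID"), "sso_post": sso.get(HTTP_POST),
               "signing_sha256": sorted(prints)}
    return summary, problems
```

To check real files, pass the contents of the downloaded metadata file and certificate file to check_idp_metadata and review any entries in the returned problems list before importing.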

User Experience

  1. Log in directly to the application protected by PingOne. After the user enters their organization’s email address, they will be redirected to PingOne, which will then automatically redirect them to RSA Cloud Authentication Service for authentication.
  2. The user will authenticate through the RSA Cloud Authentication Service. If successful, they will be logged in and redirected back to the protected application.


The configuration is complete.