SAP NetWeaver - SAML Relying Party Configuration - RSA Ready Implementation Guide

This article describes how to integrate the RSA Cloud Authentication Service (CAS) with SAP NetWeaver using a SAML Relying Party. The two procedures below must be configured to match: the identifiers, URLs and signing certificate entered on the RSA side are the values SAP NetWeaver validates on every login, and any mismatch causes the assertion to be rejected.


Configure CAS

Perform these steps to configure CAS.

Procedure

  1. Sign in to the RSA Cloud Administration Console.
  2. Navigate to the Authentication Clients menu and select Relying Parties.
  3. Click Add a Relying Party.
  4. In the Relying party catalog section, click Add for Service Provider SAML.
  5. On the Basic Information page, enter the name for the application in the Name field and click Next Step.
  6. In the Authentication tab, select SecurID manages all authentication.
  7. Select a Primary Authentication Method and an Access Policy as required and click Next Step.
  8. Under Data Import method, enter the following values:
     • ACS URL: https://<SAP NetWeaver domain name>/sap/bc/gui/sap/its/webgui
     • Service Provider Entity ID: must match the Provider Name configured in SAP NetWeaver (transaction SAML2). This value is sent as the Audience of the assertion, so a mismatch is rejected by SAP NetWeaver.
  9. In the Message Protection section, for SAML Response Protection select IdP signs assertion with response.
  10. Scroll down to the User Identity section and select the following:
     • Identifier Type: emailAddress
     • Property: mail
  11. In the Identity Provider section, enter the Entity ID. This is the Issuer value SAP NetWeaver will trust; the Identity Provider URL and the signing certificate associated with this identity provider are also needed for the SAP NetWeaver configuration.
  12. Click Save and Finish.
  13. Click Publish Changes. After publishing, the application is enabled for SSO.

The configuration is complete.


SAP NetWeaver Configuration

Perform these steps to configure SAP NetWeaver. 

Procedure

  1. Start the SAML 2.0 configuration application (transaction SAML2).
  2. Click Enable SAML 2.0 Support.
  3. Enter the Provider Name and click Next.

Note: The Provider Name is the SAP NetWeaver service provider entity ID. It must match the Service Provider Entity ID (the assertion Audience) as configured in the RSA ID Plus console.

  4. Set the Clock Skew Tolerance and click Next.

Note: Keep the tolerance small (a few minutes at most). It widens the window in which a replayed or late assertion is still accepted, so correct clock drift with time synchronization rather than by raising this value.

  5. Set the Identity Provider Discovery Selection Mode to Automatic, mark the checkbox for Assertion Consumer Service HTTP POST binding and click Finish.

Note: None of the other Assertion Consumer Service or Single Logout Service bindings are currently supported in RSA ID Plus.

  6. Open the Trusted Providers tab and click Add > Manually.
  7. Enter a Name for the new trusted identity provider and click Next.

Note: The Name must match the Issuer Entity ID (the Entity ID entered in the Identity Provider section) as configured in the RSA ID Plus console.

  8. In the Primary Signing Certificate section, click Browse and upload the Primary Signing Certificate, then click Next.

Note: The primary signing certificate must match the certificate uploaded to the RSA ID Plus console. SAP NetWeaver verifies the assertion signature against this certificate, so a wrong or expired certificate fails every login.

  9. Click Add to add a single sign-on endpoint.
  10. Select HTTP POST from the Binding dropdown menu, enter the Location URL and click OK.

Note: The Location URL must match the Identity Provider URL as configured in the RSA ID Plus console.

  11. Click Next on each of the remaining three wizard pages, keeping the defaults, then click Finish.
  12. Click Edit, then Add to add a NameID format.
  13. Choose a NameID format and click OK.

Note: The NameID format must match the Identifier Type configured in the User Identity section of the RSA ID Plus console; for emailAddress this is the E-mail format (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).

  14. Click Save and then Enable > OK.


The configuration is complete.
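The notes in both procedures above all express one rule: the ACS URL, Service Provider Entity ID, Identity Provider Entity ID, signing certificate, NameID format and clock skew tolerance must agree between the RSA console and transaction SAML2. When a login fails after setup, the quickest diagnosis is to take the SAML Response posted to the ACS URL (the browser's SAML tracer or the SAP SAML2 trace, base64-decoded) and compare it field by field against what was configured. The script below is an added example for that comparison; it is not part of the RSA guide or of either product. The host names, entity IDs, certificate text and the sample response are constructed placeholders, and the signature check is structural only (the Assertion carries a ds:Signature whose embedded certificate matches the one uploaded to SAP), not a cryptographic XML-DSig verification, which SAP NetWeaver itself performs.

```python
"""Compare a SAML Response against the values configured in the RSA console
and SAP NetWeaver (transaction SAML2). Added example; all values are
placeholders and the sample response is constructed, not a real capture."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Values as entered in the two consoles (assumed placeholders).
EXPECTED = {
    "acs_url": "https://sap.example.com/sap/bc/gui/sap/its/webgui",  # RSA ACS URL
    "sp_entity_id": "sap-netweaver-prod",       # SAP Provider Name == RSA SP Entity ID
    "idp_entity_id": "https://idp.example.com", # RSA IdP Entity ID == SAP trusted provider Name
    "idp_cert": "EXAMPLE-CERT-BASE64",          # base64 body of the RSA signing certificate
    "clock_skew": timedelta(seconds=120),       # SAP Clock Skew Tolerance
    "nameid_format": NAMEID_EMAIL,              # RSA Identifier Type: emailAddress
}

# Constructed sample response, consistent with EXPECTED.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z"
    Destination="https://sap.example.com/sap/bc/gui/sap/its/webgui">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        EXAMPLE-CERT-BASE64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T10:05:00Z"
            Recipient="https://sap.example.com/sap/bc/gui/sap/its/webgui"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>sap-netweaver-prod</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

SAMPLE_NOW = datetime(2024, 5, 1, 10, 2, tzinfo=timezone.utc)   # inside the validity window
SAMPLE_LATE = SAMPLE_NOW + timedelta(minutes=10)                # past NotOnOrAfter plus skew


def _saml_time(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _text(elem, path):
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def check_response(xml_text, expected=EXPECTED, now=None):
    """Return the list of mismatches; an empty list means both sides agree."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination does not match the ACS URL")
    if _text(root, "saml:Issuer") != expected["idp_entity_id"]:
        problems.append("Response Issuer does not match the IdP Entity ID")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion in the Response")
        return problems
    if _text(assertion, "saml:Issuer") != expected["idp_entity_id"]:
        problems.append("Assertion Issuer does not match the trusted provider Name")
    # "IdP signs assertion with response": the Assertion must carry its own signature,
    # and the embedded certificate must be the one uploaded in transaction SAML2.
    cert = _text(assertion, "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate")
    if cert is None:
        problems.append("Assertion is not signed")
    elif "".join(cert.split()) != "".join(expected["idp_cert"].split()):
        problems.append("embedded signing certificate differs from the one uploaded to SAP")
    if _text(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience") != expected["sp_entity_id"]:
        problems.append("Audience does not match the SAP Provider Name")
    cond = assertion.find("saml:Conditions", NS)
    skew = expected["clock_skew"]
    if cond is not None and cond.get("NotBefore") and now < _saml_time(cond.get("NotBefore")) - skew:
        problems.append("assertion not yet valid (outside clock skew tolerance)")
    if cond is not None and cond.get("NotOnOrAfter") and now >= _saml_time(cond.get("NotOnOrAfter")) + skew:
        problems.append("assertion expired (outside clock skew tolerance)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != expected["nameid_format"]:
        problems.append("NameID format does not match the configured Identifier Type")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID is not an e-mail address although the format is emailAddress")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        problems.append("SubjectConfirmationData Recipient does not match the ACS URL")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, now=SAMPLE_NOW) or "all configured values agree")
    print(check_response(SAMPLE_RESPONSE.replace("sap-netweaver-prod", "other-sp"), now=SAMPLE_NOW))
```

Replace the values in EXPECTED with the ones actually entered in the two consoles and pass the decoded response from the failing login; each reported problem names the console field that disagrees. The clock skew check applies the SAP tolerance symmetrically, which is why a large tolerance is a risk rather than a convenience: it extends how long an intercepted assertion remains replayable.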