Salesforce - SAML My Page SSO Configuration - RSA Ready Implementation Guide
Originally Published: 2023-06-07

This article describes how to integrate Salesforce with RSA Cloud Access Service (CAS) using My Page SSO.


Configure CAS

Perform these steps to configure CAS using My Page SSO.

Procedure

  1. Sign in to the RSA Cloud Administration Console and browse to Applications > Application Catalog.
  2. Click Create from Template, and then click Select next to SAML Direct.
  3. On the Basic Information page, choose Cloud.
  4. Enter the name for the application and click Next Step.
  5. On the Connection Profile page, navigate to the Initiate SAML Workflow section and choose IdP-initiated.
  6. Under Data Input Method, choose Import Metadata and click Choose File to import the metadata downloaded from Salesforce to populate the ACS URL and Service Provider Entity ID.
  7. In the Message Protection section, select IdP signs entire SAML response.
  8. Click Download Certificate.
  9. Under the User Identity section:
    1. Identifier Type: unspecified
    2. Property: mail

  10. In the Statement Attributes section, enter the following Authentication Context value:
    mfa
    Note: The Authentication Context value mfa is explicitly recognized by Salesforce as a secure authentication method and indicates that a contracted mobile-based two-factor authentication flow was performed by the Identity Provider.
    Reference: Salesforce SFDCAV Device Activation Function Guide: Changes to Device Activation for Single Sign-On (SSO) Logins
    To bypass Device Activation, the IdP must pass mfa as the Authentication Context value in the SAML assertion it sends to Salesforce.
  11. On the User Access page, choose the access policy you want to use to determine which users can access the application, and then click Next Step.
  12. On the Portal Display page, configure the portal display and other settings, and then click Next Step.
  13. On the Fulfillment page, configure your preferred settings or leave the Fulfillment toggle disabled as it is, and then click Save and Finish.
  14. Click Publish Changes and wait for the operation to be completed.
    After publishing, the application is enabled for SSO.
  15. Navigate to the newly created application from My Application.
  16. In the Edit drop-down list, choose Export Metadata. This metadata will be used later in the Salesforce configuration.
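To confirm that the response CAS emits actually carries what the steps above configure (a signature on the whole Response, an unspecified-format NameID holding the mail address, and the mfa Authentication Context that lets Salesforce skip Device Activation), here is an added Python inspection example. It is not part of the RSA guide or of either product; the sample response, its IDs and the user address are constructed, and it checks only the presence of the signature element, not its validity.

```python
# Added example (not from the RSA guide or Salesforce): inspect a SAML Response
# posted to the Salesforce ACS for the settings the CAS steps above produce.
# Signature *validation* is not done here; Salesforce does that against the
# IdP certificate uploaded in Single Sign-On Settings. Parse untrusted XML
# with defusedxml rather than the stdlib parser.
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

def decode_post_binding(saml_response_b64: str) -> str:
    """Decode the SAMLResponse form field (HTTP-POST binding) to XML text."""
    return base64.b64decode(saml_response_b64).decode("utf-8")

def check_response(xml_text: str) -> dict:
    """Map each property the configuration should produce to True/False."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    name_id = ctx = None
    if assertion is not None:
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return {
        # "IdP signs entire SAML response": ds:Signature is a child of samlp:Response
        "response_signed": root.find("ds:Signature", NS) is not None,
        # Identifier Type "unspecified", Property "mail"
        "nameid_unspecified": name_id is not None and name_id.get("Format") == NAMEID_UNSPECIFIED,
        "nameid_is_mail": name_id is not None and "@" in (name_id.text or ""),
        # Authentication Context "mfa" is what lets Salesforce skip Device Activation
        "authn_context_mfa": ctx is not None and (ctx.text or "").strip() == "mfa",
    }

# Constructed sample (hypothetical IDs and user), shaped like an IdP-initiated response.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>mfa</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
# Same response with a password-only context: Salesforce would still enforce Device Activation.
SAMPLE_NO_MFA = SAMPLE_RESPONSE.replace(
    ">mfa<", ">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<")
```

Run `check_response` on a decoded SAMLResponse captured from the browser during a test login; any False entry points at the CAS step that still needs attention.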


Configure Salesforce

Perform these steps to configure Salesforce.

Procedure

  1. Log in to the Salesforce tenant with an administrator account.
  2. Click the gear icon and click Open Advanced Setup.
  3. In the left pane, search for Single Sign-On Settings under the Identity section and click it.
  4. Click Edit and select the SAML Enabled checkbox, if not selected already, and then click Save.
  5. Choose the metadata file downloaded from RSA and click Create.
  6. Add the downloaded IdP certificate and click Save.
  7. Click Download Metadata.
  8. Navigate to My Domain under Company Settings.
  9. Click Edit under Authentication Configuration, select the checkbox with your configuration name, and then click Save.

The configuration is complete.