Shibboleth IDP - SAML Relying Party Configuration - RSA Ready Implementation Guide
Originally Published: 2020-09-01

This section describes how to integrate Shibboleth IDP with RSA Cloud Authentication Service using a SAML Relying Party. In this setup Shibboleth IDP acts as a SAML Service Provider towards RSA: it proxies the user's authentication to RSA, accepts the assertion RSA returns, and then issues its own assertions to the downstream service providers it protects.

Configure RSA Cloud Authentication Service

Perform these steps to register Shibboleth IDP as a SAML Service Provider relying party in RSA Cloud Authentication Service.
Procedure
  1. Sign in to RSA Cloud Administration Console. 
  2. Click Authentication Clients > Relying Parties.
  3. On the My Relying Parties page, click Add a Relying Party.
  4. On the Relying Party Catalog page, click Add for Service Provider SAML.
  5. On the Basic Information page, enter a name for the Service Provider in the Name field.
  6. Click Next Step.
  7. On the Authentication page, click the SecurID manages all authentication option.
  8. In the Primary Authentication Method list, select either Password or SecurID as the login method.
  9. In the Access Policy list, select a policy that was previously configured.
  10. On the Connection Profile page, under the Service Provider Metadata section, enter the following details:
    1. Assertion Consumer Service (ACS) URL: Enter https://<Shibboleth-Hostname>/idp/profile/Authn/SAML2/POST/SSO, where <Shibboleth-Hostname> is the hostname configured in your Shibboleth IDP. The hostname can be found in the idp-metadata.xml file located in the <Shibboleth-Install-Location>\IdP\metadata\ folder (on the Windows Server where Shibboleth IDP is installed). RSA posts the SAML response to this URL from the user's browser, so it must be reachable by the browser over HTTPS.
    2. Service Provider Entity ID: Enter https://<Shibboleth-Scope>/idp, where <Shibboleth-Scope> is the scope configured in Shibboleth IDP. The scope can be found in the idp.properties file located in the <Shibboleth-Install-Location>\IdP\conf\ folder (on the Windows Server where Shibboleth IDP is installed). Whatever value you enter must be identical, character for character, to the idp.entityID property in the same idp.properties file, because Shibboleth IDP uses its own entity ID as the Issuer of the authentication request it sends to RSA; if the two differ, RSA cannot match the request to this relying party.
    3. Click Show Advanced Configuration.
    4. Under User Identity, in the NameID section, select the Identifier Type as unspecified and Property as sAMAccountName.
    5. Click Save and Finish.
  11. On the My Relying Parties page, in the Edit list, click View or Download IdP Metadata.
  12. On the View or Download Identity Provider Metadata page, click Download Metadata File. The file is downloaded with the name IdPMetadata.xml. Once the file is downloaded, click Cancel to return to the My Relying Parties page. This file needs to be uploaded to Shibboleth IDP.
  13. Click Publish Changes.

Configure Shibboleth IDP

Perform these steps to configure Shibboleth IDP to proxy authentication to RSA SecurID Access through its SAML authentication flow, using the Relying Party SAML SP created above.
Procedure
  1. Sign in to the server where Shibboleth IDP is installed.
  2. Copy the metadata file downloaded in Step 12 of RSA Cloud Authentication Service configuration (IdPMetadata.xml) into the <Shibboleth-Install-Location>\IdP\metadata\ folder. This file carries the certificate that Shibboleth IDP will use to verify the signatures on assertions from RSA, so restrict write access to it to the account that administers the IDP.
  3. Edit the <Shibboleth-Install-Location>\IdP\conf\metadata-providers.xml file to add another MetadataProvider entry pointing to the copied file, as follows:
    <MetadataProvider id="CAS-Relying-Party" xsi:type="FilesystemMetadataProvider" metadataFile="<Shibboleth-Install-Location>\IdP\metadata\IdPMetadata.xml" />
    The metadataFile value must match the name of the copied file exactly, including letter case if the IDP runs on a case-sensitive file system.
  4. Edit the <Shibboleth-Install-Location>\IdP\conf\authn\saml-authn-config.xml file to add a new bean as follows:
    <bean id="shibboleth.authn.SAML.discoveryFunction" parent="shibboleth.Functions.Constant" c:target="https://rsa-sid-pe-01.auth-dev.securid.com/saml-fe/sso" />
    The value of "target" is the Issuer Entity ID of your RSA tenant, which is the entityID attribute of the EntityDescriptor element in the IdPMetadata.xml file downloaded in Step 12 of RSA Cloud Authentication Service configuration. The URL shown above is the value for the tenant used in this guide; replace it with your own. This function tells the SAML authentication flow which identity provider in the loaded metadata to send users to.
  5. Edit the <Shibboleth-Install-Location>\IdP\conf\c14n\subject-c14n.xml file to do the following -   
    1. Uncomment the SAML2ProxyTransform bean - <ref bean="c14n/SAML2ProxyTransform" />
    2. Add a new "value" inside the "list" element of the bean with id="shibboleth.ProxyNameTransformPredicate". The "value" is the Issuer Entity ID obtained from the IdPMetadata.xml file downloaded in Step 12 of RSA Cloud Authentication Service configuration, so that the proxy transform is applied to subjects asserted by RSA. For the tenant used in this guide the entry looks as follows:
    <value>https://rsa-sid-pe-01.auth-dev.securid.com/saml-fe/sso</value>
  6. Edit the <Shibboleth-Install-Location>\IdP\conf\saml-nameid.xml file to add another bean under the SAML 2 NameID Generation block as follows:
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
        p:omitQualifiers="true"
        p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        p:attributeSourceIds="#{ {'sAMAccountName'} }" />
    This generator only produces a NameID when an attribute with the ID sAMAccountName has been resolved for the request; confirm that attribute-resolver.xml defines that attribute.
  7. Edit the <Shibboleth-Install-Location>\IdP\conf\idp.properties file to add the SAML and/or MFA flows to the idp.authn.flows parameter. Any new flow can be appended to the end of the string using the pipe (|) character, for example:
    idp.authn.flows=Password|SAML|MFA
  8. Edit the <Shibboleth-Install-Location>\IdP\conf\relying-party.xml file to assign the authentication flow to each service provider that needs to be protected using RSA, by adding or modifying the "p:authenticationFlows" parameter on the SAML2.SSO profile bean in that service provider's RelyingPartyByName override, as follows:
    <bean parent="SAML2.SSO" p:encryptAssertions="false" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:authenticationFlows="SAML"/>
    Note: The supported flows for RSA are SAML and MFA. Only p:authenticationFlows is needed for the RSA integration; p:encryptAssertions="false" turns off assertion encryption for that service provider and should be left at its default unless the service provider cannot decrypt assertions. Repeat this step for each application that needs to be protected using RSA.
  9. (Optional Step) - This step is required only if the MFA authentication flow is used for any service providers protected by RSA according to Step 8. Edit the <Shibboleth-Install-Location>\IdP\conf\authn\mfa-authn-config.xml file to add the SAML flow to the existing MFA transition map as required, for example:
    <util:map id="shibboleth.authn.MFA.TransitionMap">
        <!-- Run authn/Password first. -->
        <entry key="">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
        </entry>
        <!-- If that returns "proceed", run authn/SAML next. -->
        <entry key="authn/Password">
            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/SAML" />
        </entry>
    </util:map>
  10. Save all the configuration files and restart the Shibboleth IDP service. Wait for about 30 seconds after the service starts before proceeding.
Notes: 
  • <Shibboleth-Install-Location> refers to the directory where Shibboleth IDP is installed. In Windows, by default, it is the directory "C:\Program Files (x86)\Shibboleth". Any step that mentions <Shibboleth-Install-Location> should be replaced with the actual path to the directory where Shibboleth IDP is installed in your system.
  • If Password is configured as the Primary Authentication Method in the RSA Cloud Authentication Service configuration, RSA will prompt for and validate the LDAP password (plus any additional factors configured, such as Approve or Biometrics) even if Shibboleth IDP has already validated the password. To avoid two prompts for the LDAP username and password (one from Shibboleth and another from RSA), do not run a password flow before the SAML flow when Password is the Primary Authentication Method in RSA Cloud Authentication Service. This applies only when the MFA flow is configured in Shibboleth IDP, since the transition map in Step 9 is what chains the Password flow ahead of the SAML flow.
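As a check on Steps 3 to 7 of the Shibboleth IDP procedure, here is an added example (not part of this guide and not RSA's or Shibboleth's own code) in Python that reads the downloaded IdPMetadata.xml together with saml-authn-config.xml, subject-c14n.xml and idp.properties and reports every value that has to agree across them: the RSA Issuer Entity ID must be the c:target of the discovery function and must be listed in the ProxyNameTransformPredicate, the SAML2ProxyTransform ref must be uncommented, the SAML flow must be enabled in idp.authn.flows, and the metadata must carry the signing certificate Shibboleth uses to verify RSA's assertions. The XML fragments, hostnames and certificate text embedded in the script are constructed placeholders, not values from this guide or from a real tenant; pass the contents of your own files to the same functions to use it.

```python
"""Cross-check Shibboleth IDP proxy settings against the RSA IdP metadata.

Added example for this guide, not RSA's or Shibboleth's own code. All sample
inputs below are constructed and the hostnames are placeholders.
"""
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_rsa_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints and signing certificates of an IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall(f"{{{MD_NS}}}SingleSignOnService")}
    # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
    certs = [c.text.strip()
             for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor")
             if kd.get("use") in (None, "signing")
             for c in kd.iter(f"{{{DS_NS}}}X509Certificate")]
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def strip_xml_comments(text: str) -> str:
    """Drop <!-- ... --> so a commented-out setting is not mistaken for a live one."""
    return re.sub(r"<!--.*?-->", "", text, flags=re.S)


def check_shibboleth_config(md: dict, saml_authn: str, c14n: str, idp_props: str) -> list:
    """Return the list of mismatches; an empty list means the settings agree."""
    problems = []
    eid = md["entity_id"]
    if not md["signing_certs"]:
        problems.append("metadata: no signing certificate, RSA assertions cannot be verified")
    if not (md["sso"].keys() & {REDIRECT, POST}):
        problems.append("metadata: no HTTP-Redirect or HTTP-POST SingleSignOnService")
    # saml-authn-config.xml: the discovery function must name the RSA entityID.
    m = re.search(r'id="shibboleth\.authn\.SAML\.discoveryFunction"[^>]*c:target="([^"]*)"',
                  strip_xml_comments(saml_authn))
    if m is None:
        problems.append("saml-authn-config.xml: discoveryFunction bean is missing")
    elif m.group(1) != eid:
        problems.append(f"saml-authn-config.xml: c:target {m.group(1)!r} != entityID {eid!r}")
    # subject-c14n.xml: the proxy transform must be live and list the RSA entityID.
    live_c14n = strip_xml_comments(c14n)
    if 'bean="c14n/SAML2ProxyTransform"' not in live_c14n:
        problems.append("subject-c14n.xml: SAML2ProxyTransform ref is commented out or missing")
    pred = re.search(r'id="shibboleth\.ProxyNameTransformPredicate".*?</bean>', live_c14n, re.S)
    if pred is None or f"<value>{eid}</value>" not in pred.group(0):
        problems.append("subject-c14n.xml: entityID not listed in ProxyNameTransformPredicate")
    # idp.properties: the SAML flow must be enabled before relying-party.xml can select it.
    flows = re.search(r"^idp\.authn\.flows\s*=\s*(.*)$", idp_props, re.M)
    enabled = [f.strip() for f in flows.group(1).split("|")] if flows else []
    if "SAML" not in enabled:
        problems.append("idp.properties: idp.authn.flows does not include SAML")
    return problems


# Constructed samples standing in for the real files (placeholder hostnames).
RSA_EID = "https://rsa-example.securid.invalid/saml-fe/sso"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="{RSA_EID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBCONSTRUCTEDPLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="{RSA_EID}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_SAML_AUTHN = f"""<bean id="shibboleth.authn.SAML.discoveryFunction"
    parent="shibboleth.Functions.Constant" c:target="{RSA_EID}" />"""
C14N_TEMPLATE = """<util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
  {ref}
</util:list>
<bean id="shibboleth.ProxyNameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId">
  <constructor-arg name="candidates"><list>{value}</list></constructor-arg>
</bean>"""
C14N_BEFORE = C14N_TEMPLATE.format(ref='<!-- <ref bean="c14n/SAML2ProxyTransform" /> -->', value="")
C14N_AFTER = C14N_TEMPLATE.format(ref='<ref bean="c14n/SAML2ProxyTransform" />',
                                  value=f"<value>{RSA_EID}</value>")


def run_sample() -> tuple:
    """Check the files as shipped (before Steps 5 and 7) and as edited (after)."""
    md = parse_rsa_metadata(SAMPLE_METADATA)
    before = check_shibboleth_config(md, SAMPLE_SAML_AUTHN, C14N_BEFORE, "idp.authn.flows=Password\n")
    after = check_shibboleth_config(md, SAMPLE_SAML_AUTHN, C14N_AFTER, "idp.authn.flows=Password|SAML|MFA\n")
    return before, after
```

To run it against a real installation, read each of the four files with open(...).read() and pass the text to parse_rsa_metadata and check_shibboleth_config; an empty list is the expected result after Step 10 and before the first end-to-end login test. The checks are string matches on the Spring XML, which is enough for the fragments this guide adds but is not a substitute for reading Shibboleth's own startup log after the restart.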



The configuration is complete.
Return to Shibboleth - RSA Ready Implementation Guide.