Shibboleth IDP - SAML My Page SSO Configuration - RSA Ready Implementation Guide
This section describes how to integrate Shibboleth with RSA Cloud Authentication Service using My Page SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using My Page SSO.
Procedure
  1. Sign in to RSA Cloud Administration Console and enable My Page SSO by accessing Access > My Page > Single Sign-On (SSO).
  2. Navigate to Applications > Application Catalog.
  3. Search for ShibbolethSP and click Add to add the connector.
  4. On the Basic Information page, choose Cloud.
  5. In the Name field, enter a name for the application and click Next Step.
  6. In the Connection Profile section, choose IDP-initiated.
  7. In the SAML Identity Provider (Issuer) section, do the following:
    1. Click Generate Cert Bundle to generate and download the zip file containing the private key and certificate. Unzip the downloaded file to extract the certificate and private key.
    2. Click Choose File and upload the RSA private key.
    3. Click Choose File and upload the RSA public certificate.
  8. Make a note of the Identity Provider Entity ID. This will be used in the Shibboleth configuration as the target value.
  9. In the Service Provider section, provide the details in the following format:
    1. In the Assertion Consumer Service (ACS) URL field, replace <Shibboleth-Hostname> with the hostname as configured in your Shibboleth IDP. The hostname can be found in the idp-metadata.xml file located in the <Shibboleth-Install-Location>\IdP\metadata\ folder (on the Windows Server where Shibboleth IDP is installed). The ACS URL will be of the form https://<Shibboleth-Hostname>/idp/profile/Authn/SAML2/POST/SSO.
    2. In the Audience (Service Provider Entity ID) field, replace <Shibboleth-Scope> with the scope as configured in Shibboleth IDP. The scope can be found in the idp.properties file located in the <Shibboleth-Install-Location>\IdP\conf\ folder (on the Windows Server where Shibboleth IDP is installed). The Entity ID will be of the form https://<Shibboleth-Scope>/idp.
  10. In the SAML Response Protection section, do one of the following:
    1. To sign the SAML assertion only, select IdP signs assertion within response.
    2. To sign the whole SAML response, select IdP signs the entire SAML response.
  11. Click Generate Cert Bundle or use your own certificates.
  12. Click Show Advanced Configuration.
  13. In the User Identity section, select the Property type and Property value.
  14. Click Next Step.
  15. Choose your desired Access Policy for this application.
  16. On the Portal Display page, select Display in Portal.
  17. Click Publish Changes.
  18. Click Next Step.
  19. Click Save and Finish.
  20. Click Publish Changes. Your application is now enabled for SSO.

Configure Shibboleth

Perform these steps to configure Shibboleth.
Procedure

  1. Sign in to the server where Shibboleth IDP is installed.
  2. Copy the metadata file from the previous section and place it in the <Shibboleth-Install-Location>\IdP\metadata\ folder.
  3. Edit the <Shibboleth-Install-Location>\IdP\conf\metadata-providers.xml file to add another Metadata Provider entry, pointing to the location of the copied metadata file, as follows -
    <MetadataProvider id="<generic name>" xsi:type="FilesystemMetadataProvider" metadataFile="<Shibboleth-Install-Location>\IdP\metadata\Shibboleth_IDP-idp-metadata.xml" />
  4. Edit the <Shibboleth-Install-Location>\IdP\conf\authn\saml-authn-config.xml file to add a new bean as follows -
    <bean id="shibboleth.authn.SAML.discoveryFunction" parent="shibboleth.Functions.Constant" c:target="shib-idp-test" />
    The value for 'target' is the same as the Identity Provider Entity ID value obtained from Step 8 of the previous section.
  5. Edit the <Shibboleth-Install-Location>\IdP\conf\c14n\subject-c14n.xml file and do the following:
    1. Uncomment the following reference bean - <ref bean="c14n/SAML2ProxyTransform" />.
    2. Add a new "value" inside the "list" element in the bean with id="shibboleth.ProxyNameTransformPredicate". The "value" should be the Issuer Entity ID of the RSA Cloud Authentication Service configuration. The code looks as follows -
      <value>shib-idp-test</value>
  6. Edit the <Shibboleth-Install-Location>\IdP\conf\saml-nameid.xml file to add another bean under the SAML 2 NameID Generation block as follows -
    <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
    p:omitQualifiers="true"
    p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    p:attributeSourceIds="#{ {'sAMAccountName'} }" />
  7. Edit the <Shibboleth-Install-Location>\IdP\conf\idp.properties file to add the SAML and/or MFA flows in idp.authn.flows parameter. Any new flow can be added to the end of the string using the pipe (|) character.
    idp.authn.flows=Password|SAML|MFA
  8. Edit the <Shibboleth-Install-Location>\IdP\conf\relying-party.xml file to add the authentication flow to the required service providers (that need to be protected using RSA) by adding or modifying the "p:authenticationFlows" parameter for the respective beans as follows -
    <bean parent="SAML2.SSO" p:encryptAssertions="false" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:authenticationFlows="SAML"/>
    Note: The supported flows for RSA are SAML and MFA. Repeat the preceding step for each application that needs to be protected using RSA.
  9. (Optional Step) - This step is only required if MFA authentication flow is used for any service providers protected by RSA according to Step 8. Edit and add the following code snippet to the <Shibboleth-Install-Location>\IdP\conf\authn\mfa-authn-config.xml file to add the SAML flow as required to an existing MFA transition map -
    <util:map id="shibboleth.authn.MFA.TransitionMap">
    <!-- Run authn/Flow1 first. -->
    <entry key="">
    <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/Password" />
    </entry>
    <!-- If that returns "proceed", run authn/Flow2 next. -->
    <entry key="authn/Password">
    <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/SAML" />
    </entry>
    </util:map>
  10. Save all the configuration files and restart the Shibboleth IDP service. Wait for about 30 seconds after the service starts before proceeding.
Note: <Shibboleth-Install-Location> refers to the directory where Shibboleth IDP is installed. On Windows, by default, it is "C:\Program Files (x86)\Shibboleth". In any step that mentions <Shibboleth-Install-Location>, replace it with the actual path to the directory where Shibboleth IDP is installed on your system.
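As an added consistency check (not part of the RSA guide or of the Shibboleth distribution), the following Python script parses constructed stand-ins for the files edited in Steps 3 to 8 and verifies that the Identity Provider Entity ID from Step 8 of the previous section appears identically as the c:target in saml-authn-config.xml and in the ProxyNameTransformPredicate list, and that every flow referenced from relying-party.xml is enabled in idp.authn.flows. The sample XML, the properties line and the value shib-idp-test are constructed to mirror the steps; on a real IdP, read the actual files from <Shibboleth-Install-Location> and pass their contents to check_config.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used by SAML metadata and by Spring's c:/p: shorthand attributes.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
C_NS = "http://www.springframework.org/schema/c"
P_NS = "http://www.springframework.org/schema/p"

# Constructed stand-ins for the files edited in Steps 3 to 8 (not real exports).
RSA_METADATA = f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="shib-idp-test"/>'
SAML_AUTHN_CONFIG = f'''<beans xmlns:c="{C_NS}"><bean id="shibboleth.authn.SAML.discoveryFunction"
  parent="shibboleth.Functions.Constant" c:target="shib-idp-test"/></beans>'''
SUBJECT_C14N = '''<beans><bean id="shibboleth.ProxyNameTransformPredicate"><constructor-arg>
  <list><value>shib-idp-test</value></list></constructor-arg></bean></beans>'''
IDP_PROPERTIES = "idp.authn.flows=Password|SAML|MFA\n"
RELYING_PARTY = f'''<beans xmlns:p="{P_NS}"><bean parent="SAML2.SSO" p:authenticationFlows="SAML"/>
  <bean parent="SAML2.SSO" p:authenticationFlows="MFA"/></beans>'''

def rsa_entity_id(metadata_xml):  # Issuer entity ID from the RSA metadata (the Step 8 value)
    return ET.fromstring(metadata_xml).get("entityID")

def discovery_target(authn_xml):  # c:target of the discoveryFunction bean (Step 4)
    bean = ET.fromstring(authn_xml).find('.//{*}bean[@id="shibboleth.authn.SAML.discoveryFunction"]')
    return None if bean is None else bean.get(f"{{{C_NS}}}target")

def proxy_candidates(c14n_xml):  # entity IDs listed in the ProxyNameTransformPredicate bean (Step 5)
    bean = ET.fromstring(c14n_xml).find('.//{*}bean[@id="shibboleth.ProxyNameTransformPredicate"]')
    return [] if bean is None else [v.text.strip() for v in bean.findall(".//{*}value")]

def enabled_flows(properties_text):  # flows listed in idp.authn.flows (Step 7), pipe-separated
    m = re.search(r"^\s*idp\.authn\.flows\s*=\s*(.+?)\s*$", properties_text, re.M)
    return {f.strip() for f in m.group(1).split("|")} if m else set()

def required_flows(rp_xml):  # flows the SAML2.SSO beans in relying-party.xml require (Step 8)
    flows = set()
    for bean in ET.fromstring(rp_xml).findall('.//{*}bean[@parent="SAML2.SSO"]'):
        flows.update(f.strip() for f in bean.get(f"{{{P_NS}}}authenticationFlows", "").split(",") if f.strip())
    return flows

def check_config(metadata_xml, authn_xml, c14n_xml, properties_text, rp_xml):
    """Return mismatches; an empty list means the entity-ID copies and the flow lists agree."""
    problems, rsa_id, target = [], rsa_entity_id(metadata_xml), discovery_target(authn_xml)
    if target != rsa_id:
        problems.append(f"c:target {target!r} does not match RSA entityID {rsa_id!r}")
    if rsa_id not in proxy_candidates(c14n_xml):
        problems.append(f"{rsa_id!r} is not in the ProxyNameTransformPredicate list")
    missing = required_flows(rp_xml) - enabled_flows(properties_text)
    if missing:
        problems.append(f"flows used in relying-party.xml but not enabled: {sorted(missing)}")
    return problems
```

A mismatch in any of the three entity-ID copies shows up as a proxy-authentication failure in the IdP log rather than a startup error, which is why the check compares them before the restart in Step 10.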
The configuration is complete.
Return to Shibboleth IDP - RSA Ready Implementation Guide.