Firehydrant - SAML SSO Agent Configuration - RSA Ready SecurID Access Implementation Guide
Originally Published: 2021-12-14

This section describes how to integrate RSA SecurID Access with Firehydrant using a SAML SSO Agent.


Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to Firehydrant. During configuration of the IdP you will need some information from the SP. This information includes (but is not limited to) the Assertion Consumer Service URL and the Service Provider Entity ID.

Procedure

    1. Sign in to the RSA Cloud Administration Console and browse to Applications > Application Catalog, click Create From Template and select SAML Direct.

    2. Enter a name for the application in the Name field on the Basic Information page and click the Next Step button.

    3. Navigate to the Initiate SAML Workflow section.

        1. In the Connection URL field, enter the URL: https://app.firehydrant.io/sso/saml/consume.

        2. Choose SP-Initiated.

    4. Scroll down to the SAML Identity Provider (Issuer) section. Click Generate Cert Bundle, enter the Common Name and Generate and Download the certificate. This certificate will be required in Step 5 of Configure SAML in Firehydrant.

        1. Identity Provider URL - <Automatically generated>

        2. Issuer Entity ID - <Automatically generated>

        3. Select Choose File and upload the private key.

        4. Select Choose File to import the public signing certificate.

    5. Scroll down to the Service Provider section.

        1. Assertion Consumer Service (ACS) - Enter the URL: https://app.firehydrant.io/sso/saml/consume.

        2. Audience (Service Provider Entity ID) - firehydrant.

    6. Scroll to the User Identity section and select the following values.

        • Identifier Type – Email Address
        • Identity Source – name of your user identity source
        • Property – mail

    7. Click Show Advanced Configuration. In the Attribute Extension section, click the +Add button and add the following two attributes:

        a. Attribute Source : Identity Source, Attribute Name : firstName, Identity Source : your identity source, Property : givenName.

        b. Attribute Source : Identity Source, Attribute Name : lastName, Identity Source : your identity source, Property : sn.

    8. Click Next Step.

    9. On the User Access page, select the Allow All Authenticated Users radio button.

    10. Click Next Step.

    11. On the Portal Display page, select Display in Portal.

    12. Click Save and Finish.

    13. Click Publish Changes.

 

Configure SAML in Firehydrant

Perform these steps to configure Firehydrant as an SSO Agent SAML SP to RSA Cloud Authentication Service.

Procedure

  1. Log on to your Firehydrant account using administrative credentials.

  2. Navigate to Organization > Single sign on.

  3. On the Single Sign On page, click the checkbox Enable SSO. Additional fields will appear.

  4. Enter the following URL values:

    1. In the Idp Login URL, enter the Identity Provider URL from Step 4 of Configure RSA Cloud Authentication Service section.

    2. In the IdP Issuer, enter the Issuer Entity ID fetched from Step 4 of Configure RSA Cloud Authentication Service section.

  5. In the IdP X509 Certificate text area, enter the certificate text of the RSA certificate downloaded in Step 4 of Configure RSA Cloud Authentication Service section.

  6. In the Domains section, click Add domain and enter your email domain. This is the email domain with which the user will log in to Firehydrant via SAML.

  7. Click Save.

 

Configuration is complete.
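
To confirm the settings above after a test login, the following added example (not part of the RSA guide and not RSA or Firehydrant code) checks a decoded SAML Response against the values configured here: the ACS URL, the audience firehydrant, an email NameID in the domain added in Firehydrant, and the firstName and lastName attributes. The issuer, user and domain in the sample are constructed placeholders, and the check assumes an unencrypted assertion and does not validate the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://app.firehydrant.io/sso/saml/consume"  # ACS / Connection URL in this guide
AUDIENCE = "firehydrant"                                 # Service Provider Entity ID in this guide
REQUIRED_ATTRS = ("firstName", "lastName")               # Attribute Extension entries in this guide

def check_assertion(xml_text, issuer, email_domain):
    """List mismatches between a decoded SAML Response and the configured values.
    Configuration check only: it does not validate the XML signature."""
    assertion = ET.fromstring(xml_text).find("a:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion found"]
    def text(path):
        return assertion.findtext(path, default="", namespaces=NS).strip()
    problems = []
    if text("a:Issuer") != issuer:
        problems.append("Issuer does not match the IdP Issuer value")
    if text("a:Conditions/a:AudienceRestriction/a:Audience") != AUDIENCE:
        problems.append("Audience is not 'firehydrant'")
    scd = assertion.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient is not the ACS URL")
    if not text("a:Subject/a:NameID").lower().endswith("@" + email_domain.lower()):
        problems.append("NameID is not an address in the configured domain")
    values = {attr.get("Name"): attr.findtext("a:AttributeValue", default="", namespaces=NS)
              for attr in assertion.findall("a:AttributeStatement/a:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not values.get(name, "").strip():
            problems.append(f"attribute {name} missing or empty")
    return problems

# Constructed sample: issuer, user and domain are placeholders, not values from a real tenant.
SAMPLE_ISSUER = "https://idp.example.invalid/issuer-placeholder"
SAMPLE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}">
 <a:Assertion><a:Issuer>{SAMPLE_ISSUER}</a:Issuer>
  <a:Subject><a:NameID>alice@example.com</a:NameID>
   <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{ACS_URL}"/></a:SubjectConfirmation>
  </a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>{AUDIENCE}</a:Audience></a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement>
   <a:Attribute Name="firstName"><a:AttributeValue>Alice</a:AttributeValue></a:Attribute>
   <a:Attribute Name="lastName"><a:AttributeValue>Example</a:AttributeValue></a:Attribute>
  </a:AttributeStatement>
 </a:Assertion></p:Response>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE, SAMPLE_ISSUER, "example.com") or "all checks passed")
```

Pass the Issuer Entity ID from Step 4 as issuer and the domain from Step 6 of Configure SAML in Firehydrant as email_domain; an empty list means the assertion matches the configuration.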
