QuestetraBPM-integration-configuration-relying-party
Originally Published: 2021-12-02

Questetra BPM - SAML Relying Party Configuration - SecurID Access Implementation Guide

This section describes how to integrate SecurID Access with Questetra BPM using a relying party configuration. A relying party uses SAML 2.0 to integrate SecurID Access as a SAML Identity Provider (IdP) with the Questetra BPM SAML Service Provider (SP).


Configure SecurID Access Cloud Authentication Service

Perform these steps to configure SecurID Access Cloud Authentication Service (CAS) as a relying party SAML IdP to Questetra BPM.

Procedure

  1. Sign in to the Cloud Administration Console, browse to Authentication Clients > Relying Parties, and click Add a Relying Party. Then select Add for a SAML service provider.


  2. On the Basic Information page, enter a Name for the application, for example Questetra BPM. Then click Next Step.

  3. On the Authentication page:

    1. Select RSA SecurID Access manages all authentication.

    2. Select the desired Primary Authentication Method from the dropdown list.

    3. Select the desired policy from the Access Policy for Additional Authentication.

    4. Click Next Step.


  4. On the Connection Profile page:

    1. Go to the Service Provider Metadata section.


    2. For the Assertion Consumer Service (ACS), enter the ACS URL from the Questetra BPM SP Information section in the SSO setup below. This URL is based on your instance of Questetra BPM. For example, https://mytestenv.questetra.net/saml/SSO/alias/bpm.

    3. For the Service Provider Entity ID, enter the Entity ID from the Questetra BPM SP Information section in the SSO setup below. This URL is based on your instance of Questetra BPM. For example, https://mytestenv.questetra.net/.

    4. Uncheck SP signs SAML Requests.

    5. Check IdP signs assertion within response.

    6. Click Download Certificate. The certificate will be used below in the Questetra BPM configuration.

    7. Open Advanced Configuration section.


    8. Note the value of the Identity Provider Entity ID field. For example: https://rsa-test-pe.auth-demo.securid.com/saml-fe/sso.

  5. Click on Save and Finish.

  6. Browse to Authentication Clients > Relying Parties.

  7. Scroll down to your newly created relying party, click the down arrow next to Edit, choose View or Download IdP Metadata, and save the metadata information if desired.


  8. Click Publish Changes. Your application is now enabled for SSO. If you make any additional changes to the application configuration, you will need to republish.


 

Configure Questetra BPM

Perform these steps to integrate Questetra BPM with SecurID Access as a Relying Party SAML SP.

Procedure

  1. Log in to Questetra BPM at https://<instance>.questetra.net/Login_show.

  2. Under Username choose System Settings.

  3. Select SSO (SAML).

  4. Check Enable Single Sign-On and make sure Disable Password Authentication is unchecked.


  5. Go to the SP Information section.

  6. Note the Entity ID and ACS URL. These are used above in the SecurID CAS configuration.


  7. Go to the IdP Configuration section.

  8. For Entity ID, provide the Identity Provider Entity ID from the SecurID CAS configuration above. For example, https://rsa-test-pe.auth-demo.securid.com/saml-fe/sso.

  9. For Sign-In page URL, provide the Identity Provider Entity ID from the SecurID CAS configuration above. For example, https://rsa-test-pe.auth-demo.securid.com/saml-fe/sso.

  10. Leave the NameID format blank.

  11. For Verification Certificate, copy and paste the certificate downloaded above in the SecurID CAS configuration. Exclude the begin/end comment lines of the certificate.


  12. Click Save.

     

     

Configuration is complete.
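A cross-check for steps 8, 9 and 11 of the Questetra BPM procedure, added here as an example (it is not RSA or Questetra code): it reads the IdP metadata saved from the Cloud Administration Console and the downloaded certificate, confirms that both carry the same signing certificate and Entity ID, and returns the certificate body without its BEGIN/END lines. The function names and the sample certificate bytes are constructed for illustration, and the metadata is assumed to have a single EntityDescriptor root.

```python
import base64, hashlib, textwrap
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_body(pem):
    """Base64 body of a PEM certificate, without the BEGIN/END lines."""
    lines = (ln.strip() for ln in pem.strip().splitlines())
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))

def fingerprint(b64):
    """SHA-256 over the DER bytes, so line wrapping does not affect the match."""
    return hashlib.sha256(base64.b64decode("".join(b64.split()), validate=True)).hexdigest()

def idp_values(metadata_xml):
    """Entity ID, sign-in URLs and signing-cert fingerprints from IdP metadata."""
    root = ET.fromstring(metadata_xml)  # assumption: EntityDescriptor is the root element
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = [c.text for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.iterfind(".//ds:X509Certificate", NS) if c.text]
    return {"entity_id": root.get("entityID"),
            "sso_urls": [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)],
            "fingerprints": {fingerprint(c) for c in certs}}

def check(metadata_xml, cert_pem, entity_id):
    """Compare what will be entered in Questetra BPM against the IdP metadata."""
    vals, body = idp_values(metadata_xml), pem_body(cert_pem)
    return {"entity_id_matches": vals["entity_id"] == entity_id,
            "certificate_matches": fingerprint(body) in vals["fingerprints"],
            "sso_urls": vals["sso_urls"], "paste_value": body}

# Constructed sample input: placeholder bytes, not a real certificate.
IDP = "https://rsa-test-pe.auth-demo.securid.com/saml-fe/sso"  # example value from the guide
SAMPLE_B64 = base64.b64encode(b"constructed placeholder, not a real certificate " * 4).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(SAMPLE_B64, 64))
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{IDP}">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{IDP}"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check(SAMPLE_METADATA, SAMPLE_PEM, IDP))
```

A `certificate_matches` value of False means the pasted Verification Certificate is not the one the IdP metadata advertises for signing, so signed assertions from the IdP would fail verification at Questetra BPM.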

Next Step: See main page for more certification information.