Choosing a Connection Method to Add an SSO Agent Application
In the Application Catalog, RSA provides connection templates for popular web applications such as Cisco WebEx, Salesforce, and Microsoft Outlook Web Access. These applications require minimal configuration to enable them for single sign-on (SSO) through the application portal. To provide users with SSO access to a protected web application that is not in the Application Catalog, you can configure an application connection using one of the following connector templates: SAML Direct, HTTP Federation Proxy, or Trusted Headers. You can also add a simple bookmark to My Applications. Bookmarks do not require SSO configuration.
Use the following guidelines to decide which method to use for adding an application in RSA SecurID Access.
SAML Direct
Use the SAML Direct template to connect RSA SecurID Access with web applications that are enabled for SAML SSO.
In a SAML Direct configuration, the identity router verifies a user's identity through a SAML assertion, and a service provider (such as a SaaS application) consumes that assertion as proof of identity. User access to the application flows through a trust relationship between the identity router and a SAML-enabled web application.
HTTP Federation (HFED) Proxy
Use the HFED Proxy template to connect RSA SecurID Access with web applications that do not support SAML and that use sign-in forms to validate user credentials.
In an HFED Proxy configuration, the identity router performs authentication into the protected application server on the user's behalf, using credentials stored on the identity router in a user profile (called a keychain), before directing the user to the requested application page. Users cannot access the web application without authenticating first through the identity router. With HFED Proxy, the identity router serves as a password vault for storing multiple sets of credentials for multiple applications, while requiring users to remember only a single password (the credentials used to sign into the application portal) to access many protected applications.
Note: If you configure RSA SecurID Access to use SSL when connecting to a protected application using the HFED Proxy method, the web server hosting the application must have a valid SSL certificate signed by a certificate authority (CA) that the identity routers trust. For more information, see Cloud Authentication Service Certificates.
Trusted Headers
Use the Trusted Header template to connect RSA SecurID Access with applications that were developed internally. These applications validate identity through user information encoded in trusted HTTP headers.
In a trusted headers configuration, the identity router acts as a reverse proxy to protect an application from unauthorized or unauthenticated access. The application must be configured to check for headers that it receives from the identity router. Users cannot access the web application without authenticating first through the identity router.
Note: If you configure RSA SecurID Access to use SSL when connecting to a protected application using the trusted headers method, the web server hosting the application must have a valid SSL certificate signed by a certificate authority (CA) that the identity routers trust. For more information, see Cloud Authentication Service Certificates.
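The following added example (not RSA code or part of the original documentation) shows one way an internally developed application can check the headers it receives in a trusted headers configuration: it accepts the identity header only when the connection comes from the identity router and rejects everything else. The header name X-Remote-User, the identity router address 192.0.2.10, and all function and class names are assumptions made for illustration.

```python
import ipaddress

# Assumptions for this sketch (not taken from the RSA documentation):
IDENTITY_ROUTER_NETS = [ipaddress.ip_network("192.0.2.10/32")]  # constructed address
USER_HEADER = "HTTP_X_REMOTE_USER"  # WSGI key for the hypothetical X-Remote-User header


def from_identity_router(environ):
    """Return True only if the TCP peer is a configured identity router."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False  # missing or malformed peer address
    return any(peer in net for net in IDENTITY_ROUTER_NETS)


class TrustedHeaderGate:
    """WSGI middleware that trusts the identity header only from the identity router."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not from_identity_router(environ):
            # Direct connection: any client could have set the header itself.
            return self._deny(start_response, "403 Forbidden")
        user = environ.get(USER_HEADER, "").strip()
        if not user:
            return self._deny(start_response, "401 Unauthorized")
        environ["REMOTE_USER"] = user  # identity asserted by the identity router
        return self.app(environ, start_response)

    @staticmethod
    def _deny(start_response, status):
        start_response(status, [("Content-Type", "text/plain")])
        return [status.encode()]


def demo_app(environ, start_response):
    """Stand-in for the protected application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["REMOTE_USER"]).encode()]


def call(environ):
    """Run the gated demo app on a constructed WSGI environ; return (status, body)."""
    seen = {}
    body = TrustedHeaderGate(demo_app)(environ, lambda s, h: seen.update(status=s))
    return seen["status"], b"".join(body)
```

A source-address check like this is only meaningful when the application server is reachable solely through the identity router; a firewall rule that blocks direct access to the application serves the same purpose at the network layer.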