This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
  • RSA.com
  • Products
    • Archer®
      • Archer®
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Archer® Exchange
      • Training
      • Upcoming Events
      • Videos
    • RSA® Fraud & Risk Intelligence Suite
      • RSA® Fraud & Risk Intelligence Suite
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Web Threat Detection
      • Upcoming Events
      • Videos
    • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Cloud
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Upcoming Patch Content
      • Videos
    • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication Mobile SDK
      • Advisories
      • Events
      • Ideas
      • Knowledge Base
      • Request Access
      • Training
    • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® Adaptive Authentication for eCommerce
      • RSA® Adaptive Authentication for eCommerce
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® FraudAction Services
      • RSA® FraudAction Services
      • Advisories
      • Discussions
      • Documentation
      • Ideas
      • Videos
    • RSA® Web Threat Detection
      • RSA® Web Threat Detection
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Videos
    • RSA NetWitness® Platform
      • RSA NetWitness® Platform
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Integrations
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • RSA NetWitness® Detect AI
      • RSA NetWitness® Detect AI
      • Documentation
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA NetWitness® Investigator
      • RSA NetWitness® Investigator
      • Documentation
      • Download the Client
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA NetWitness® Orchestrator
      • RSA NetWitness® Orchestrator
      • Overview
      • Documentation
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA SecurID® Suite
      • RSA SecurID® Suite
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Knowledge Base
      • Ideas
      • Integrations
      • Training
      • Videos
    • RSA® Identity Governance & Lifecycle
      • RSA® Identity Governance & Lifecycle
      • Advisories
      • Blog
      • Community Exchange
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • RSA SecurID® Access
      • RSA SecurID® Access
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Integrations
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • Other RSA® Products
      • Other RSA® Products
      • RSA® Access Manager
      • RSA® Data Loss Prevention
      • RSA® Digital Certificate Solutions
      • RSA enVision®
      • RSA® Federated Identity Manager
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
  • Resources
    • Advisories
      • Product Advisories on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Hosted
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Product Advisories
    • Blogs
      • Blogs on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Blogs on RSA Link
    • Discussion Forums
      • Discussion Forums
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Discussion Forums on RSA Link
    • Documentation
      • Product Documentation
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Documentation on RSA Link
    • Downloads
      • Product Downloads
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Downloads on RSA Link
    • Ideas
      • Idea Exchange
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Documentation on RSA Link
    • Knowledge Base
      • Knowledge Base
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Knowledge Base Pages on RSA Link
    • Upcoming Events on RSA Link
      • Upcoming Events
    • Videos
      • Videos on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Videos on RSA Link
  • Support
    • RSA Link Support
      • RSA Link Support
      • News & Announcements
      • Getting Started
      • Support Forum
      • Support Knowledge Base
      • Ideas & Suggestions
    • RSA Product Support
      • RSA Product Support
      • General Security Advisories and Statements
      • Product Life Cycle
      • Support Information
      •  
      •  
      •  
      •  
      •  
  • RSA Ready
  • RSA University
    • Certification Program
      • Certification Program
    • Course Catalogs
      • Course Catalogs
      • Archer®
      • RSA NetWitness® Platform
      • RSA SecurID® Suite
    • On-Demand Subscriptions
      • On-Demand Subscriptions
      • Archer®
      • RSA NetWitness® Platform
      • RSA SecurID® Suite
    • Product Training
      • Product Training
      • Archer®
      • RSA® Fraud & Risk Intelligence Suite
      • RSA® Identity Governance & Lifecycle
      • RSA NeWitness® Platform
      • RSA SecurID® Access
    • Student Resources
      • Student Resources
      • Access On-Demand Learning
      • Access Virtual Labs
      • Contact RSA University
      • Enrollments & Transcripts
      • Frequently Asked Questions
      • Getting Started
      • Learning Modalities
      • Payments & Cancellations
      • Private Training
      • Training Center Locations
      • Training Credits
      • YouTube Channel
    • Upcoming Events
      • Upcoming Events
      • Full Calendar
      • Conferences
      • Live Classroom Training
      • Live Virtual Classroom Training
      • Webinars
Sign In Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

Visit the Known Issues dashboard if you are experiencing issues on RSA Link

View Dashboard

RSA SecurID® Access Cloud Authentication Service Documentation

Browse the official RSA SecurID Access Cloud Authentication Service documentation for helpful tutorials, step-by-step instructions, and other valuable resources.
  • RSA Link
  • :
  • Products
  • :
  • RSA SecurID Suite
  • :
  • RSA SecurID Access
  • :
  • Cloud Authentication Service
  • :
  • Documentation
  • :
  • SAML Applications
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
  • Options
    • Subscribe to RSS Feed
    • Bookmark
    • Subscribe
    • Email to a Friend
    • Printer Friendly Page
    • Report Inappropriate Content
Versions
Collections
All Downloads

Table of Contents

  •   Introduction
    •   Overview
    •   Educating Your Users
    •   Release Notes
    •   Videos
  •   Planning and Deployment
    •   Deployment Overview
    •   Quick Setup for RADIUS Client Deployment
    •   Quick Setup for SAML App Deployment
    •   Quick Setup for SSO Deployment
    •   Quick Setup for POC Deployment
  •   Administration
    •   View All Administration Documentation
    •   Protect Resources
    •   RSA Authentication Manager Integration
    •   Manage Identity Routers
    •   Manage Access Policies
  •   Developer Information
    •   RSA SecurID Authentication API
    •   Custom Web Application Portals
    •   Cloud Administration APIs

Product Resources

  •   Advisories
    •   Product Advisories
    •   Security Advisories
    •   Service Notifications
    •   Technical Advisories
  •   Blog
  •   Discussions
  •   Documentation
    •   Authentication Agents
      •   API / SDK
      •   Apache Web Server
      •   Citrix StoreFront
      •   IIS Web Server
      •   Microsoft AD FS
      •   Microsoft Windows
      •   PAM
    •   Authentication Engine
    •   Authentication Manager
    •   Cloud Authentication Service
    •   Hardware Appliance Component Updates
    •   Hardware Tokens
    •   MFA Agents
      •   macOS
      •   Microsoft Windows
    •   Software Tokens
      •   Android
      •   Blackberry
      •   Blackberry 10
      •   iOS
      •   macOS
      •   Token Converter
      •   Windows
      •   Windows Phone
  •   Downloads
    •   Authentication Agents
      •   API / SDK
      •   Apache Web Server
      •   Citrix StoreFront
      •   IIS Web Server
      •   Microsoft AD FS
      •   Microsoft Windows
      •   PAM
    •   Authentication Engine
    •   Authentication Manager
    •   Cloud Authentication Service
    •   MFA Agents
      •   macOS
      •   Microsoft Windows
    •   Software Tokens
      •   Android
      •   Blackberry
      •   Blackberry 10
      •   iOS
      •   macOS
      •   Token Converter
      •   Windows
      •   Windows Phone
  •   Events
  •   Ideas
  •   Integrations
  •   Knowledge Base
  •   RSA SecurID Access Prime
  •   Training
  •   Videos
SAML Applications

SAML Applications

RSA SecurID Access supports Security Assertion Markup Language (SAML), an XML-based standard protocol that provides web browser single sign-on (SSO) between a service provider (SP) and an identity provider (IdP).

SAML Connections

In the Cloud Administration Console, you can configure connections between SAML-enabled web or SaaS applications (SPs) and the identity router (the IdP). These connections provide users with SSO access to those applications through the application portal or, if configured, Integrated Windows Authentication (IWA).

RSA provides out-of-the-box SAML applications, such as Salesforce and Dropbox, in the Application Catalog. For instructions on configuring the SSO workflow for your specific application, sign into RSA Link (https://community.rsa.com/community/products/securid) and search for the application you want to configure. For instructions on configuring your own connections to SAML applications, see Add a SAML Application.

SAML Metadata

SAML metadata is one of the standard means by which SAML-enabled IdPs and SPs exchange configuration information and establish two-way trust. When configuring a connection between the identity router and a SAML-enabled application, you can import SAML metadata from the SP to prepopulate SP-related fields in the configuration wizard. After saving an application configuration, you can export the SAML IdP metadata from My Applications, and send it to the SP administrator.

Authentication Workflow

When a user tries to access an SP through a direct link or through the application portal, the identity router authenticates the user, if necessary, and sends a SAML response to the application. The response includes a SAML assertion, which contains XML-encoded identity information about the authenticated user. If the application trusts the SAML assertion, the user is permitted to access the application with no additional identity verification.

The authentication workflow between a SAML-enabled SP and the IdP is called the SSO profile and can be initiated by either the IdP or the SP. The workflow you configure for a SAML connection is determined by the SSO profile that the application supports.

IdP-Initiated SSO Profile

The workflow for an IdP-initiated SSO profile in RSA SecurID Access is illustrated in the following diagram:

ngx_g_SAML IdP-initiated sequence diagram.png
The IdP-initiated workflow is described in the following steps: ​
  1. ​A user opens a browser and signs into the application portal, either with an LDAP directory password or through IWA, and tries to access the protected, SAML-enabled application.
  2. ​The identity router generates a response that contains the SAML assertion.
  3. ​The identity router redirects the user’s browser to the application’s Assertion Consumer Service (ACS) URL along with the SAML response.
  4. ​The ACS validates the assertion in the SAML response.
  5. ​The user can access the application without providing additional credentials.

SP-Initiated SSO Profile

The workflow for an SP-initiated SSO profile in RSA SecurID Access is illustrated in the following diagram: ​ngx_g_SAML SP-initiated sequence diagram.png

The SP-initiated workflow is described in the following steps: ​
  1. ​A user who may or may not be signed into the application portal opens a browser.
  2. ​The user tries to access the protected, SAML-enabled application.
  3. ​The application generates a SAML request and sends it, through the browser, to the identity router.
  4. ​The identity router receives the SAML request and, if necessary, authenticates the user using an LDAP directory password or IWA. The user is now signed into the identity router.
  5. ​The identity router generates a response that contains the SAML assertion.
  6. ​The identity router redirects the user’s browser to the application’s ACS URL along with the SAML response.
  7. ​The ACS validates the assertion in the SAML response.
  8. ​The user can access the application without providing additional credentials.

 

 

 

Previous Topic:Choosing a Connection Method to Add an SSO Agent Application
Next Topic:Application Availability and Visibility
You are here
Table of Contents > Web Applications > SAML Applications
Labels (1)
Labels:
  • Configuration

Tags (20)
  • CAS
  • Cloud
  • Cloud Auth Service
  • Cloud Authentication
  • Cloud Authentication Service
  • Config
  • Configuration
  • Docs
  • Documentation
  • idp-initiated
  • Product Docs
  • Product Documentation
  • RSA SecurID
  • RSA SecurID Access
  • saml application
  • saml assertion
  • saml request
  • saml response
  • SecurID
  • sp-initiated
1 Like
Was this article helpful? Yes No
Share
No ratings

On this page

Powered by Khoros
  • Products
  • Resources
  • Solutions
  • RSA University
  • Support
  • RSA Labs
  • RSA Ready
  • About RSA Link
  • Terms & Conditions
  • Privacy Statement
  • Provide Feedback
© 2020 RSA Security LLC or its affiliates.
All rights reserved.