Deploying Integrated Windows Authentication

Perform these steps to deploy Integrated Windows Authentication (IWA) in your RSA SecurID Access deployment. To learn about the process flow and user experience, see Integrated Windows Authentication.

  1. Download the Integrated Windows Authentication Connector Installer

  2. Install the Integrated Windows Authentication Connector

  3. Add Integrated Windows Authentication as an Identity Provider

  4. Test Integrated Windows Authentication

  5. Enable Automatic Integrated Windows Authentication

You must be a Super Admin in the Cloud Administration Console to perform these tasks.

Download the Integrated Windows Authentication Connector Installer

Download and run the RSA SecurID Access IWA Connector installer on a Windows server in your RSA SecurID Access environment.

Procedure

  1. In the Cloud Administration Console, click Users > Identity Providers.
  2. Click Add an Identity Provider.
  3. In the identity providers list, next to Integrated Windows Authentication, click Download IWA Installer.
  4. Click Download, and choose a location to save the installer package.

Install the Integrated Windows Authentication Connector

Install and configure the RSA SecurID Access IWA Connector on a Windows server connected to your RSA SecurID Access deployment.

Before you begin

  • You must have system administrator rights on the server where you want to install IWA.
  • The following must be installed and configured on the server where you want to install IWA:
    • Windows Server 2016, 2012 R2, or 2008 R2
    • .NET Framework 4.5
    • ASP.NET 4.5
    • Internet Information Services (IIS) 7 with the following capabilities:

      IIS Features:

      • .NET Framework 4.5
      • ASP.NET 4.5
      • HTTPS Binding Enabled in IIS with a valid SSL certificate

      IIS Role Components:

      • Application Development > ASP
      • Application Development > ASP.NET 4.5
      • Security > Windows Authentication
      • Management Tools > IIS6 Management Compatibility
  • You must have access to a personal information exchange (.pfx) file generated from matching private key (.key) and certificate (.pem) files. You can issue the certificate and private key using your own company infrastructure, or from the Cloud Administration Console. For instructions, see Generate and Download a Certificate Bundle for Service Providers and Identity Providers for the SSO Agent. You can then use a third-party SSL toolkit to generate the .pfx file. The certificate file must have a password.

Procedure

  1. On the server where you are installing the RSA SecurID Access IWA Connector, navigate to the RSASecurIDAccessIWASetup.msi file and double-click it to launch the installer wizard.
  2. When the installer wizard opens, click Next.
  3. From the Site drop-down list, select Default Web Site.
  4. In the Virtual Directory field, enter RSASecurIDAccessIWAConnector.
  5. From the Application Pool drop-down list, select DefaultAppPool.
  6. Click Next.
  7. Click Next to start the installation.
  8. In the Audience URL field, enter an Audience URL for the RSA SecurID Access IWA Connector.
    This value must match the Audience URL you specify for the IWA IdP in the Cloud Administration Console.
    Use the format https://<identity_router_URL>/SPServlet?sp_id=<uniqueID>
    where:
    • <identity_router_URL> is either the URL of the identity router, or the virtual hostname of the load balancer for a cluster of identity routers.
    • <uniqueID> is a unique identifier for the IWA IdP, for example, RSASecurIDAccessIWA.
  9. In the Issuer ID field, enter an Issuer ID for the RSA SecurID Access IWA Connector. The Issuer ID must be an alphanumeric string with no special characters.
    This value must match the Issuer ID you specify for the IWA IdP in the Cloud Administration Console.
  10. In the Audience ID field, enter an Audience ID for the RSA SecurID Access IWA Connector. The Audience ID must be an alphanumeric string with no special characters.
    This value must match the Audience ID you specify for the IWA IdP in the Cloud Administration Console.
  11. From the User Identifier (Name ID) drop-down list, select the Active Directory attribute that the IWA provider will send to the identity router during authentication. This attribute identifies the user to the identity router. Select the value that corresponds to the User Tag specified for the identity source in the Cloud Administration Console. Use the following table to identify the correct value.
    Active Directory Value IWA Connector Installer Value
    sAMAccountName Username
    cn CommonName
    mail Email
    userPrincipalName userPrincipalName
    objectGUID objectGUID
    distinguishedName distinguishedName
    objectSid objectSid
  12. In the Issuer Signing Certificate section, click Upload Certificate. Browse to the .pfx certificate and select it. Enter the password for the certificate file.
  13. Click Submit to save your changes.
  14. Click Close.

After you finish, you can delete the .pfx certificate file from the machine where the Connector is installed.

Add Integrated Windows Authentication as an Identity Provider

Add IWA as an identity provider (IdP) for RSA SecurID Access using the Cloud Administration Console.

Before you begin

  • At least one identity router must be deployed and configured.
  • At least one identity source must be connected to the identity router.
  • You must have access to the certificate (.pem) file that matches the personal information exchange (.pfx) file you specified when installing the RSA SecurID Access IWA Connector.
  • Work with your network administrator to determine the range of IP addresses that will authenticate using IWA.

Procedure

  1. In the Cloud Administration Console, click Users > Identity Providers.
  2. Click Add an Identity Provider.
  3. Click Add to add the Integrated Windows Authentication provider type.
  4. In the Name field, enter a new name for the IdP, or leave the default name.
    This name appears as a tooltip when users hover their mouse over the icon for this IdP on the application portal sign-in page. Choose a user-friendly name, and inform users that they can click the icon to authenticate using this IdP.
  5. (Optional) In the Description field, enter a description for the IdP.
  6. Click Next Step.
  7. In the Audience ID field, leave the default value or enter a different Audience ID for the IdP. The Audience ID must be an alphanumeric string with no special characters.
    This value must match the Audience ID you specified when installing the RSA SecurID Access IWA Connector.
  8. In the Audience URL field, enter an Audience URL for the IdP.
    This value must match the Audience URL you specified when installing the RSA SecurID Access IWA Connector.
    Use the format https://<identity_router_URL>/SPServlet?sp_id=<uniqueID>
    where:
    • <identity_router_URL> is either the URL of the identity router, or the virtual hostname of the load balancer for a cluster of identity routers.
    • <uniqueID> is a unique identifier for the IWA IdP, for example, RSASecurIDAccessIWA.
  9. In the Issuer ID field, enter an Issuer ID for the IdP. The Issuer ID must be an alphanumeric string with no special characters.
    This value must match the Issuer ID you specified when installing the RSA SecurID Access IWA Connector.
  10. In the Issuer URL field, replace <IWA_SERVERNAME> with either the network hostname of the RSA SecurID Access IWA Connector server or the hostname of the load balancer for a cluster of RSA SecurID Access IWA Connector servers.

    For example, if the default value is https://<IWA_SERVERNAME>/RSASecurIDIWAConnector/, change the new value to https://sampleiwa.example.com/RSASecurIDIWAConnector/.

  11. Leave the Passive Sign-in checkbox unchecked.
  12. Select the Transform NameID to Lowercase checkbox.
  13. In the Certificate section, click Select File, then browse to and select the .pem certificate.
  14. Click Next Step.
  15. In the Policy Combination field, leave the default value Deny Overrides.
  16. Specify the IP address ranges that will authenticate using this IWA IdP.
    1. From the Attribute drop-down list, select IpAddress.
    2. From the Operation drop-down list, select In Range.
    3. In the Value field, enter an IP address range.
    4. From the Effect drop-down list, select Allow Access.
    5. (Optional) Click ADD, and repeat steps a through d to specify additional IP ranges.
  17. Click Next Step.
  18. In the IdP Icon section, leave the default icon, or click Change Icon to upload a new icon to represent the IWA IdP on the application portal sign-on page.
  19. Click Save and Finish.
  20. Click Publish Changes to apply the configured settings.

Test Integrated Windows Authentication

RSA recommends that you test authentication to verify that it works properly.

Before you begin

  • The RSA SecurID Access IWA Connector must be installed and configured on a Windows server in your RSA SecurID Access environment.
  • Integrated Windows Authentication must be configured as an identity provider for RSA SecurID Access.

Procedure

  1. Sign into a Windows account on a computer within your corporate network domain.
    The IP address of the computer you use to test IWA must fall within the IP range specified for the IWA identity provider.
  2. Open the application portal in a web browser.
  3. In the Or sign in with... section of the portal sign-in screen, click the IWA icon.

After you finish

The SSO Agent authenticates you to the application portal using IWA.

If authentication succeeds, you can Enable Automatic Integrated Windows Authentication to authenticate eligible users automatically, allowing them to bypass the portal sign-in screen.

If authentication fails:

  • Verify that the RSA SecurID Access IWA Connector server is properly configured.
  • Verify that the IWA identity provider is properly configured.
  • Verify that the configuration changes are published to the identity router.
  • Verify network connectivity.
  • Test IWA again with new settings.

Enable Automatic Integrated Windows Authentication

You can configure automatic IWA as the default authentication source for the RSA SecurID AccessSSO Agent.

Before you begin

  • Integrated Windows Authentication must be configured as an identity provider for RSA SecurID Access.
  • The RSA SecurID Access IWA Connector must be installed and configured on a server in your RSA SecurID Access environment.

Procedure

  1. Sign into the Cloud Administration Console.
  2. Click Access > Authentication Sources.
  3. Click Add.
  4. Select the IWA identity provider. For example, RSA SecurID Access IWA Connector.
  5. Click Save.
  6. Click and drag the IWA identity provider so that it appears as the first item in the list of authentication sources.
    The SSO Agent attempts to authenticate users against each authentication source in the order in which they are listed.
  7. Click Save.
  8. Click Publish Changes to apply the configured settings.

After you finish

Instruct users to Configure User Browsers for Integrated Windows Authentication.