As part of the process to enable Integrated Windows Authentication (IWA), you must add IWA as an identity provider (IdP) for RSA SecurID Access using the Cloud Administration Console.

- You must be a Super Admin in the Cloud Administration Console.
- At least one identity router must be deployed and configured.
- At least one identity source must be connected to the identity router.
- Install the Integrated Windows Authentication Connector.
- You must have access to the certificate (.pem) file that matches the personal information exchange (.pfx) file you specified when installing the RSA SecurID Access IWA Connector.
- Work with your network administrator to determine the range of IP addresses that will authenticate using IWA.
1. In the Cloud Administration Console, click Users > Identity Providers.
2. Click Add an Identity Provider.
3. Click Add to add the Integrated Windows Authentication provider type.
4. In the Name field, enter a new name for the IdP, or leave the default name. This name appears as a tooltip when users hover their mouse over the icon for this IdP on the application portal sign-in page. Choose a user-friendly name, and inform users that they can click the icon to authenticate using this IdP.
5. (Optional) In the Description field, enter a description for the IdP.
6. Click Next Step.
7. In the Audience ID field, leave the default value or enter a different Audience ID for the IdP. The Audience ID must be an alphanumeric string with no special characters. This value must match the Audience ID you specified when installing the RSA SecurID Access IWA Connector.
8. In the Audience URL field, enter an Audience URL for the IdP. This value must match the Audience URL you specified when installing the RSA SecurID Access IWA Connector. Use the format https://<identity_router_URL>/SPServlet?sp_id=<uniqueID>, where:
   - <identity_router_URL> is either the URL of the identity router or the virtual hostname of the load balancer for a cluster of identity routers.
   - <uniqueID> is a unique identifier for the IWA IdP, for example, RSASecurIDAccessIWA.
9. In the Issuer ID field, enter an Issuer ID for the IdP. The Issuer ID must be an alphanumeric string with no special characters. This value must match the Issuer ID you specified when installing the RSA SecurID Access IWA Connector.
10. In the Issuer URL field, replace <IWA_SERVERNAME> with either the network hostname of the RSA SecurID Access IWA Connector server or the hostname of the load balancer for a cluster of RSA SecurID Access IWA Connector servers. For example, if the default value is https://<IWA_SERVERNAME>/RSASecurIDIWAConnector/, change it to https://sampleiwa.example.com/RSASecurIDIWAConnector/.
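The Audience ID, Audience URL, Issuer ID and Issuer URL entered in the console must satisfy the constraints above and match what was typed during the IWA Connector installation; a mismatch is a silent failure that only shows up when users cannot sign in. The following pre-flight check is an added example (not RSA's code) that a practitioner can run against the planned values before entering them. The connector values it compares against are constructed sample data, and the helper names (build_audience_url, build_issuer_url, validate) are this example's own.

```python
"""Pre-flight check for IWA identity provider settings (added example, not RSA code).

Confirms that the values planned for the Cloud Administration Console satisfy the
documented constraints (alphanumeric IDs, Audience URL shape, Issuer URL placeholder
replaced, https) and match the values recorded at IWA Connector install time.
The connector values below are constructed sample data, not real installation output.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

ALNUM = re.compile(r"[A-Za-z0-9]+")          # "alphanumeric string with no special characters"
SERVERNAME_PLACEHOLDER = "<IWA_SERVERNAME>"  # default left in the Issuer URL field


@dataclass(frozen=True)
class IwaIdpSettings:
    audience_id: str
    audience_url: str
    issuer_id: str
    issuer_url: str


def build_audience_url(identity_router_url: str, unique_id: str) -> str:
    """Compose https://<identity_router_URL>/SPServlet?sp_id=<uniqueID>."""
    host = identity_router_url.removeprefix("https://").strip("/")
    return f"https://{host}/SPServlet?sp_id={unique_id}"


def build_issuer_url(default_issuer_url: str, iwa_servername: str) -> str:
    """Replace the <IWA_SERVERNAME> placeholder with the connector or load-balancer hostname."""
    return default_issuer_url.replace(SERVERNAME_PLACEHOLDER, iwa_servername)


def validate(console: IwaIdpSettings, connector: IwaIdpSettings) -> list[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems: list[str] = []
    for label, value in (("Audience ID", console.audience_id), ("Issuer ID", console.issuer_id)):
        if not ALNUM.fullmatch(value):
            problems.append(f"{label} must be alphanumeric with no special characters: {value!r}")
    aud = urlparse(console.audience_url)
    if aud.scheme != "https" or aud.path != "/SPServlet" or "sp_id" not in parse_qs(aud.query):
        problems.append("Audience URL must look like https://<identity_router_URL>/SPServlet?sp_id=<uniqueID>")
    if SERVERNAME_PLACEHOLDER in console.issuer_url:
        problems.append("Issuer URL still contains the <IWA_SERVERNAME> placeholder")
    elif urlparse(console.issuer_url).scheme != "https":
        problems.append("Issuer URL must use https")
    # Every value must equal the one entered when the IWA Connector was installed.
    for field in ("audience_id", "audience_url", "issuer_id", "issuer_url"):
        if getattr(console, field) != getattr(connector, field):
            problems.append(f"{field} does not match the value entered when the IWA Connector was installed")
    return problems


# Constructed sample: what was entered during the (hypothetical) connector installation.
CONNECTOR = IwaIdpSettings(
    audience_id="RSASecurIDAccessIWA",
    audience_url="https://idr.example.com/SPServlet?sp_id=RSASecurIDAccessIWA",
    issuer_id="RSASecurIDIWAConnector",
    issuer_url="https://sampleiwa.example.com/RSASecurIDIWAConnector/",
)

if __name__ == "__main__":
    planned = IwaIdpSettings(
        audience_id="RSASecurIDAccessIWA",
        audience_url=build_audience_url("https://idr.example.com/", "RSASecurIDAccessIWA"),
        issuer_id="RSASecurIDIWAConnector",
        issuer_url=build_issuer_url("https://<IWA_SERVERNAME>/RSASecurIDIWAConnector/", "sampleiwa.example.com"),
    )
    for problem in validate(planned, CONNECTOR) or ["settings are consistent"]:
        print(problem)
```

Run it with the values you intend to type; fix every reported problem before clicking Save and Finish, since the console cannot see what the connector was installed with.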
11. Leave the Passive Sign-in checkbox unchecked.
12. Select the Transform NameID to Lowercase checkbox.
13. In the Certificate section, click Select File, then browse to and select the .pem certificate.
14. Click Next Step.
15. In the Policy Combination field, leave the default value Deny Overrides.
16. Specify the IP address ranges that will authenticate using this IWA IdP.
    a. From the Attribute drop-down list, select IpAddress.
    b. From the Operation drop-down list, select In Range.
    c. In the Value field, enter an IP address range.
    d. From the Effect drop-down list, select Allow Access.
    e. (Optional) Click ADD, and repeat steps a through d to specify additional IP ranges.
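The IP range rules above, combined under Deny Overrides, decide whether a given client is offered IWA at all. The following added example (not RSA's code) models that rule table so an administrator can test planned ranges against known client addresses before publishing. The Deny Overrides semantics are implemented as "any matching Deny rule wins; otherwise any matching Allow rule wins; otherwise the policy does not apply". The accepted range syntax (CIDR or first-last), the Deny Access effect name and the sample ranges are assumptions of this example, not values from the page.

```python
"""Deny Overrides evaluation of IpAddress / In Range rules (added example, not RSA code).

Each Rule mirrors one row of the console's rule table. Range syntax (CIDR or
"first-last"), the "Deny Access" effect name and the sample policy are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Rule:
    attribute: str  # only "IpAddress" is handled in this example
    operation: str  # only "In Range" is handled in this example
    value: str      # e.g. "10.10.0.0/16" or "192.168.5.10-192.168.5.50" (assumed syntax)
    effect: str     # "Allow Access" (from the page) or "Deny Access" (assumed name)


def parse_range(value: str):
    """Return (first, last) addresses for a CIDR block or a dash-separated range."""
    if "-" in value:
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
    else:
        net = ipaddress.ip_network(value.strip(), strict=False)
        first, last = net[0], net[-1]
    # Version check first: comparing IPv4 with IPv6 addresses raises TypeError.
    if first.version != last.version or first > last:
        raise ValueError(f"invalid range: {value!r}")
    return first, last


def rule_matches(rule: Rule, client_ip: str) -> bool:
    """True when the client address falls inside the rule's range."""
    if rule.attribute != "IpAddress" or rule.operation != "In Range":
        raise ValueError("this example only handles IpAddress / In Range rules")
    ip = ipaddress.ip_address(client_ip)
    first, last = parse_range(rule.value)
    return ip.version == first.version and first <= ip <= last


def evaluate(rules: Iterable[Rule], client_ip: str) -> str:
    """Deny Overrides combination: returns "Deny", "Allow" or "NotApplicable"."""
    effects = {r.effect for r in rules if rule_matches(r, client_ip)}
    if "Deny Access" in effects:
        return "Deny"          # a single matching Deny rule overrides any Allow
    if "Allow Access" in effects:
        return "Allow"
    return "NotApplicable"     # no rule matched: IWA is not offered to this client


# Constructed sample policy: two office ranges may use IWA; a guest subnet nested
# inside the first range is explicitly denied and must win under Deny Overrides.
SAMPLE_RULES = [
    Rule("IpAddress", "In Range", "10.10.0.0/16", "Allow Access"),
    Rule("IpAddress", "In Range", "192.168.5.10-192.168.5.50", "Allow Access"),
    Rule("IpAddress", "In Range", "10.10.200.0/24", "Deny Access"),
]

if __name__ == "__main__":
    for ip in ("10.10.3.7", "10.10.200.9", "192.168.5.30", "192.168.5.51", "2001:db8::1"):
        print(f"{ip:>16} -> {evaluate(SAMPLE_RULES, ip)}")
```

Feed it the address ranges your network administrator supplied together with a few representative workstation and VPN addresses; any client that evaluates to NotApplicable will not see the IWA icon on the sign-in page, which is the usual cause of "IWA works in the office but not remotely" reports.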
17. Click Next Step.
18. In the IdP Icon section, leave the default icon, or click Change Icon to upload a new icon to represent the IWA IdP on the application portal sign-on page.
19. Click Save and Finish.
20. Click Publish Changes to apply the configured settings.