Quick Setup - Configuring IDP-Initiated SAML for Third-Party Application
7 months ago


Solution Summary

This article describes the configuration steps involved in integrating the third-party application with Cloud Access Service (CAS) using SAML 2.0.

Integration Types

My Page SSO provides Single Sign-On (SSO) to third-party application users through the RSA self-service portal, My Page. Both SP-initiated SSO and IdP-initiated SSO are supported.

Modern Cloud-hosted SSO with My Page replaces the existing SAML SSO support with IDR.

Note:    RSA will continue to maintain existing SAML SSO integrations using IDR My Applications. At a to-be-determined future date, RSA will announce the end-of-life (EOL) date for the SAML SSO support with IDR. For more information, see Available Now: My Page SSO Enhancements.

Relying Party integrations use SAML 2.0 to direct users’ web browsers to CAS for authentication. With Relying Party integration, CAS can manage either additional authentication only or both primary authentication (for example, user ID and password) and additional authentication, depending on the service provider's capability.

Supported Features

When integrated with CAS using SAML 2.0, the third-party application users can authenticate with any of the following multi-factor authentication methods.

Authentication Method    Relying Party   My Page SSO
Approve                  ✓               ✓
LDAP Password            ✓               ✓
SecurID OTP              ✓               ✓
Authenticate OTP         ✓               ✓
Device Biometrics        ✓               ✓
SMS OTP                  ✓               ✓
Voice OTP                ✓               ✓
FIDO Security Key        ✓               ✓
QR Code                  ✓               ✓
Emergency Access Code    ✓               ✓
OATH OTP                 ✓               ✓

Note:  For the list of currently supported authentication methods, see Authentication Methods for Cloud Access Service Users.

Configuration Steps

This section contains instruction steps that show how to configure the third-party application with CAS using all supported integration types.

This article is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products to install the required components.

All RSA and third-party application components must be installed and working prior to the integration.

SAML My Page SSO

SAML Relying Party

SAML My Page SSO Configuration

This section describes how to configure the third-party application as a service provider for CAS.

Configure CAS

Perform these steps to configure CAS as an IdP for the third-party application.

Procedure 

  1. Sign in to Cloud Administration Console and navigate to Applications > Application Catalog.

  2. Click Create From Template and click Select for SAML Direct.

  3. On the Basic Information page, choose Cloud and enter the name for the application.

  4. Click Next Step.

  5. On the Connection Profile page, choose IdP-initiated under the Initiate SAML Workflow section.


  6. Under Data Input Method, enter the following details.

    1. ACS URL: the Assertion Consumer Service URL of the third-party application, in the form https://<third-party application domain name>/<domain format>/. This is the only endpoint to which CAS sends the SAML response, so copy it exactly from the application.

    2. Service Provider Entity ID: must match the Issuer Entity ID as confirmed in the third-party application. CAS places this value in the Audience of the assertion, and the application rejects assertions whose Audience does not match its own entity ID.

  7. Scroll down to the Identity Provider section. Make a note of the Identity Provider URL as it will be needed for the third-party application configuration.

  8. Click Show IdP Advanced Configuration.

  9. Retain the Identity Provider Entity ID and Audience for SAML Response as the default unless the third-party application needs them to be set differently.

  10. In the SAML Response Protection section, do one of the following:

    1. To sign the SAML assertion only, click the IdP signs assertion within response option.

    2. To sign the whole SAML response, click the IdP signs entire SAML response option.

    3. Click Generate Cert Bundle or use your own certificates. Download the IdP Certificate to configure the third-party application; the application uses it to verify the signature CAS places on the assertion or response.

    4. If the third-party application signs the SAML messages it sends, upload its SP signing certificate in the following section so that CAS can verify those signatures.

  11. Under the User Identity section, select the Identifier Type and Property value as needed by the third-party application. Typical Identity attributes are emailAddress and mail.

    1. Identifier Type: emailAddress

    2. Property: mail

  12. Click Next Step.

  13. In the Access Policy for Authentication list, select the access policy that users must satisfy before CAS issues an assertion for the application.

  14. Click Next Step.

  15. On the Portal Display page, select Display in Portal and click Next Step.

  16. Provide the Fulfillment details.

  17. Click Publish Changes.
    The SAML SSO configuration for your application is now active in CAS.

CAS configuration is complete.

Configure Third-Party Application

Refer to your application configuration guide for SAML.

SAML Relying Party Configuration

This section describes how to integrate CAS with third-party application using SAML Relying Party.

Configure CAS

Perform these steps to configure CAS.

Procedure 

  1. Sign in to Cloud Administration Console.

  2. Click Authentication Clients > Relying Parties.


  3. On the My Relying Parties page, click Add a Relying Party.


  4. On the Relying Party Catalog page, click Add for Service Provider SAML.


  5. On the Basic Information page, enter a name for the application in the Name field.


  6. Click Next Step.

  7. On the Authentication page, choose whether the application (Service Provider) manages primary authentication, or if RSA manages all authentication. Choose an access policy.

  8. Click Next Step.

  9. On the Connection Profile page, provide the following values.

    1. ACS URL: the Assertion Consumer Service URL of the third-party application, in the form https://<third-party application domain name>/<domain format>. This is the only endpoint to which CAS sends the SAML response, so copy it exactly from the application.

    2. Service Provider Entity ID: must match the Issuer Entity ID as confirmed in the third-party application. CAS places this value in the Audience of the assertion.

  10. Scroll down to the Identity Provider section. Make a note of the Identity Provider URL. It is needed for the third-party application configuration.

  11. Under the Message Protection section, for SAML Response Protection, select IdP signs assertion within response (or IdP signs entire SAML response if the application verifies the signature on the outer response instead).

  12. Under the User Identity section, select the Identifier Type and Property value as needed by the third-party application. Typical identity attributes are email and user name.

  13. In the Identity Provider section, the Identity Provider Entity ID is displayed. Make a note of it; the third-party application needs it as the expected Issuer of the assertions it receives.

  14. Click Save and Finish.

  15. Click Publish Changes.
    The SAML configuration for your application is now active in CAS.

CAS configuration is complete.
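The values entered in both CAS procedures above (ACS URL, Service Provider Entity ID, Identity Provider Entity ID, the SAML Response Protection choice and the Identifier Type under User Identity) are exactly what the third-party application must enforce when a SAML response arrives at its ACS. The following Python script is an added example, not part of this article or of any RSA or third-party product; it runs those checks against a constructed sample response. Hostnames, entity IDs and the signature value are placeholders, and cryptographic XML-DSig verification is assumed to be done by a dedicated library before these checks run.

```python
"""SP-side checks for an IdP-initiated SAML 2.0 Response (added example, not CAS code).
Each check maps to a value from the CAS procedures above: ACS URL, SP Entity ID (Audience),
IdP Entity ID (Issuer), SAML Response Protection (which element is signed) and Identifier
Type (NameID Format). XML-DSig verification is NOT done here; do it first, then run these."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

@dataclass(frozen=True)
class SpConfig:
    """What the service provider expects; mirrors the CAS connection profile."""
    acs_url: str            # ACS URL
    sp_entity_id: str       # Service Provider Entity ID / Audience for SAML Response
    idp_entity_id: str      # Identity Provider Entity ID
    signed_element: str     # "assertion" or "response" (SAML Response Protection)
    nameid_format: str = EMAIL_FORMAT          # Identifier Type under User Identity
    clock_skew: timedelta = timedelta(minutes=3)

def _t(ts: str) -> datetime:  # SAML xsd:dateTime, e.g. 2024-05-01T10:00:00Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def check_response(xml_text: str, cfg: SpConfig, now: datetime) -> list:
    """Return the problems found; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "Response":
        return [f"root element is {root.tag}, not samlp:Response"]
    if root.get("InResponseTo"):  # IdP-initiated responses are unsolicited
        problems.append("unsolicited response carries InResponseTo")
    if root.get("Destination") != cfg.acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    code = root.find(SAMLP + "Status/" + SAMLP + "StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertions = root.findall(SAML + "Assertion")
    if len(assertions) != 1:
        return problems + [f"expected one plaintext Assertion, found {len(assertions)}"]
    a = assertions[0]
    for el, label in ((root, "Response"), (a, "Assertion")):
        issuer = el.findtext(SAML + "Issuer")
        if issuer != cfg.idp_entity_id:
            problems.append(f"{label} Issuer {issuer!r} != IdP Entity ID")
    # Which element carries ds:Signature must match the CAS SAML Response Protection choice.
    resp_signed = root.find(DS + "Signature") is not None
    assert_signed = a.find(DS + "Signature") is not None
    if cfg.signed_element == "response" and not resp_signed:
        problems.append("entire response expected to be signed, but Response has no Signature")
    if cfg.signed_element == "assertion" and not assert_signed:
        problems.append("assertion expected to be signed, but Assertion has no Signature")
    cond = a.find(SAML + "Conditions")
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        audiences = [x.text for x in cond.findall(SAML + "AudienceRestriction/" + SAML + "Audience")]
        if cfg.sp_entity_id not in audiences:
            problems.append(f"Audience {audiences} does not include SP Entity ID")
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _t(nb) - cfg.clock_skew:
            problems.append("assertion not yet valid (NotBefore)")
        if noa and now >= _t(noa) + cfg.clock_skew:
            problems.append("assertion expired (NotOnOrAfter)")
    subj = a.find(SAML + "Subject")
    name_id = None if subj is None else subj.find(SAML + "NameID")
    if name_id is None or not name_id.text:
        problems.append("no NameID in Subject")
    elif name_id.get("Format") != cfg.nameid_format:
        problems.append(f"NameID Format {name_id.get('Format')!r} != configured Identifier Type")
    scd = None if subj is None else subj.find(SAML + "SubjectConfirmation/" + SAML + "SubjectConfirmationData")
    if scd is None:
        problems.append("no SubjectConfirmationData (bearer confirmation)")
    elif scd.get("Recipient") != cfg.acs_url:
        problems.append("SubjectConfirmationData Recipient != ACS URL")
    return problems

# Constructed sample (not captured from CAS); hostnames, IDs and the signature value are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" Destination="https://app.example.com/saml/acs">
 <saml:Issuer>https://cas.example.com/idp</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://cas.example.com/idp</saml:Issuer>
  <ds:Signature><ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    Recipient="https://app.example.com/saml/acs" NotOnOrAfter="2024-05-01T10:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"><saml:AudienceRestriction>
   <saml:Audience>https://app.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""
SP = SpConfig("https://app.example.com/saml/acs", "https://app.example.com/saml/metadata",
              "https://cas.example.com/idp", "assertion")
NOW = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)
```

Call check_response(SAMPLE_RESPONSE, SP, NOW) with signed_element set to the option you chose in the SAML Response Protection section; for the sample as constructed it returns an empty list. An application that checks the wrong element can reject every login, or accept an assertion whose content was never covered by a signature, so the setting in CAS and the check in the application must agree.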

Configure Third-Party Application

Refer to your application configuration guide for SAML.