Cisco ISE 3.2 - SAML Relying Party Configuration - RSA Ready Implementation Guide
This section describes how to integrate Cisco ISE with RSA Cloud Authentication Service using Relying Party.
1. In the Cloud Administration Console, go to Authentication Clients > Relying Parties > Add a Relying Party > Service Provider.
2. In the Authentication section, choose SecurID manages all authentication.
3. In the Connection Profile section, import the metadata that was collected previously from the Cisco ISE Admin GUI.
4. In the SAML Response Protection section, choose to sign the whole SAML Response or the assertion only.
5. In the User Identity section, select the NameID Identifier Type as emailAddress and the Property as mail or UPN. You can optionally return the groups that the user is part of to Cisco ISE by mapping an attribute value to the virtualGroups property in the Attributes Extension section.
6. In the Identity Provider section, choose any discriminator name that you want, click Save and Finish, and then click Publish your changes.
7. Go to Authentication Clients > Relying Parties, and choose the application you created for Cisco ISE.
8. Click the drop-down menu and click Metadata > Download Metadata file.
9. In the Cisco ISE Admin GUI, go to Administration > Identity Management > SAML ID Providers > Choose your Relying party SAML Application > Identity Provider Config.
10. Import the metadata file that was downloaded in Step 8 and click Save.
11. Go to the Groups section and set the Groups value as in Step 5. Assign RBAC based on your needs.
12. In the SAML Identity Provider section, you can add more attributes if needed, but RSA must return them as in Step 5.
13. In the Advanced Settings section, choose the Identity Attribute you need. For the Multi-value attributes, select “Each value in a separate XML element”.
Note: You can sign the whole SAML response or only the assertion. You can also accept only Encrypted Assertions.
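To check that the two sides agree after publishing, the following added example (not part of the RSA or Cisco documentation) inspects a SAML response for the settings chosen above: where the signature sits, the NameID format, and whether group values arrive as separate XML elements. The sample response is constructed, the attribute name "groups" is an assumption, and the script reports structure only; it does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample, not captured from a real deployment. The signature is an
# empty stub and "groups" is an assumed name for the virtualGroups mapping.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <ds:Signature/>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>ise-admins</saml:AttributeValue>
        <saml:AttributeValue>ise-helpdesk</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def inspect_response(xml_text, group_attr="groups"):
    """Report structural facts about a trusted test capture; no signature check."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # nothing readable: either missing or encrypted
        return {"encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{group_attr}']/saml:AttributeValue"
    groups = [v.text or "" for v in assertion.findall(path, NS)]
    return {
        "encrypted_assertion": False,
        "response_signed": root.find("ds:Signature", NS) is not None,      # whole response
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,  # assertion only
        "nameid_is_email": name_id is not None and name_id.get("Format") == EMAIL_FORMAT,
        "name_id": name_id.text if name_id is not None else None,
        "groups": groups,  # one list entry per AttributeValue element
    }
```

If "groups" comes back as a single entry containing several group names, the response is not using one XML element per value and will not match the Advanced Settings choice in the last step.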