Article Number
000036933
Applies To
RSA Product Set: SecurID Access
Issue
The SecurID Access Cloud Authentication Service offers two ways to configure an Identity Provider (IdP) for SAML applications:
- Configure the IDR IdP as described in Add a SAML Application.
- Configure the Cloud IdP as described in Add a Relying Party.
The cloud IdP configuration process is simpler (fewer options) while the IDR IdP is more configurable. Configuration differences may not be readily apparent.
Resolution
The differences between the two options are listed below:
| Cloud IdP | IDR IdP |
|---|
| Creates its own signing certificate | Admin generates and uploads signing certificate |
| Assertion signatures use the SHA-256 hashing algorithm | Assertion signatures use the SHA-1 hashing algorithm by default. Other algorithms including SHA-256 can be configured. |
| Assertion signing is performed on the“Assertion within response” | Assertion signing defaults to “Entire SAML response” but can be configured to be “Assertion within response” |
| The User Identity NameID type is auto-detected | You must specify the User Identity NameID type |
| Extended Attributes are automatically hunted for in all Identity Sources by default | Extended Attributes must be configured with the specific Identity Source where they can be found |
| IdP URL is found only in the IdP metadata file | IdP URL is auto populated in the configuration page |
| 3rd party Service Provider must support SP-initiated SAML | Supports IdP-initiated or SP-initiated SAML |
| Identity Source User Attributes page must have "Synchronize the selected policy attributes with the Cloud Authentication Service" checked. | This checkbox is not applicable |
Notes
The IDR IdP supports single sign-on to protected applications.
The cloud IdP provides primary and/or additional multi-factor authentication for SaaS applications but does not provide single sign-on.
