Article Number
000039638
Applies To
RSA Product Set: RSA SecurID Access
RSA Product/Service Type: Cloud
Issue
When logging in to the Cloud Admin Console and navigating to My Account --> Company Settings --> Sessions & Authentication, two options are shown under Cloud Administration Console Authentication: the default method (Password) and using a Third-Party Identity Provider (IdP) to log in to the Cloud Administration Console (CAS).
Some customers would like to configure the Identity Router (IDR), or the Load Balancer in front of it, as a Third-Party Identity Provider for the Cloud Admin Console, so that the IDR SSO Portal is used to log in to the Admin Console.
Task
Integrate the IDR as an IdP for the Cloud Admin Console using SAML SP-initiated SSO.
Resolution
WARNING: If something goes wrong in the implementation, you will not be able to access the Cloud Admin Console with your credentials. We therefore always advise keeping an open and active session logged in to the Cloud Admin Console so that you can revert the Primary Authentication Method back to Password if needed.
In addition to that backup session, which is kept in case we are locked out of the Admin Console, we open two other sessions to the Cloud so that the SAML attributes can be mapped between them:
1. In the First Session on the Cloud Admin Console, go to Applications --> My Applications.
2. Click Add an Application --> Create from Template --> SAML Direct.
3. Under Basic Information, ensure the Disabled checkbox is not checked, then go to Connection Profile.
4. In the Second Session, go to My Account --> Company Settings --> Sessions & Authentication and, under Cloud Administration Console Authentication, change the Primary Authentication Method from Password to Third-Party Identity Provider (IdP).
5. Copy the link under Sign-In URL. NOTE: Take note of this link, because it is the SAML link you will use to sign in to your Admin Console.
6. Back in the First Session, where the SAML application is being created, there is no need to upload any metadata under Connection Profile; under Initiate SAML Workflow, paste the value copied in Step 5 into Connection URL.
7. Ensure the method is SP-initiated and the Binding Method is POST, and do not check Signed.
8. Copy the Identity Provider URL from the First Session into the Second Session under Issuer URL.
9. In the First Session, keep Issuer Entity ID at its default value; copy that value and paste it into the Second Session under Issuer ID.
10. In the First Session, click Generate Cert Bundle, set the CN to your portal hostname, then download and extract the .zip file.
11. In the First Session, choose private.key as the Private Key and upload cert.pem as the certificate.
12. In the Second Session, under SAML Response Signature, upload the same cert.pem file from the certificate bundle.
13. In the Second Session, copy the value under Assertion Consumer Service (ACS) URL and paste it into the First Session under Assertion Consumer Service (ACS) URL.
14. In the Second Session, copy the value under Audience ID and paste it into the First Session under Audience (Service Provider Entity ID).
15. In the First Session, under User Identity, make sure the Identifier Type is Email Address and the Property is mail.
16. Under Show Advanced Configuration, leave everything unchecked.
17. Configure the user access as needed, then Save the application.
18. In the Second Session, set your Sign-Out URL to https://<PortalHostname>/LogoutServlet
19. Under Error URL, set the value to https://<PortalHostname>?Signing-error-cas
20. Also click Save Settings on the same page and publish the changes.
Now use the link that we took note of in Step 5 to access the Cloud Admin Console.
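The steps above pair four values between the two sessions: the Issuer Entity ID of the IDR application becomes the Issuer ID in the Admin Console, and the Admin Console's ACS URL and Audience ID are copied back into the application, with the user identified by email address. A mismatch in any of them produces a failed sign-in rather than a clear error, so it is useful to check a captured SAML Response against the configured values before switching the Primary Authentication Method. The following Python script is an added example, not code from the RSA article or product; all URLs, identifiers and the SAML Response it parses are constructed placeholders, and it checks only the mapping (Destination, Issuer, Audience, NameID format), leaving signature verification to the Admin Console, which validates it with the uploaded cert.pem.

```python
"""Added example: check that a SAML Response carries the values mapped between
the two Cloud Admin Console sessions (Issuer ID, ACS URL, Audience ID, email
NameID).  Signature checking is deliberately out of scope here."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Identifier Type "Email Address" corresponds to this NameID format.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


@dataclass(frozen=True)
class CasIdpSettings:
    """Values entered in the Second Session (constructed placeholders)."""
    issuer_id: str     # Issuer ID, copied from the application's Issuer Entity ID
    acs_url: str       # Assertion Consumer Service (ACS) URL shown by the console
    audience_id: str   # Audience ID shown by the console


def check_saml_response(xml_text: str, settings: CasIdpSettings) -> list[str]:
    """Return a list of mismatches; an empty list means the Response matches."""
    problems: list[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    # Destination must be the ACS URL pasted into the application.
    if root.get("Destination") != settings.acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    # Issuer must equal the Issuer ID configured in the console.
    if root.findtext("saml:Issuer", namespaces=NS) != settings.issuer_id:
        problems.append("Response Issuer != Issuer ID")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion present"]
    if assertion.findtext("saml:Issuer", namespaces=NS) != settings.issuer_id:
        problems.append("Assertion Issuer != Issuer ID")
    # AudienceRestriction must name the Audience ID (Service Provider Entity ID).
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if settings.audience_id not in audiences:
        problems.append(f"Audience ID not in AudienceRestriction {audiences!r}")
    # Identifier Type Email Address: NameID must use the emailAddress format.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is not in emailAddress format")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value does not look like an email address")
    # Bearer confirmation, when present, must also point at the ACS URL.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") != settings.acs_url:
        problems.append("SubjectConfirmationData Recipient != ACS URL")
    return problems


# Constructed placeholder settings (not real tenant values).
SETTINGS = CasIdpSettings(
    issuer_id="https://portal.example.com/IdPServlet",
    acs_url="https://cas.example.com/saml/acs",
    audience_id="urn:example:cas:tenant-placeholder",
)

# Constructed, unsigned Response that matches SETTINGS.
GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{SETTINGS.acs_url}">
  <saml:Issuer>{SETTINGS.issuer_id}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{SETTINGS.issuer_id}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">admin@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SETTINGS.acs_url}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{SETTINGS.audience_id}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Same Response with a wrong Audience and a non-email NameID format.
BAD_RESPONSE = (GOOD_RESPONSE
                .replace(SETTINGS.audience_id, "urn:example:some-other-sp")
                .replace(EMAIL_FORMAT, "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"))


def demo() -> tuple[list[str], list[str]]:
    """Run the check on both constructed Responses and return the findings."""
    return check_saml_response(GOOD_RESPONSE, SETTINGS), check_saml_response(BAD_RESPONSE, SETTINGS)


if __name__ == "__main__":
    good, bad = demo()
    print("good response problems:", good)
    print("bad response problems:", bad)
```

Run it against a Response captured from the browser (for example from the POST to the ACS URL) after substituting your own Issuer ID, ACS URL and Audience ID; an empty list for a real Response means the values copied between the two sessions line up, and each entry in a non-empty list names the step whose value to re-check.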