AnsweredAssumed Answered

How do I find the metadata for our RSA Authentication Manager?

Question asked by Kevin Conway on Aug 5, 2019
Latest reply on Aug 6, 2019 by Kevin Conway

Like • Show 0 Likes0
Comment • 4

Hi,

I am trying to Integrate RSA Authentication Manager 8.4 with Ping Federate so I can implement multi-factor for Service Provider O365. I am using The RSA Document Ping Identity PingFederate 9 - RSA ScureID Access Implementation Guide:

Ping Identity PingFederate 9 - RSA SecurID Access Implementation Guide

I'm looking at the PingFederate SAML SP Configuration in the document and am trying to figure out how to find/determine what or where is the metadata file for RSA when creating the new IDP Connection in the Ping Federate Console with RSA. This is item 4 & 5 on page 17 of the guide. How do I get the Metadata File for our RSA on-premise Authentication Manager Application so I can add it as in IDP Connection in the Ping Federate Console.

Thanks,

Kevin C.

Ted Barbour

Aug 5, 2019 2:43 PM

Correct Answer

Hi Kevin - the Ping integration with Authentication Manager is only using a SecurID agent. The Metadata you are referring to for SAML is available in the SecurID Access Cloud Administration Console (discussed on Page 12 step 8 for cloud IdP).

Thanks,

Ted

See the reply in context

Attachments

rsaidpmetadata file.PNG61.0 KB

No one else had this question

Outcomes

Ted Barbour

Aug 5, 2019 2:43 PM

Thanks,

Ted

Actions

Kevin Conway @ Ted Barbour on Aug 5, 2019 4:01 PM

Hi Ted,

Thank you for the reply. So if we are not using the RSA Cloud Authentication Service ( we are not) and are using an on-premise RSA Authentication is there no metadata involved? I'm a novice in the federation area and trying to follow the RSA Guide on how to integrate RSA as an Identity Provider. Our goal is to use RSA SecureID for multi-factor authentication for our Office 365 tenant. Our Office 365 environment uses Ping Federate for its Identity Provider. Looking at this more, I think I may need to follow the Ping Identity TCP Agent Configuration Steps (p35-39) and then follow that up with the section "Bridge RSA SecurID Access SAML Idp to 3rd party SAML SP." the 3rd party SAML SP, in this case would be Office 365. Does this sound right?

Thanks,

Actions

Ted Barbour

@ Kevin Conway on Aug 5, 2019 4:28 PM

Correct, unless you are using the RSA SecurID Cloud Authentication Service there is no SAML metadata involved as the RSA SecurID Authentication Manager (AM) does not support SAML.

The RSA Ping Identity Implementation Guide Page 2 describes two possible SAML integrations (require Cloud Auth Service) and then:

"...

RSA agent API integrations use Ping Identity PingFederate RSA SecurID Integration Kit to integrate with RSA Authentication Manager. When integrated, Authentication Manager can provide authentication for PingFederate integrated applications using SecurID hardware and software SecurID tokens."

See:

TCP Agent (Page 14) Authentication Manager configuration
Ping Identity PingFederate TCP Agent Configuration (Page 36)

Hope that helps,

Ted

Actions

Kevin Conway @ Ted Barbour on Aug 6, 2019 2:24 PM

Ted,

Thanks for the clarification. I’ve created the adapter instance ID SecurID Authentication Adapter 2.1 in the Adapter Console. I followed all the steps to create this up to page 39. I have arrived at the section that says:

This completes the SecurID adapter configuration process. You may now configure or modify your SP connection(s) to use the SecurID adapter instance. See the PingFederate Administrator’s Manual for further details.

https://documentation.pingidentity.com/pingfederate/pf92/index.shtml#adminGuide/administratorsManual.html

Ideally, I would like to have a model that is similar to the one here for O365

https://www.rsa.com/en-us/blog/2017-06/protecting-pingfederate-users-with-rsa-securid-access - see the How it works graphic

I’m guessing I can add an authentication policy that ties the adapter to the O365 Service Provider but not sure on the best way. I’ll work on this through Trial and error. Does that make sense?

Thanks

Kevin C.

Actions

4 Replies

Ted Barbour Aug 5, 2019 2:43 PM
Unmark Correct
Correct Answer
Hi Kevin - the Ping integration with Authentication Manager is only using a SecurID agent. The Metadata you are referring to for SAML is available in the SecurID Access Cloud Administration Console (discussed on Page 12 step 8 for cloud IdP).

Thanks,
Ted
Like • Show 1 Like1
Actions
- Kevin Conway @ Ted Barbour on Aug 5, 2019 4:01 PM
  Mark Correct
  Correct Answer
  Hi Ted,
  
  Thank you for the reply. So if we are not using the RSA Cloud Authentication Service ( we are not) and are using an on-premise RSA Authentication is there no metadata involved? I'm a novice in the federation area and trying to follow the RSA Guide on how to integrate RSA as an Identity Provider. Our goal is to use RSA SecureID for multi-factor authentication for our Office 365 tenant. Our Office 365 environment uses Ping Federate for its Identity Provider. Looking at this more, I think I may need to follow the Ping Identity TCP Agent Configuration Steps (p35-39) and then follow that up with the section "Bridge RSA SecurID Access SAML Idp to 3rd party SAML SP." the 3rd party SAML SP, in this case would be Office 365. Does this sound right?
  
  Thanks,
  Like • Show 0 Likes0
  Actions
  - Ted Barbour @ Kevin Conway on Aug 5, 2019 4:28 PM
    Mark Correct
    Correct Answer
    Correct, unless you are using the RSA SecurID Cloud Authentication Service there is no SAML metadata involved as the RSA SecurID Authentication Manager (AM) does not support SAML.
    The RSA Ping Identity Implementation Guide Page 2 describes two possible SAML integrations (require Cloud Auth Service) and then:
    
    "...
    RSA agent API integrations use Ping Identity PingFederate RSA SecurID Integration Kit to integrate with RSA Authentication Manager. When integrated, Authentication Manager can provide authentication for PingFederate integrated applications using SecurID hardware and software SecurID tokens."
    
    See:
    TCP Agent (Page 14) Authentication Manager configuration
    Ping Identity PingFederate TCP Agent Configuration (Page 36)
    
    Hope that helps,
    Ted
    Like • Show 0 Likes0
    Actions
    - Kevin Conway @ Ted Barbour on Aug 6, 2019 2:24 PM
      Mark Correct
      Correct Answer
      Ted,
      
      Thanks for the clarification. I’ve created the adapter instance ID SecurID Authentication Adapter 2.1 in the Adapter Console. I followed all the steps to create this up to page 39. I have arrived at the section that says:
      
      This completes the SecurID adapter configuration process. You may now configure or modify your SP connection(s) to use the SecurID adapter instance. See the PingFederate Administrator’s Manual for further details.
      
      https://documentation.pingidentity.com/pingfederate/pf92/index.shtml#adminGuide/administratorsManual.html
      
      Ideally, I would like to have a model that is similar to the one here for O365
      
      https://www.rsa.com/en-us/blog/2017-06/protecting-pingfederate-users-with-rsa-securid-access - see the How it works graphic
      
      I’m guessing I can add an authentication policy that ties the adapter to the O365 Service Provider but not sure on the best way. I’ll work on this through Trial and error. Does that make sense?
      
      Thanks
      
      Kevin C.
      Like • Show 0 Likes0
      Actions

How do I find the metadata for our RSA Authentication Manager?

Attachments

Outcomes

Related Content

Recommended Content