SecurID® Integrations

Microsoft Active Directory Federation Services - Relying Party Configuration - RSA Ready SecurID Access Implementation Guide


This section describes how to integrate RSA SecurID Access with Microsoft Active Directory Federation Services using a relying party. The relying party uses SAML 2.0, with RSA SecurID Access acting as the SAML Identity Provider (IdP) and Microsoft Active Directory Federation Services acting as the SAML Service Provider (SP).

Architecture Diagram



Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as a relying party SAML IdP for Microsoft Active Directory Federation Services.


    1. Sign in to the RSA Cloud Administration Console.

    2. Select the Authentication Clients > Relying Parties menu item at the top of the page.

    3. Click the Add a Relying Party button on the My Relying Parties page.

    4. From the Relying Party Catalog, click the +Add button for Service Provider SAML.

    5. On the Basic Information page, enter a Name for the Service Provider in the Name field.

    6. Click the Next Step button.

    7. On the Authentication page, select an authentication option. In this example, RSA SecurID Access manages all authentication is selected.

    8. From Access Policy for Additional Authentication, select a policy. In this example, No Step-up is selected.

    9. Click Next Step.

    10. Configure the Connection Profile for Microsoft Active Directory Federation Services:

      1. Assertion Consumer Service (ACS) URL - Enter the Assertion Consumer Service URL in the format https://<adfs_service>/adfs/ls/. This is the endpoint that receives the signed SAML Response by HTTP POST, so it must be the HTTPS address of the federation service.

      2. Service Provider Entity ID - Enter the Service Provider Entity ID in the format http://<adfs_service>/adfs/services/trust. This value must match the Federation Service identifier of the AD FS farm exactly, including the http:// scheme that AD FS uses by default; AD FS treats the identifier as an opaque string and compares it against the Audience in the assertion, so a mismatch causes the assertion to be rejected.

    11. In the Audience for SAML Response section, select Default Service Provider Entity ID.

    12. Click Download Certificate and save the file as IDPSigningCertificate.pem. Click Choose File and attach the .PEM file in the configuration. This is the certificate AD FS will use to verify the signature on assertions issued by RSA SecurID Access, so keep the file for the next section.

    13. Configure User Identity for NameID mapping:

      1. Identity Type - Auto Detect

      2. Property - Auto Detect

    14. Click Save and Finish.

    15. Browse to Authentication Clients > Relying Parties, select the relying party you just configured, click the down arrow next to Edit, and select View or Download IdP Metadata.

    16. Click Publish Changes.

    17. Open the metadata file and note the entityID attribute of the EntityDescriptor and the Location URL of the SingleSignOnService element for the HTTP-POST binding. Both values are needed to configure the claims provider trust on Microsoft Active Directory Federation Services in the next section.




Configure Microsoft Active Directory Federation Services

Add RSA SecurID Access as a Claim Provider in Active Directory Federation Services


  1. In the AD FS Management console, right-click the Claims Provider Trusts folder, and then click Add Claims Provider Trust.

  2. The Add Claims Provider Trust Wizard opens. Click Start.

  3. On the Select Data Source page, select Enter claims provider trust data manually.

  4. On the Specify Display Name page, enter a name and click Next. In this example the name is Cloud.

  5. On the Configure URL page, in the WS-Federation Passive URL field, enter the location URL from the RSA IdP metadata file downloaded in the previous section. The wizard requires a value here; this endpoint is replaced with a SAML endpoint in steps 11 to 13 below.

  6. On the Configure Identifier page, enter the entityID from the RSA IdP metadata file in the Claims provider trust identifier field and click Next. AD FS matches this value against the Issuer of incoming assertions, so copy it exactly.

  7. On the Configure Certificates page, click Add and browse to the IDPSigningCertificate.pem file downloaded in the previous section. AD FS verifies the signature on every assertion from this claims provider against this certificate.

  8. On the Ready to Add Trust page, use the tabs to verify all the information and click Next.

  9. Click Finish.

  10. Double-click the claims provider trust you just created and select the Endpoints tab.

  11. Select the WS-Federation Passive Endpoints URL and click Remove.

  12. Click the Add SAML button.

  13. On the Add an Endpoint page, select the following:

    1. From the Endpoint type pulldown, select SAML Single Sign-On.

    2. From the Binding pulldown, select POST.

    3. In the Trusted URL field, enter the location URL from the RSA IdP metadata file downloaded in the previous section.

  14. Click Edit Claim Rules.

  15. On the Acceptance Transform Rules tab, click Add Rule.

  16. On the Select Rule Template page, select Pass Through or Filter an Incoming Claim from the pulldown, and then click Next.

  17. On the Configure Rule page, enter a Claim rule name.

  18. Select Name ID from the Incoming claim type pulldown.

  19. Select Unspecified from the Incoming name ID format pulldown. The rule only fires when the format matches the NameID format in the assertion; if AD FS rejects the login after this configuration, compare this setting with the Format attribute of the NameID element in an assertion issued by RSA SecurID Access.

  20. Select Pass through all claim values. This accepts whatever Name ID the IdP asserts. If only users from one mail domain should be able to sign in through this claims provider, select Pass through only claim values that match a specific email suffix value instead and enter the suffix.

  21. Click Finish.
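The same claims provider trust can be created from the AD FS PowerShell module instead of the wizard. The script below is an added example written for this page, not code from RSA or Microsoft: it reads the entityID and the HTTP-POST single sign-on Location out of the RSA IdP metadata file (the values noted at the end of the previous section), checks that the separately downloaded IDPSigningCertificate.pem is the signing certificate the IdP actually publishes, and then creates the trust with only a SAML POST endpoint and the same Name ID pass-through acceptance rule as steps 16 to 20 above. Because the trust is created with a SAML endpoint from the start, the WS-Federation Passive URL that the wizard forces you to enter and then remove (steps 5 and 11 to 13) is never added. The file paths and the display name Cloud are assumptions; adjust them to your environment.

```powershell
# Added example, not part of the RSA implementation guide: configures the AD FS
# claims provider trust for RSA SecurID Access with the ADFS PowerShell module,
# taking entityID, SSO URL and signing certificate from the RSA IdP metadata.
# Assumed inputs: the two file paths below and the display name 'Cloud'.
param(
    [string]$MetadataPath    = 'C:\RSA\idp-metadata.xml',           # assumed path
    [string]$SigningCertPath = 'C:\RSA\IDPSigningCertificate.pem',  # assumed path
    [string]$DisplayName     = 'Cloud'
)

Import-Module ADFS

# 1. Read the IdP metadata and pull out the two values the wizard asks for.
#    PowerShell's XML adapter resolves elements by local name, so the md: prefix
#    used in SAML metadata does not matter here.
[xml]$md = Get-Content -Path $MetadataPath -Raw
$entityId    = $md.EntityDescriptor.entityID
$postBinding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
$ssoUrl = ($md.EntityDescriptor.IDPSSODescriptor.SingleSignOnService |
    Where-Object { $_.Binding -eq $postBinding } | Select-Object -First 1).Location

if (-not $entityId -or -not $ssoUrl) {
    throw 'entityID or HTTP-POST SingleSignOnService Location not found in the metadata'
}
if ($ssoUrl -notmatch '^https://') {
    throw "Refusing to trust a non-HTTPS single sign-on endpoint: $ssoUrl"
}

# 2. Check that the PEM downloaded from the RSA console is the signing certificate
#    published in the metadata, so a stale or wrong file is caught before AD FS
#    starts accepting assertions signed with it.
$pemCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($SigningCertPath)
$mdCertB64 = ($md.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' -or -not $_.use } |
    Select-Object -First 1).KeyInfo.X509Data.X509Certificate -replace '\s', ''
$mdCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [byte[]][Convert]::FromBase64String($mdCertB64))
if ($pemCert.Thumbprint -ne $mdCert.Thumbprint) {
    throw "Downloaded certificate ($($pemCert.Thumbprint)) does not match the metadata signing certificate ($($mdCert.Thumbprint))"
}
if ($pemCert.NotAfter -lt (Get-Date)) {
    throw "IdP signing certificate expired on $($pemCert.NotAfter)"
}

# 3. Create the trust with a SAML POST single sign-on endpoint only.
$samlEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLSingleSignOn -Uri $ssoUrl

# Acceptance rule equivalent to the wizard's Pass Through or Filter an Incoming
# Claim template for Name ID with format Unspecified, passing all values.
$acceptanceRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(claim = c);
'@

Add-AdfsClaimsProviderTrust -Name $DisplayName `
    -Identifier $entityId `
    -TokenSigningCertificate $pemCert `
    -SamlEndpoint $samlEndpoint `
    -AcceptanceTransformRules $acceptanceRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# 4. Show what AD FS recorded so it can be compared with the RSA side.
Get-AdfsClaimsProviderTrust -Name $DisplayName |
    Select-Object Name, Identifier, SignatureAlgorithm,
        @{ n = 'SamlEndpoint';          e = { $_.SamlEndpoints[0].Location } },
        @{ n = 'SigningCertThumbprint'; e = { $_.TokenSigningCertificates[0].Thumbprint } }
```

Run the script in an elevated PowerShell session on an AD FS server. The thumbprint comparison is the check worth keeping even if you stay with the wizard: the certificate you upload on the Configure Certificates page is the only thing that stops a forged assertion naming the RSA entityID from being accepted, so it should be the certificate the IdP publishes, not an older export.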


Login Flow

  1. Browse to https://<adfs_service>/adfs/ls/IdpInitiatedSignon.aspx and select your site from the dropdown. In this example, Salesforce New is selected. On AD FS for Windows Server 2016 and later this page is disabled by default; enable it by setting the EnableIdpInitiatedSignonPage federation service property to true before testing, or test with a login started from the relying party application instead.

  2. Select the identity source to validate against; in this example, click Cloud.

  3. You are redirected to the RSA Cloud IdP login page.

  4. Enter your credentials and verify that you are logged in to your Salesforce home page.




Last update: 2021-10-08 12:37 AM