Microsoft Active Directory Federation Services - SAML SSO Agent Configuration - RSA Ready SecurID Access Implementation Guide

This section describes how to integrate RSA SecurID Access with Microsoft Active Directory Federation Services using a SAML SSO Agent.

Architecture Diagram

[Architecture diagram: image not reproduced here]

Complete the steps in this section to integrate Microsoft Active Directory Federation Services with RSA SecurID Access using the SAML authentication protocol.

Export the Active Directory Federation Services token-signing Certificate

Procedure

  1. Open the Microsoft Active Directory Federation Services management console.

  2. Select Certificates and double-click the token-signing certificate.

  3. Click the Details tab.

  4. Click Copy to File.

  5. Save the certificate in DER format.

Note: This certificate will be needed later to configure the Salesforce SAML settings.

Configure Salesforce for Single Sign-on

Procedure

  1. Log in to the Salesforce administration console. In SETTINGS > Identity, select Single Sign-On Settings.

  2. Click the Edit button.

  3. Under the Federated Single Sign-On Using SAML section, select the SAML Enabled checkbox, and click Save.

  4. In the SAML Single Sign-On Settings section, choose New to configure the settings manually.

  5. Enter the following values in the corresponding fields:

    1. In the Name field, enter a name.

    2. In the Issuer field, enter your Microsoft Active Directory Federation Services name appended with /adfs/services/trust.

      In this example we used: http://vm2013.PEADFS.com/adfs/services/trust.

      Note: This is http not https.

    3. In the Entity ID field, enter an ID that starts with https://.

      In this example we used our custom domain: https://rsa-a.my.salesforce.com.

    4. In Identity Provider Certificate, click Browse and select the Microsoft Active Directory Federation Services token-signing certificate you exported earlier.

    5. In SAML Identity Type, select Assertion contains Federation ID from the User object.

    6. In SAML Identity Location, select Identity is in the NameIdentifier element of the Subject statement.

    7. In Service Provider Initiated Request Binding, select HTTP POST.

    8. In the Identity Provider Login URL field, enter the Microsoft Active Directory Federation Services name appended by /adfs/ls/.

      In this example we used https://vm2013.PEADFS.com/adfs/ls/.

      Note: This URL is https and you must include the slash at the end of the URL.

    9. Click Save.

  6. From the SAML Single Sign-On Settings section, click the name you just created (in this example, viaWest).

  7. Select Download Metadata. This will be needed later to configure the Microsoft Active Directory Federation Services Relying Party Trust.

Configure Salesforce User

Procedure

  1. In the Salesforce administration console, select ADMINISTRATION > Users > Users.

  2. Click New User.

  3. Complete all the required fields.

  4. Enter the email address in the Federation ID field.

  5. Select Save.

Configuration for My Domain

Procedure

  1. In the Salesforce console, select SETTINGS > Company Settings > My Domain.

  2. Under My Domain > My Domain Settings > My Domain Details, enter the URL to use to log in to your Salesforce domain, and click Check Availability.

  3. Select Save.

  4. In the My Domain Settings > Policies, confirm that Prevent login from https://login.salesforce.com is cleared.

    With this checkbox cleared, administrators and users can authenticate from https://login.salesforce.com without SSO. RSA recommends clearing this box to prevent an inadvertent lockout as the result of an SSO misconfiguration.

  5. In the My Domain Settings > Authentication Configuration, click Edit.

  6. In Authentication Configuration > Authentication Service, clear the Login Page check box and select the SSO settings you just created (in this example, viaWest).

    With the SSO settings option selected and the Login Page option cleared, users and administrators accessing Salesforce through My domain (in this example, https://rsa-a.my.salesforce.com) always authenticate to Salesforce using the Single Sign-on profile viaWest.

  7. Click Save.

Configure Microsoft Active Directory Federation Services to Send Claims

Procedure

  1. Open the Microsoft Active Directory Federation Services management console.

  2. In Actions, click Add Relying Party Trust.

  3. The configuration wizard launches. Check that the Claims aware option is selected, then click Start.

  4. Select Import data about the relying party from a file.

  5. Browse to the Salesforce metadata file you downloaded earlier and click Next.

  6. Enter a Display name and click Next.

  7. On the Choose Access Control Policy page, select Permit everyone and click Next.

  8. Verify all information is correct and click Next.

  9. Click Finish.

  10. From Actions > Salesforce New, click Edit Claim Issuance Policy.

  11. On the Edit Claim Issuance Policy for Salesforce New page, click Add Rule.

  12. From the Claim rule template dropdown, select Send LDAP Attributes as Claims.

  13. Enter a Claim rule name.

  14. From the Attribute store dropdown, select Active Directory.

  15. In the Mapping of LDAP attributes to outgoing claim types window, use the pull-down to select E-Mail-Addresses as the LDAP attribute and Name ID as the Outgoing Claim Type.

  16. Click Finish.

  17. Double-click the Salesforce Relying Party Trust (in this example, Salesforce New) and select the Advanced tab.

  18. From the Secure hash algorithm pull-down, select SHA-1.

    Note: For SP-initiated login to work, the Active Directory Federation Services Secure Hash Algorithm parameter must be set to SHA-1.
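
The AD FS side of this section (the token-signing certificate export from the first section, the relying party trust created from the Salesforce metadata, the LDAP claim rule and the SHA-1 setting) can also be done from an AD FS PowerShell session. The following is an added example, not part of the RSA guide; the file paths, the trust name "Salesforce New" and the metadata file name are assumptions.

```powershell
# Added example, not from the RSA guide. Run in an elevated PowerShell session
# on the AD FS server. Paths and the "Salesforce New" name are placeholders.
Import-Module ADFS

# Section 1: export the primary token-signing certificate in DER (.cer) form.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("C:\temp\adfs-token-signing.cer", $der)
# Upload C:\temp\adfs-token-signing.cer as the Identity Provider Certificate in Salesforce.

# Steps 12-15: "Send LDAP Attributes as Claims", AD mail attribute -> Name ID.
# This is the rule text the wizard generates for that template.
$nameIdFromMail = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Steps 2-9 and 18: relying party trust from the Salesforce metadata, the
# "Permit everyone" access control policy, and the SHA-1 signature algorithm
# the guide requires for SP-initiated login.
Add-AdfsRelyingPartyTrust -Name "Salesforce New" `
    -MetadataFile "C:\temp\SAMLSP-salesforce-metadata.xml" `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules $nameIdFromMail `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Check: the trust exists, signs with SHA-1, and carries the Name ID rule.
Get-AdfsRelyingPartyTrust -Name "Salesforce New" |
    Select-Object Name, Identifier, SignatureAlgorithm, IssuanceTransformRules | Format-List
```

The Identifier shown by the final check should match the Entity ID you entered in Salesforce (https://rsa-a.my.salesforce.com in this example).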

Verify that Microsoft Active Directory Federation Services now protects Salesforce.

Procedure

  1. Browse to: https://ADFS_servicename/adfs/ls/IdpInitiatedSignon.aspx

  2. Enter the user credentials.

  3. Verify that the user logs in to Salesforce.

Configure Microsoft Active Directory Federation Services

Perform these steps to configure Microsoft Active Directory Federation Services as an SSO Agent SAML SP to RSA Cloud Authentication Service.

Procedure

  1. Sign in to the RSA Cloud Administration Console, browse to Applications > Application Catalog, search for Microsoft Active Directory Federation Services, and click +Add to add the connector.

  2. Enter a name for the application in the Name field on the Basic Information page and click the Next Step button.

  3. Navigate to the Initiate SAML Workflow section.

    1. In the Connection URL field, enter the URL of the Active Directory Federation Services login page. In this example we used:

      https://vm2013.peadfs.com/adfs/ls/IdpInitiatedSignon.aspx

    2. Choose SP-Initiated.

  4. Scroll down to the SAML Identity Provider (Issuer) section.

    1. Identity Provider URL - <Automatically generated>

    2. Issuer Entity ID - <Automatically generated>

    3. Select Choose File and upload the private key. If you do not have a key pair, use Generate Cert Bundle to create the keys.

    4. Select Choose File to import the public signing certificate.

  5. Scroll down to the Service Provider section.

    1. Assertion Consumer Service (ACS) URL - enter the Active Directory Federation Services name appended by /adfs/ls.

      In this example we used: https://vm2013.peadfs.com/adfs/ls/

    2. Audience (Service Provider Issuer ID) - enter the Active Directory Federation Services name appended by /adfs/services/trust.

      In this example we used: http://vm2013.peadfs.com/adfs/services/trust

  6. Scroll down to the User Identity section.

    Verify the settings are correct for your environment. In this example the following values were used.

    1. Identifier Type - unspecified

    2. Identity Source - User store

    3. Property - mail

  7. Click Show Advanced Configuration.

    1. Scroll to the Uncommon Formatting SAML Response Options section. Verify that Signature Algorithm is set to rsa-sha256.

  8. Click Next Step.

  9. On the User Access page, select the Allow All Authenticated Users user policy from the available options.

  10. Click Next Step.

  11. On the Portal Display page, select Display in Portal.

  12. Click Save and Finish.

  13. Click Publish Changes.

  14. Navigate to Applications > My Applications.

  15. Locate Microsoft Active Directory Federation Services (AD FS) in the list and, from the Edit option, select Export Metadata.

Configure Microsoft Active Directory Federation Services to Use RSA SecurID Access as an Identity Provider

Add RSA SecurID Access as a Claims Provider in Microsoft Active Directory Federation Services.

Procedure

  1. In Active Directory Federation Services console, right-click the Claims Provider Trusts folder, and then click Add Claims Provider Trust.

  2. The Add Claims Trust Wizard will open. Click Start.

  3. On the Select Data Source page, select Import data about the claims provider from a file, and click Browse.

  4. Select the metadata file downloaded earlier from the Microsoft Active Directory Federation Services (AD FS) connector in the RSA Cloud Administration Console.

  5. Click Next.

  6. On the Specify Display Name page, type RSA_IDP, and then click Next.

  7. Click Next.

  8. Use the tabs and verify all information is correct and click Next.

  9. Click Finish.

  10. Click Edit Claim Rules.

  11. On the Acceptance Transform Rules tab, click Add Rule.

  12. On the Select Rule Template page, select Pass Through or Filter an Incoming Claim from the Claim rule template dropdown.

  13. On the Configure Claim Rule page, enter a Claim rule name.

  14. Select Name ID from the Incoming claim type pulldown.

  15. Select Unspecified from the Incoming name ID format pulldown.

  16. Select Pass through all claim values.

  17. Click Finish.

  18. Select Salesforce New under Relying Party Trust.

  19. Select Edit Claim Issuance Policy.

  20. On Issuance Transform Rules, click Add Rule.

  21. On the Select Rule Template page, select Pass Through or Filter an Incoming Claim from the Claim rule template dropdown.

  22. On the Configure Claim Rule page, enter a Claim rule name.

  23. Select Name ID from the Incoming claim type pulldown.

  24. Select Unspecified from the Incoming name ID format pulldown.

  25. Select Pass through all claim values.

  26. Click Finish.
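
The claims provider trust and the two pass-through rules above, as an added PowerShell example that is not part of the RSA guide. It assumes an AD FS PowerShell session on the AD FS server, a placeholder path for the metadata exported from the RSA connector, and that the "Salesforce New" relying party trust already exists.

```powershell
# Added example, not from the RSA guide. Run in an elevated PowerShell session
# on the AD FS server. The metadata path is a placeholder; "Salesforce New" is
# the relying party trust created earlier.
Import-Module ADFS

# Steps 12-16 and 21-25: "Pass Through or Filter an Incoming Claim" for Name ID
# with the Unspecified format, passing all claim values through unchanged.
$passThroughNameId = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(claim = c);
'@

# Steps 1-11: RSA_IDP claims provider trust from the connector metadata, with the
# pass-through as its acceptance transform rule.
Add-AdfsClaimsProviderTrust -Name "RSA_IDP" `
    -MetadataFile "C:\temp\rsa-adfs-connector-metadata.xml" `
    -AcceptanceTransformRules $passThroughNameId

# Steps 18-26: the relying party's LDAP rule only fires for sessions AD itself
# authenticated, so append the pass-through so an RSA-issued Name ID reaches Salesforce.
$existing = (Get-AdfsRelyingPartyTrust -Name "Salesforce New").IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName "Salesforce New" `
    -IssuanceTransformRules ($existing + "`r`n" + $passThroughNameId)

# Check: RSA_IDP is enabled with its acceptance rule, and Salesforce New lists both rules.
Get-AdfsClaimsProviderTrust -Name "RSA_IDP" | Select-Object Name, Enabled, AcceptanceTransformRules | Format-List
(Get-AdfsRelyingPartyTrust -Name "Salesforce New").IssuanceTransformRules
```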

Verify that Microsoft Active Directory Federation Services now redirects to the RSA portal.

Procedure

  1. Browse to: https://ADFS_servicename/adfs/ls/IdpInitiatedSignon.aspx. Select your site from the dropdown (in this example, Salesforce New).

  2. Select the identity source to validate against: click RSA_IDP, and you are redirected to the RSA portal login page.

  3. Enter your credentials; you are logged in to your Salesforce home page.

Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the SAML SSO Agent configuration to your use case.

Return to the main page for more certification-related information.

Last update: 2021-10-08 12:39 AM