Using Fortanix Data Security Manager with RSA SecurID Access

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with RSA SecurID Access using either a SAML Relying Party or a Single Sign-On (SSO) Agent configuration.

  • Relying party integrations use SAML 2.0 to connect RSA SecurID Access, acting as the SAML Identity Provider (IdP), to Fortanix DSM, acting as the SAML Service Provider (SP).

  • SSO Agent integrations use SAML 2.0 to direct users’ web browsers to the Cloud Authentication Service for authentication. SSO Agents also provide Single Sign-On to other applications through the RSA Application Portal.

Once integrated, Fortanix DSM end users must authenticate with RSA SecurID Access to sign in.

This article also contains the information a user requires to:

  • Configure RSA Cloud Authentication Service

  • Configure Fortanix DSM

2.0 Architecture Diagram

Figure 1: Architecture diagram for Fortanix DSM with relying party integration

Figure 2: Architecture diagram for Fortanix DSM with SSO agent integration

3.0 Configure RSA Cloud Authentication Service

3.1 Add Relying Party

Perform the following steps to configure RSA Cloud Authentication Service as a relying party SAML IdP to Fortanix DSM.

  1. Sign in to the RSA Cloud Administration Console and browse to Authentication Clients → Relying Parties and click Add a Relying Party.

    Figure 3: Add Relying Party

  2. In the Relying Party Catalog, click Add for Service Provider SAML.

    Figure 4: Add service provider SAML

  3. In the Basic Information section, enter a name and click Next Step.

    Figure 5: Enter basic information

  4. In the Authentication section, do the following:

    • Under Authentication Details, select SecurID Access manages all authentication.

    • Select the appropriate primary and additional authentication methods.

    • Click Next Step.

    Figure 6: Authentication details

  5. On the Service Provider page, enter the following values:

    • Assertion Consumer Service (ACS) URL: Enter the URL: https://<fortanix_dsm_url>/saml.

    • Service Provider Entity ID: Enter the URL: https://<fortanix_dsm_url>/saml/metadata.xml.

    Figure 7: Service provider metadata

  6. In the Audience for SAML Response section, select Default Service Provider Entity ID.

    Figure 8: Audience for SAML response

  7. In the Message Protection section, under SAML Response Protection section, select IdP signs entire SAML response.

    Figure 9: Message protection

  8. Click Show Advanced Configuration.

    Figure 10: Advanced configuration

  9. Under the User Identity section, select the following:

    1. Identifier Type: Select Auto Detect.

    2. Property: Select Auto Detect.

    Figure 11: User identity details

  10. Click Save and Finish.

  11. Click Publish Changes in the top left corner of the page and wait for the operation to complete.

    Figure 12: Publish changes

  12. On the My Relying Parties page, do the following:

    1. Select Metadata from the Edit drop-down list to view and download an XML file containing your RSA SecurID Access IdP’s metadata.

    2. Click Download Metadata File on the View or Download Identity Provider Metadata page. A file named IdpMetadata.xml is downloaded.

    Figure 13: My relying parties

3.2 Add Single Sign-On Agent

Perform the following steps to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to Fortanix DSM:

  1. Sign in to the RSA Cloud Administration Console and browse to Applications → Application Catalog.

  2. Click Create From Template and select SAML Direct.

    Figure 14: Choose SAML direct connector template

  3. In the Basic Information section, enter the application name and click Next Step.

    Figure 15: Enter basic information

  4. In the Initiate SAML Workflow section, do the following:

    1. Connection URL: Enter the URL: https://<fortanix_dsm_url>.

    2. Select the SP-initiated radio button.

    Figure 16: Initiate SAML workflow

  5. In the SAML Identity Provider (Issuer) section, do the following:

    1. Identity Provider URL: This is generated automatically.

    2. Issuer Entity ID: This is generated automatically.

    3. Click Generate Cert Bundle to generate and download a zip file containing the private key and certificate. Unzip the downloaded file to extract the certificate and private key.

    4. For the Private Key Loaded field, click Choose File and upload the RSA SecurID Access private key.

    5. For the Certificate Loaded field, click Choose File and upload the RSA SecurID Access public certificate.

    Figure 17: SAML IdP

  6. Under the Service Provider section, do the following:

    1. Assertion Consumer Service (ACS) URL: Enter the URL: https://<fortanix_dsm_url>/saml.

    2. Audience (Service Provider Entity ID): Enter the URL: https://<fortanix_dsm_url>/saml/metadata.xml.

    Figure 18: Service provider details

  7. Under the User Identity section, select Email Address from the Identifier Type drop-down list, select the name of your user Identity Source, and select mail as the property value.

    Figure 19: User identity

  8. Scroll to the bottom of the page and click Next Step.

  9. On the User Access page, select the access policy the identity router will use to determine which users can access the Fortanix service provider. Click Next Step.

    Figure 20: Access policy

  10. On the Portal Display page, configure the portal display and other settings. Click Save and Finish.

  11. Click Publish Changes in the top left corner of the page and wait for the operation to complete.

    Figure 21: Publish changes

  12. Navigate to Applications → My Applications, locate Fortanix in the list, and select Export Metadata from the Edit option.

4.0 Configure RSA SecurID Access in Fortanix DSM

Perform the following steps to integrate Fortanix DSM with RSA SecurID Access as a Relying Party SAML service provider or as a SAML SSO agent:

  1. Log in to Fortanix DSM using the URL: https://<fortanix_dsm_url>/.

  2. In the Fortanix DSM user interface (UI), navigate to Settings → AUTHENTICATION tab, and select SINGLE SIGN-ON as the authentication method.

  3. Click ADD SAML INTEGRATION to add a new SAML integration.

    Figure 22: Select SSO

  4. On the Add SAML Integration page, do the following:

    • Click UPLOAD A FILE to browse for and upload the SAML metadata file downloaded in Step 12 of Section 3.1: Add Relying Party or Section 3.2: Add Single Sign-On Agent.

      Figure 23: Upload SAML metadata

    • Customize the SSO by entering a name in the SSO Title field and a URL for the logo image in the Logo URL field.

    • Click ADD INTEGRATION.

    Figure 24: Customize SSO

  5. After RSA Cloud Authentication Service is successfully integrated as a relying party or an SSO agent, Fortanix DSM displays the configured SSO:

    Figure 25: SAML IdP integrated

5.0 Test the Integration

Perform the following steps to verify the SSO integration:

  1. Log out of Fortanix DSM to sign in using SSO.

  2. On the Fortanix DSM Login screen, click LOG IN WITH RSA SECURID ACCESS to log in using the newly added SSO configuration.

    Figure 26: Sign in using SSO

  3. After authenticating with RSA SecurID Access, you are logged in to Fortanix DSM and taken to the Fortanix DSM accounts page.
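
If the login in Step 3 fails, the usual cause is a mismatch between what the IdP puts in the SAML Response and what Fortanix DSM was configured to expect: the ACS URL and SP entity ID from Step 5 of Section 3.1 (or Step 6 of Section 3.2), the IdP entity ID from the uploaded metadata, and the Response-level signature selected in Step 7 of Section 3.1. The following Python script is an added example, not Fortanix or RSA code, that checks a captured Response for those mismatches. The response, URLs and entity IDs in it are constructed placeholders standing in for `<fortanix_dsm_url>` and the real IdP values. It checks consistency only: verifying the XML signature itself requires an XML-DSig library together with the certificate from the IdP metadata, and is out of scope here.

```python
# Added example, not Fortanix or RSA code: check a captured SAML Response against
# the values configured in Sections 3 and 4. Consistency checks only; the XML
# signature is not cryptographically verified here.
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder values standing in for <fortanix_dsm_url> and the IdP's entity ID.
SP_CONFIG = {
    "acs_url": "https://dsm.example.test/saml",
    "sp_entity_id": "https://dsm.example.test/saml/metadata.xml",
    "idp_entity_id": "https://idp.example.test/saml/idp",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PLACEHOLDER_SIGNATURE = "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>not-a-real-signature</ds:SignatureValue></ds:Signature>"
SAMPLE_NOW = dt.datetime(2024, 1, 1, 12, 1, tzinfo=dt.timezone.utc)  # clock used for the sample

# Constructed response shaped like what the IdP posts to the ACS URL after login.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://dsm.example.test/saml" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.test/saml/idp</saml:Issuer>
  {PLACEHOLDER_SIGNATURE}
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/saml/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
            Recipient="https://dsm.example.test/saml" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://dsm.example.test/saml/metadata.xml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str) -> dt.datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text: str, config: dict, now: dt.datetime, request_id: str = None) -> list:
    """Return mismatches between the Response and the SP configuration (empty list = consistent)."""
    findings = []
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{NS['samlp']}}}Response":
        return ["document is not a samlp:Response"]
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        findings.append("status is not Success")
    if resp.get("Destination") != config["acs_url"]:
        findings.append(f"Destination {resp.get('Destination')!r} != ACS URL")
    if resp.findtext("saml:Issuer", default="", namespaces=NS).strip() != config["idp_entity_id"]:
        findings.append("Response Issuer != IdP entity ID from the metadata")
    # Step 7 chose 'IdP signs entire SAML response', so the Signature must be a
    # direct child of samlp:Response, not only of the Assertion.
    if resp.find("ds:Signature", NS) is None:
        findings.append("no Response-level Signature")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return findings + [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != config["idp_entity_id"]:
        findings.append("Assertion Issuer != IdP entity ID from the metadata")
    audiences = [e.text.strip() for e in a.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if config["sp_entity_id"] not in audiences:
        findings.append(f"Audience {audiences} does not contain the SP entity ID")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:  # clock skew between IdP and SP shows up here
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            findings.append("assertion not yet valid (NotBefore in the future)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            findings.append("assertion expired (NotOnOrAfter passed)")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        findings.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != config["acs_url"]:
            findings.append("SubjectConfirmationData Recipient != ACS URL")
        if request_id and scd.get("InResponseTo") != request_id:
            findings.append("InResponseTo does not match the AuthnRequest DSM sent")
    if not a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip():
        findings.append("no NameID: nothing to map to a DSM user")
    return findings


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, SP_CONFIG, SAMPLE_NOW, "_req1") or "consistent")
```

Run it against a Response captured from the browser's SAML POST (base64-decoded) with `now` set to the capture time; an empty list means every value DSM compares matches the configuration, and the remaining suspects are the signature itself and the user mapping for the NameID.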