Using Fortanix Data Security Manager with RSA SecurID Access

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with RSA SecurID Access using either a SAML Relying Party or an SSO Agent configuration. It also contains the information that a user requires to:

  • Configure RSA Cloud Authentication Service

  • Configure Fortanix Data Security Manager

Relying Party integrations use SAML 2.0 to connect RSA SecurID Access as a SAML Identity Provider (IdP) to the Fortanix DSM SAML Service Provider (SP).
SSO Agent integrations use SAML 2.0 to direct users' web browsers to the Cloud Authentication Service for authentication. SSO Agents also provide Single Sign-On to other applications through the RSA Application Portal.

When integrated, the Fortanix DSM end users must authenticate with RSA SecurID Access to sign in.

2.0 Architecture Diagram

SecureIDRelyingParty_Arch.png

Figure 1: Architecture diagram for Fortanix DSM with Relying Party Integration

SecureID_SSOAgentArch.png

Figure 2: Architecture diagram for Fortanix DSM with SSO Agent Integration

3.0 Configure RSA Cloud Authentication Service - Relying Party

Perform the following steps to configure RSA Cloud Authentication Service as a relying party SAML IdP to Fortanix DSM.

3.1 Procedure

  1. Sign in to the RSA Cloud Administration Console and browse to Authentication Clients > Relying Parties and click Add a Relying Party.  

    Add_Relying_Party.png

    Figure 3: Add Relying Party

  2. From the Relying Party Catalog, click +Add for Service Provider SAML.  

    Service_Provider_SAML.png

    Figure 4: Add service provider SAML

  3. In the Basic Information section, enter a name and click Next Step.  

    Service_Provider_SAML1.png

    Figure 5: Enter basic information

  4. In the Authentication section, do the following:

    1. Under Authentication Details, select SecurID Access manages all authentication.

    2. Select the appropriate primary and additional authentication methods.

    3. Click Next Step.

    AuthenticationDetails.png

    Figure 6: Authentication details

  5. On the next page, under Service Provider Metadata enter the following values:

    1. Assertion Consumer Service (ACS) URL: Enter the URL: https://<fortanix_dsm_url>/saml.

    2. Service Provider Entity ID: Enter the URL: https://<fortanix_dsm_url>/saml/metadata.xml.

    ServiceProvider1.png

    Figure 7: Service provider metadata

  6. Select Default Service Provider Entity ID in Audience for SAML Response section.  

    AudienceForSAML.png

    Figure 8: Audience for SAML response

  7. In the Message Protection section, under SAML Response Protection, select IdP signs entire SAML response.  

    MessageProtection.png

    Figure 9: Message protection

  8. Click Show Advanced Configuration.  

    AdvancedConfig.png

    Figure 10: Advanced configuration

  9. Under the User Identity section, select the following:

    1. Identifier Type: Select Auto Detect.

    2. Property: Select Auto Detect.

    UserIdentity.png

    Figure 11: User identity details

  10. Click Save and Finish.

  11. Click Publish Changes in the top left corner of the page and wait for the operation to complete.  

    PublishChanges.png

    Figure 12: Publish changes

  12. On the My Relying Parties page, do the following:

    1. Select Metadata from the Edit drop-down list to view and download an XML file containing your RSA SecurID Access IdP’s metadata.

    2. Click Download Metadata File in the View or Download Identity Provider Metadata page to download the file. A file named IdpMetadata.xml should be downloaded.

    MyRelyingParties.png

    Figure 13: My relying parties

4.0 Configure RSA Cloud Authentication Service - SSO Agent

Perform the following steps to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to Fortanix DSM.

4.1 Procedure

  1. Sign in to the RSA Cloud Administration Console and browse to Applications > Application Catalog.

  2. Click Create From Template and select SAML Direct.  

    CreateSAMLDirect.png

    Figure 14: Choose SAML direct connector template

  3. On the Basic Information page, specify the application name and click Next Step.  

    BasicInfo.png

    Figure 15: Enter basic information

  4. In the Initiate SAML Workflow section:

    1. Connection URL: In the Connection URL field, enter the URL: https://<fortanix_dsm_url>.

    2. Select the SP-initiated radio button.

    InitiateXAML1.png

    Figure 16: Initiate SAML workflow

  5. In the SAML Identity Provider (Issuer) section:

    1. Identity Provider URL: This will be automatically generated.

    2. Issuer Entity ID: This will be automatically generated.

    3. Click Generate Cert Bundle to generate and download a zip file containing the private key and certificate. Unzip the downloaded file to extract the certificate and private key.

    4. For the Private Key Loaded field, click Choose File and upload the RSA SecurID Access private key.

    5. For the Certificate Loaded field, click Choose File and upload the RSA SecurID Access public certificate.

    SAML_IdP.png

    Figure 17: SAML IdP

  6. Under the Service Provider section:

    1. Assertion Consumer Service (ACS) URL: In the Assertion Consumer Service (ACS) URL field enter the URL: https://<fortanix_dsm_url>/saml.

    2. Audience (Service Provider Entity ID): In the Audience field enter the URL: https://<fortanix_dsm_url>/saml/metadata.xml.

    ServiceProvider1.png

    Figure 18: Service provider details

  7. Under the User Identity section, select Email Address from the Identifier Type drop-down list, select the name of your user Identity Source, and select mail as the property value.

    UserID.png

    Figure 19: User identity

  8. Scroll to the bottom of the page and click Next Step.

  9. On the User Access page, select the access policy the identity router will use to determine which users can access the Fortanix service provider. Click Next Step.

    AccessPolicy.png

    Figure 20: Access policy

  10. On the Portal Display page, configure the portal display and other settings. Click Save and Finish.

  11. Click Publish Changes in the top left corner of the page and wait for the operation to complete.  

    PublishChanges.png

    Figure 21: Publish changes

  12. Navigate to Applications > My Applications, locate Fortanix in the list, and select Export Metadata from its Edit option.

5.0 Configuration on Fortanix Data Security Manager

Perform the following steps to integrate Fortanix Data Security Manager with RSA SecurID Access as a Relying Party SAML Service Provider or as a SAML SSO Agent.

5.1 Procedure

  1. Log in to the Fortanix DSM portal (https://<fortanix_dsm_url>/).

  2. In the Fortanix DSM left panel, click the Settings tab, and then in the AUTHENTICATION tab, select SINGLE SIGN-ON.  

    DSMSSO1.png

    Figure 22: Select Single Sign On

  3. Add the SAML integration and upload the SAML metadata file downloaded in Step 12 of Configure RSA Cloud Authentication Service - Relying Party or Step 12 of Configure RSA Cloud Authentication Service - SSO Agent.

    DSMSSO2.png

    Figure 23: Add SAML Integration

  4. Enter your custom SSO Title and Logo URL.  

    CustomSSO.png

    Figure 24: Customize SSO

  5. Click ADD INTEGRATION to add the SSO SAML integration.

  6. Once the RSA SecurID Access SSO integration has been added successfully, your configuration is displayed. The configuration is complete.

    IntegrationAdded.png

    Figure 25: SAML IdP Integrated

  7. Now, log out from Fortanix DSM and sign in using SSO.