Using Fortanix Data Security Manager with RSA SecurID Access

Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with RSA SecurID Access using SAML Relying Party and SSO Agent configuration. It also contains the information that a user requires to:

  • Configure RSA Cloud Authentication Service
  • Configure Fortanix Data Security Manager

Relying party integrations use SAML 2.0 to integrate RSA SecurID Access as a SAML Identity Provider (IdP) to Fortanix DSM SAML Service Provider (SP).
SSO Agent integrations use SAML 2.0 technology to direct users’ web browsers to Cloud Authentication Service for authentication. SSO Agents also provide Single Sign-On to other applications using the RSA Application Portal.

When integrated, the Fortanix DSM end users must authenticate with RSA SecurID Access to sign in.

Architecture Diagram

Figure 1: Architecture diagram for Fortanix DSM with Relying Party Integration

Figure 2: Architecture diagram for Fortanix DSM with SSO Agent Integration

Configure RSA Cloud Authentication Service - Relying Party

Perform the following steps to configure RSA Cloud Authentication Service as a relying party SAML IdP to Fortanix DSM.

Procedure

  1. Sign in to the RSA Cloud Administration Console, browse to Authentication Clients > Relying Parties and click Add a Relying Party.
    Figure 3: Add Relying Party
  2. From the Relying Party Catalog, click +Add for Service Provider SAML.
    Figure 4: Add service provider SAML
  3. In the Basic Information section, enter a name and click Next Step.
    Figure 5: Enter basic information
  4. In the Authentication section, do the following:
    1. Under Authentication Details, select SecurID Access manages all authentication.
    2. Select the appropriate primary and additional authentication methods.
    3. Click Next Step.
    Figure 6: Authentication details
  5. On the next page, under Service Provider Metadata enter the following values:
    1. Assertion Consumer Service (ACS) URL: Enter the URL: https://<fortanix_dsm_url>/saml.
    2. Service Provider Entity ID - Enter the URL: https://<fortanix_dsm_url>/saml/metadata.xml.
    Figure 7: Service provider metadata
  6. In the Audience for SAML Response section, select Default Service Provider Entity ID.
    Figure 8: Audience for SAML response
  7. In the Message Protection section, under SAML Response Protection, select IdP signs entire SAML response. Signing the whole Response rather than only the Assertion also places the Response's Destination and Status elements under the signature.
    Figure 9: Message protection
  8. Click Show Advanced Configuration.
    Figure 10: Advanced configuration
  9. Under the User Identity section, select the following:
    1. Identifier Type: Select Auto Detect.
    2. Property: Select Auto Detect.
    Figure 11: User identity details
  10. Click Save and Finish.
  11. Click Publish Changes in the top left corner of the page and wait for the operation to complete.
    Figure 12: Publish changes
  12. On the My Relying Parties page, do the following:
    1. Select Metadata from the Edit drop-down list to view and download an XML file containing your RSA SecurID Access IdP’s metadata.
    2. Click Download Metadata File in the View or Download Identity Provider Metadata page to download the file. A file named IdpMetadata.xml should be downloaded.
    Figure 13: My relying parties

Configure RSA Cloud Authentication Service - SSO Agent

Perform the following steps to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to Fortanix DSM.

Procedure

  1. Sign in to the RSA Cloud Administration Console and browse to Applications > Application Catalog.
  2. Click Create From Template and select SAML Direct.
    Figure 14: Choose SAML direct connector template
  3. On the Basic Information page, specify the application name and click Next Step.
    Figure 15: Enter basic information
  4. In the Initiate SAML Workflow section:
    1. Connection URL: In the Connection URL field, enter the URL: https://<fortanix_dsm_url>.
    2. Select the SP-initiated radio button.
    Figure 16: Initiate SAML workflow
  5. In the SAML Identity Provider (Issuer) section:
    1. Identity Provider URL: This will be automatically generated.
    2. Issuer Entity ID: This will be automatically generated.
    3. Click Generate Cert Bundle to generate and download a zip file containing the private key and certificate. Unzip the downloaded file to extract the certificate and private key. Anyone holding this private key can forge assertions that Fortanix DSM will accept, so store the bundle securely and delete local copies once the key and certificate have been uploaded.
    4. For the Private Key Loaded field, click Choose File and upload the RSA SecurID Access private key.
    5. For the Certificate Loaded field, click Choose File and upload the RSA SecurID Access public certificate.
    Figure 17: SAML IdP
  6. Under the Service Provider section:
    1. Assertion Consumer Service (ACS) URL: In the Assertion Consumer Service (ACS) URL field enter the URL: https://<fortanix_dsm_url>/saml.
    2. Audience (Service Provider Entity ID): In the Audience field enter the URL: https://<fortanix_dsm_url>/saml/metadata.xml.
    Figure 18: Service provider details
  7. In the User Identity section, select Email Address from the Identifier Type drop-down list, select the name of your user Identity Source, and select mail as the property value.
    Figure 19: User identity
  8. Scroll to the bottom of the page and click Next Step.
  9. On the User Access page, select the access policy the identity router will use to determine which users can access the Fortanix service provider. Click Next Step.
    Figure 20: Access policy
  10. On the Portal Display page, configure the portal display and other settings. Click Save and Finish.
  11. Click Publish Changes in the top left corner of the page and wait for the operation to complete.
    Figure 21: Publish changes
  12. Navigate to Applications > My Applications, locate Fortanix in the list and, from the Edit option, select Export Metadata to download the IdP metadata XML file.
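Before the metadata file from Step 12 (IdpMetadata.xml from the Relying Party procedure, or the file exported from My Applications in the SSO Agent procedure) is uploaded to Fortanix DSM, it is worth confirming what it actually contains. The following Python script is an added example written for this article and is not Fortanix or RSA code. It parses IdP metadata with the standard library only, lists the entityID, the SingleSignOnService endpoints and the SHA-256 fingerprint of each signing certificate, and warns about conditions that would make the upload useless. The embedded SAMPLE_METADATA is constructed for the example; its entityID, SSO URLs and certificate bytes are placeholders, and the function and constant names are this example's own.

```python
"""Inspect the downloaded IdP metadata before uploading it to Fortanix DSM.

Added example for this article, not Fortanix or RSA code. SAMPLE_METADATA
is constructed here: the entityID, SSO URLs and the "certificate" bytes are
placeholders, not values from a real RSA SecurID Access tenant.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
USABLE_BINDINGS = {"HTTP-POST", "HTTP-Redirect"}

# Placeholder certificate: a minimal DER SEQUENCE so the decoder has something to hash.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.rsa.com/IdPMetadata/abc123">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.rsa.com/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.rsa.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(cert_b64):
    """SHA-256 fingerprint of the DER certificate inside an X509Certificate element."""
    der = base64.b64decode("".join(cert_b64.split()))
    if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
        raise ValueError("X509Certificate does not decode to DER")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def inspect_idp_metadata(xml_text):
    """Extract what DSM will rely on and flag anything worth checking before upload."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"root is {root.tag}, not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not the IdP's")
    info = {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
        "sso": {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
                for s in idp.findall("md:SingleSignOnService", NS)},
        "name_id_formats": [e.text for e in idp.findall("md:NameIDFormat", NS)],
        "signing_cert_fingerprints": [],
        "warnings": [],
    }
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            info["signing_cert_fingerprints"].append(cert_fingerprint(cert.text))
    if not info["signing_cert_fingerprints"]:
        info["warnings"].append("no signing certificate: DSM cannot verify assertions")
    elif len(info["signing_cert_fingerprints"]) > 1:
        info["warnings"].append("several signing certificates: compare fingerprints with the RSA console")
    if not USABLE_BINDINGS & set(info["sso"]):
        info["warnings"].append("no HTTP-POST or HTTP-Redirect SingleSignOnService")
    for binding, location in info["sso"].items():
        if not (location or "").startswith("https://"):
            info["warnings"].append(f"{binding} SSO URL is not https: {location}")
    return info


if __name__ == "__main__":
    import json, sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA  # e.g. IdpMetadata.xml
    print(json.dumps(inspect_idp_metadata(text), indent=2))
```

Run it against the real file (for example `python3 inspect_idp_metadata.py IdpMetadata.xml`) and compare the printed fingerprint with the signing certificate shown in the RSA Cloud Administration Console. If the script reports that there is no IDPSSODescriptor, the file exported is SP metadata rather than the IdP's and is not the one Fortanix DSM needs.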

Configuration on Fortanix Data Security Manager

Perform the following steps to integrate Fortanix Data Security Manager with RSA SecurID Access as a Relying Party SAML Service Provider or as a SAML SSO Agent.

Procedure

  1. Log in to the Fortanix DSM portal (https://<fortanix_dsm_url>/).
  2. In the Fortanix DSM left panel, click the Settings tab, and then in the AUTHENTICATION tab, select SINGLE SIGN-ON.
    Figure 22: Select Single Sign On
  3. Add the SAML integration, and upload the IdP metadata XML file downloaded in Step 12 of Configure RSA Cloud Authentication Service – Relying Party or Configure RSA Cloud Authentication Service – SSO Agent.
    Figure 23: Add SAML Integration
  4. Enter your custom SSO Title and Logo URL.
    Figure 24: Customize SSO
  5. Click ADD INTEGRATION to add the SSO SAML integration.
  6. Once the RSA SecurID Access SSO integration has been added successfully, you will be able to see your configuration. The configuration is complete.
    Figure 25: SAML IdP Integrated
  7. Now, log out from Fortanix DSM and sign in using SSO.
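If the SSO sign-in in Step 7 fails, the cause is almost always a mismatch between what the IdP puts in its SAML Response and the Service Provider values entered in the RSA console (Assertion Consumer Service URL, Service Provider Entity ID / Audience, and the IdP signs entire SAML response setting). The following Python script is an added example written for this article, not Fortanix or RSA code. It checks a SAML Response against those values so the offending field can be spotted without guessing. The Response it contains is constructed for the example: dsm.example.com stands in for <fortanix_dsm_url>, the IdP entity ID, the fixed clock NOW, the user alice@example.com and the Signature element are all placeholders, and the XML signature itself is not verified here (Fortanix DSM does that with the certificate from the uploaded IdP metadata).

```python
"""Check a SAML Response against the SP values entered in the RSA console.
Added example for this article, not Fortanix or RSA code. The Response is
constructed below; dsm.example.com stands in for <fortanix_dsm_url> and the
IdP entity ID is an assumed value. The XML signature is NOT verified here
(DSM does that with the IdP metadata certificate); only the fields a
misconfiguration shows up in are checked."""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values entered in the RSA console (Relying Party step 5 / SSO Agent step 6); host assumed.
SP_ACS_URL = "https://dsm.example.com/saml"
SP_ENTITY_ID = "https://dsm.example.com/saml/metadata.xml"
IDP_ENTITY_ID = "https://idp.example.rsa.com/IdPMetadata/abc123"  # assumed
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample


def parse_ts(s):  # SAML timestamps are UTC with a trailing Z; fractional seconds dropped
    return datetime.strptime(s.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def decode_saml_response(form_value):  # HTTP-POST binding: base64 in the SAMLResponse field
    return base64.b64decode(form_value).decode("utf-8")


def sample_response(audience=SP_ENTITY_ID, destination=SP_ACS_URL, signed=True,
                    name_id="alice@example.com", not_before="2024-01-15T11:58:00Z",
                    not_on_or_after="2024-01-15T12:05:00Z"):
    """Constructed Response; the Signature element is a placeholder, not a real signature."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>' if signed else '')
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
    Version="2.0" IssueInstant="2024-01-15T12:00:00Z" Destination="{destination}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>{sig}
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, now=NOW, skew=timedelta(seconds=60)):
    """Return the list of mismatches; an empty list means the Response fits the SP configuration."""
    problems, root = [], ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [f"root element is {root.tag}, not samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success: the IdP refused the login")
    if root.get("Destination") != SP_ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    if root.find("ds:Signature", NS) is None:  # "IdP signs entire SAML response": child of Response
        problems.append("Response element is not signed")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("Response Issuer is not the configured IdP entity ID")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + [f"expected exactly one Assertion, found {len(assertions)}"]
    a = assertions[0]
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions element")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_ts(nb):
            problems.append("Assertion not yet valid: NotBefore is in the future (check clock skew)")
        if na and now - skew >= parse_ts(na):
            problems.append("Assertion expired: NotOnOrAfter is in the past")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            problems.append(f"Audience {audiences} does not contain the SP entity ID")
    if "@" not in a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS):
        problems.append("NameID is missing or not an e-mail address (DSM matches users by e-mail)")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, SP_ACS_URL):
        problems.append(f"SubjectConfirmationData Recipient {scd.get('Recipient')!r} is not the ACS URL")
    return problems


if __name__ == "__main__":
    posted = base64.b64encode(sample_response().encode()).decode()  # what the browser would POST
    print(check_response(decode_saml_response(posted)) or "OK: Response matches the SP configuration")
    print(check_response(sample_response(audience="https://other.example.com/saml/metadata.xml", signed=False)))
```

To use it on a real login, capture the SAMLResponse form field from the browser's developer tools, pass it through decode_saml_response, and replace the SP_ACS_URL, SP_ENTITY_ID and IDP_ENTITY_ID constants with the values from your own configuration and IdP metadata. An audience or destination mismatch reported here corresponds directly to a wrong entry in the Service Provider section of the RSA console.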
