How to use RSA Cloud as a SAML Authenticator

This page walks you through configuring RSA Cloud as a SAML identity provider (IdP) for MFA via ADSelfService Plus.

Objective

This guide helps you set up your existing RSA Cloud deployment as a SAML authenticator. This will enable users to authenticate using RSA Cloud for MFA within ADSelfService Plus' workflows.

Prerequisite

Ensure that you have:

  • Admin credentials for the RSA Cloud portal.
  • Admin credentials for the ADSelfService Plus web console.

Steps to configure RSA Cloud as a SAML authenticator

Step 1: SP configuration

In this step, you will configure ADSelfService Plus to be a service provider (SP) for RSA Cloud.

  1. Initial setup
    1. Log in to the ADSelfService Plus web console with admin credentials.
    2. Navigate to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.
    3. Click SAML Authentication (or click Modify if already configured).
  2. Configuring RSA Cloud in ADSelfService Plus
    1. Click the Select IdP drop-down and choose Custom SAML.

    2. Choose your configuration mode:

      Option A: Upload Metadata File

      1. Select Upload Metadata File.
      2. Click Browse to upload the IdP metadata file downloaded from RSA Cloud.

      Option B: Manual Configuration

      1. Select Manual Configuration.
      2. Enter the Issuer URL/Entity ID URL from RSA Cloud.
      3. Enter the IdP Login URL from RSA Cloud.
      4. Paste the X.509 certificate from RSA Cloud (it must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----).
      5. Copy the ACS URL/Recipient URL and SP Issuer URL values under Service Provider (SP) Details; you will need them later, in the RSA Cloud configuration.
  3. Configuring advanced settings
    1. Click Advanced Settings to configure SAML request and response processing.

      1. Configure the SAML Request:
        1. From the SAML Request drop-down, select whether the request is signed or unsigned.
        2. Choose the Authentication Context Class from the drop-down.
      2. Configure SAML Subject inclusion:
        1. From the SAML Subject drop-down, choose Include if you want users to skip primary authentication during MFA at RSA Cloud.

        2. If included, click the Edit button next to Format and select the appropriate SAML subject pattern, then click Save.

        3. Choose Exclude if users must complete primary authentication at the IdP before MFA.
      3. Configure signature settings:
        1. Select SAML Response signature requirements.
        2. Select Assertion Signature requirements.
        3. Choose the Signature Algorithm that RSA Cloud uses.
      4. Configure Assertion Encryption:
        1. Select whether assertions are encrypted or unencrypted.
        2. If encrypted, choose the Encryption Certificate type:
          • Self-Signed: Click Download Self-Signed Certificate (needed for RSA Cloud configuration).
          • CA-Signed: Upload the CA Public Key and CA Private Key.
    2. Click Save.
  4. Download SP metadata
    1. After saving, click Download SP Metadata to download the metadata file (you'll need this for RSA Cloud configuration).

Step 2: IdP configuration

In this step, you will configure ADSelfService Plus as a custom SAML Application in RSA Cloud.

  1. Create Relying Party
    1. Log in to the RSA Cloud portal with admin credentials.
    2. Navigate to Authentication Clients > My Relying Parties.
    3. Click Add a Relying Party.

    4. Under Relying Party Catalog, click Add next to Service Provider SAML.
  2. Configure basic information
    1. Under Add Service Provider, enter:
      • Name: Provide an easily recognizable name (e.g., ADSelfService Plus).
      • Description: Optionally add details about the connection.
    2. Click Next Step.

  3. Configure authentication method
    1. Choose your authentication method based on SAML Subject configuration:

      If you chose Include for the SAML Subject in the Configuring advanced settings step of the SP configuration:

      1. Select Service provider manages primary authentication, and RSA manages additional authentication.
      2. Click the 1.0 Access Policy for Additional Authentication drop-down.
      3. Select the policy defining how RSA handles secondary authentication.
      Note: Choosing to include the SAML Subject in the SAML request enables RSA Cloud to bypass first-factor authentication. This will allow users to skip primary authentication during MFA.

      If you chose Exclude for the SAML Subject in the Configuring advanced settings step of the SP configuration:

      1. Select RSA manages all authentication.
      2. Click the 2.0 Access Policy for Authentication drop-down.
      3. Select the policy defining how RSA handles both primary and secondary authentication.
    2. Click Next Step.
  4. Configure connection profile
    1. Under Data Input Method, choose your preferred method:

    Option A: Import metadata

    1. Click Import Metadata.
    2. Click Choose File and import the SP Metadata file downloaded in the Download SP metadata step of the SP configuration.
    3. Service Provider Entity ID: Enter the ACS URL/Recipient URL value copied from Service Provider (SP) Details in the SP configuration.
    4. Audience for SAML Response:
      • Choose Default: Service Provider Entity ID.
    5. Message Protection: Under SAML Response Protection, choose IdP signs assertion within response.

    Option B: Enter manually

    1. Click Enter Manually.
    2. Assertion Consumer Service (ACS) URL: Paste the ACS URL/Recipient URL value copied from Service Provider (SP) Details in the SP configuration and click the + icon.
    3. Service Provider Entity ID: Paste the SP Issuer URL value copied from Service Provider (SP) Details in the SP configuration.
    4. Audience for SAML Response: Choose Default: Service Provider Entity ID.
    5. Message Protection: Under SAML Response Protection, choose IdP signs assertion within response.
  5. Finalize configuration
    1. Click Save and Finish.
    2. Click Publish Changes.
  6. Download IdP metadata
    1. View your configuration under My Relying Parties.
    2. Click the drop-down button next to Edit and select Metadata.
    3. In the pop-up, click Download Metadata File (use this file in ADSelfService Plus if you chose the Upload Metadata File option in the SP configuration).
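The connection profile above pins down what a valid response from RSA Cloud must look like: the response is delivered to the ACS URL/Recipient URL, its Audience is the Service Provider Entity ID, and the assertion inside the response is signed by the IdP. When the validation step later fails, it helps to run those structural checks yourself over a captured response (the base64-decoded SAMLResponse form field). The script below is an added example, not ManageEngine's or RSA's code; it performs the checks that follow from this configuration and reports the mismatches. It deliberately does not verify the XML signature cryptographically (the SP does that with the IdP certificate) and it cannot look inside an EncryptedAssertion, which it reports instead. The sample response, the URLs and the SP settings are constructed placeholders.

```python
"""Structural checks on a SAML Response against the configured SP settings.

Added example; not ManageEngine's or RSA's code. Checks Destination and
Recipient against the ACS URL, Audience against the SP Entity ID, Issuer
against the IdP Entity ID, the presence of a Signature inside the Assertion
("IdP signs assertion within response") and the validity window. All sample
values are constructed placeholders.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed placeholders for the values shown under Service Provider (SP) Details.
SP_SETTINGS = {
    "acs_url": "https://adssp.example.invalid/samlLogin/abc123",
    "sp_entity_id": "https://adssp.example.invalid/samlLogin/abc123/issuer",
    "idp_entity_id": "https://idp.example.invalid/saml",
}

# Constructed sample response; the SignatureValue is a placeholder, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2025-01-01T12:00:00Z" InResponseTo="_req1"
    Destination="https://adssp.example.invalid/samlLogin/abc123">
  <saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>alice@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2025-01-01T12:05:00Z" InResponseTo="_req1"
            Recipient="https://adssp.example.invalid/samlLogin/abc123"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-01-01T11:59:00Z" NotOnOrAfter="2025-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://adssp.example.invalid/samlLogin/abc123/issuer</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2025-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text: str, sp: dict, now: str) -> list:
    """Return a list of findings; an empty list means every check passed.

    now is the current UTC time in SAML timestamp form so runs are reproducible.
    """
    t = _ts(now)
    findings = []
    root = ET.fromstring(xml_text)

    if root.get("Destination") != sp["acs_url"]:
        findings.append("Destination does not equal the ACS URL/Recipient URL")
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != sp["idp_entity_id"]:
        findings.append("Response Issuer is not the IdP Entity ID")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")

    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("Assertion is encrypted; decrypt it with the SP encryption key before these checks")
        return findings
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        findings.append("expected exactly one Assertion, found %d" % len(assertions))
        return findings
    a = assertions[0]

    # "IdP signs assertion within response": the Signature must be a child of the Assertion.
    if a.find("ds:Signature", NS) is None:
        findings.append("Assertion carries no Signature element")
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != sp["idp_entity_id"]:
        findings.append("Assertion Issuer is not the IdP Entity ID")

    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["acs_url"]:
        findings.append("SubjectConfirmationData Recipient does not equal the ACS URL")
    elif scd.get("NotOnOrAfter") and t >= _ts(scd.get("NotOnOrAfter")):
        findings.append("SubjectConfirmationData NotOnOrAfter has passed")

    audiences = [(e.text or "").strip()
                 for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp["sp_entity_id"] not in audiences:
        findings.append("Audience does not include the SP Entity ID (SP Issuer URL)")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and t < _ts(cond.get("NotBefore")):
            findings.append("Assertion is not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and t >= _ts(cond.get("NotOnOrAfter")):
            findings.append("Assertion has expired (Conditions NotOnOrAfter)")
    return findings


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, SP_SETTINGS, "2025-01-01T12:01:00Z") or "all checks passed")
```

A clock-skew finding (NotBefore in the future or NotOnOrAfter already passed while the response is only seconds old) points at time synchronization between RSA Cloud and the ADSelfService Plus server rather than at the SAML configuration; an Audience or Recipient mismatch means the values pasted into the RSA Cloud connection profile differ from those under Service Provider (SP) Details.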

Your RSA Cloud SAML authenticator is now configured. Users will be able to use RSA Cloud for multi-factor authentication when accessing ADSelfService Plus password self-service features or SSO logins.

Validation and confirmation

Test the authentication flow: From the ADSelfService Plus user portal, attempt to perform an action that requires MFA. You should be redirected to RSA Cloud for authentication. Complete the authentication process in RSA Cloud, and verify that you're successfully redirected back to ADSelfService Plus.

Tips

  1. SAML signing and self-signed encryption certificates expire after one year by default. Use the Regenerate button to renew them when needed.
  2. Find the complete list of SAML authentication error codes and their descriptions here.
  3. For encrypted assertions, CA-signed certificates are recommended over self-signed certificates.

You can find out more about configuring SAML authentication with your existing SAML-based IdPs here.
