Configure RSA Cloud Authentication Service

1. Enable My Page SSO by accessing the RSA Cloud Admin Console > Access > My Page > Single Sign-On (SSO). Ensure it is enabled and protected using two-factor authentication - Password and Access Policy.
2. On the Applications > Application Catalog page, click on Create From Template.
3. On the Choose Connector Template page, click Select for SAML Direct.
4. On the Basic Information page, enter a name for the configuration in the Name field and click Next Step.
5. In the Connection Profile section, select IdP-initiated option.
6. To provide Service Provider details, select Import Metadata, click the Choose File button, and select the file downloaded from the Service Provider.

7. Assertion Consumer Service (ACS) URL and Service Provider Entity ID values will be auto filled.
8. In the SAML Response Protection section, select IdP signs assertion within response, and download the certificate by clicking Download Certificate.
9. Under the User Identity section, select Show Advanced Configuration, then configure Identifier Type and Property as follows: 
   1. Identifier Type: Auto Detect 
   2. Property: Auto Detect

10. Under the Statement Attributes section, add the following attributes:
    1. First Attribute: 
       1. Attribute Name: https://aws.amazon.com/SAML/Attributes/RoleSessionName
       2. Attribute Source: Identity Source
       3. Property: mail
    2. Second Attribute:
       1. Attribute Name: https://aws.amazon.com/SAML/Attributes/Role
       2. Attribute Source: Constant
       3. Property: AWS role arn value,AWS saml-provider arn value

11. Choose your desired Access Policy for this application and click Next Step > Save and Finish.
12. On the My Applications page, click the Edit dropdown and select Export Metadata to download the metadata.
13. Click Publish Changes to save your settings. After publishing, your application will be enabled for SSO.

Configure AWS IAM Identity Center S3

1. Access the AWS Mangement Console by logging in to your AWS account with admin credentials.
2. Go to Security, Identity, & Compliance under Service > IAM Identity Center.
3. Click Go to Settings on the right.
4. Under Identity Source tab, select Change Identity Source from the Action dropdown menu.
5. Select External identity provider, then click Next.
6. Configure the external identity provider and click Next:

• Service Provider Metadata: Click Download Metadata File to download the SP metadata.
• IdP SAML Metadata: Click Choose file and upload the metadata downloaded from the RSA platform.

7. Review the list of changes. Once you ready to proceed, type ACCEPT and click Change identity source.
8. Go to Settings and copy the Provider ARN for the IdP configuration.
9. To configure S3 access, navigate to AWS IAM.
10. To create roles, navigate to Access Management > Roles.
11. Click Create role.

12. Select the Trusted entity type as SAML 2.0 federation.
13. Provide the following details and click Next.

• SAML 2.0-based Provider: Select the provider you configured in the Identity Providers section.
• Attribute: Select the attribute as SAML:aud from the dropdown menu.
• Value: The assertion URL from the service provider metadata downloaded from the IAM Identity Center.

14. Provide the desired permissions as required and click Next.
15. Provide a name for the role and click Create role.
16. Click on the role you configured.
17. Copy the role ARN value for the IdP configuration.
18. Combine the Role ARN value and Provider ARN value, separated by a comma, to use as the Property value in the RSA platform.