Absolute Secure Access - SAML My Page SSO Configuration - RSA Ready Implementation Guide

2 years ago

This section describes how to integrate Absolute Secure Access with RSA Cloud Authentication Service using My Page SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using My Page SSO.
Procedure

Sign in to the RSA Cloud Administration Console with administrator credentials.
Enable SSO on the My Page portal by accessing the RSA Cloud Administration Console > Access > My Page > Single Sign-On (SSO). Ensure it is enabled and protected by two-factor authentication using a Password and Access Policy.
Click Applications > My Applications.
Click Add an Application.
Click Create From Template.
Click Select corresponding to SAML Direct.
Configure the following options on the Basic Information page:
1. Click the Cloud option under Choose where to enable your application.
2. In the Name field, provide a name for the application; for example, Absolute Secure Access.
3. In the Description field, provide a detailed description of the SAML application.
4. Click Next Step.
Configure the following options on the Connection Profile page:
1. In the Initiate SAML Workflow section, click the SP-initiated option.
2. Specify the FQDN or IP address of the Secure Access Server as the Connection URL. It is not used for the authentication for Absolute Secure Access.
3. Select the Import Metadata option in the Data Input Method section.
4. Click Choose File in the Data Input Method section.
5. Locate and select the SP metadata from Secure Access. A summary of the imported SP metadata will be displayed.
6. Verify the metadata information, and then click Save.
7. Verify the details in the Service Provider and Identity Provider sections.
  1. Service Provider: The Assertion Consumer Service (ACS) URL should match the ACS Location setting from the SAML - SP Configuration option in the Secure Access Console with /saml/login appended to the end of the URL.
  2. Service Provider Entity ID: This setting should match the Entity ID setting from the SAML - SP Configuration option in the Secure Access Console.
  3. Identity Provider URL: Ensure a unique Identity Provider URL was generated by RSA.
8. Select the SP signs SAML requests check box in the Message Protection > SAML Request Protection section, and then select the SP signing certificate PEM file created in the next section.
9. Click Next Step.
Configure the following options in the User Access section:
1. Click the Select a Policy option.
2. Select the access policy appropriate for Secure Access.
3. Click Next Step.
Configure the following options in the Portal Display section:
1. Retain the Display in Portal check box cleared.
2. Set an Application Icon and Application Tooltip if required.
3. Click Save and Finish.
Click Publish Changes.
Click Applications > My Applications.
Locate the SAML Application for Secure Access that was created in the previous step.
Click the arrow icon beside Edit for the application, and then click Export Metadata.

Configure Absolute Secure Access

Perform these steps to configure Absolute Secure Access.
Procedure

Click Configure > Authentication Settings on the menu at the top of the page.
Click New on the Authentication Settings page.
Enter a descriptive name for the new Authentication Profile in the Profile name field, and then click OK.
Select Authentication > User Authentication Protocol, change the Protocol option to SAML, and then click Apply.
Select the SAML - SP Configuration option and provide the following details:
1. Entity ID: The URL for the Secure Access Server or an identifier at the end of the URL if multiple SAML configurations are used. For example, https://secureaccess.absolute.com/ or https://secureaccess.absolute.com/rsa
2. ACS Location: The URL for the Secure Access Server. For example, https://secureaccess.absolute.com/
3. Click Apply.
4. Click Generate New Certificate in the Signing certificate section.
5. Click Download Metadata in the Metadata section.
Create SP signing certificate from the SP metadata using the following steps.
1. Open the downloaded SP metadata in a text editor.
2. Open a new blank text editor document.
3. Copy the entire SP signing certificate from the SP metadata. This is the value placed between the <ds:X509Certificate> and </ds:X509Certificate> section.
4. Paste the value of the SP signing certificate in the blank text editor document.
5. On a new line at the top of the text document containing only the SP signing certificate, add the following:
  -----BEGIN CERTIFICATE-----
6. On a new line at the end of the text document containing the SP signing certificate, add the following:
  -----END CERTIFICATE-----
7. Save the SP signing certificate as SPsigning.pem.
Change the valid until value in SP metadata using the following steps.
1. Open the downloaded SP metadata in a text editor.
2. Locate the validUntil value.
3. Modify the year to 5 years in the future. This will match the expiration of the SP signing certificate.
4. Save the SP metadata.
Click Configure > Authentication Settings on the menu at the top of the screen.
Locate and select the Authentication Profile created in the previous steps.
Select the SAML - IdP Configuration option and set the following options:
1. Select the Setting Override check box.
2. Click Choose File in the Identity provider metadata section.
3. Locate and select the IdP metadata from the RSA console.
4. Click Import.
5. Change the Sign sign-on binding to HTTP POST.
Click Apply.