This article describes how to configure Cloud Access service (CAS) as a SCIM Client for Articulate Reach 360.

Configure CAS

Perform these steps to configure CAS as a SCIM client.

Procedure

1. Sign in to RSA Cloud Administration Console, and navigate to Applications > Application Catalog.
2. Click Create From Template and select SAML Direct.

3. Choose Cloud on the Basic Information page.

4. Enter the Name for the application and click Next Step.

5. On the Connection Profile page, navigate to Initiate SAML Workflow section and choose IdP-initiated.

6. Scroll down to the Service Provider section, and enter the following information:
   1. ACS URL: Provided from Articulate Reach 360 during the configuration.
   2. Service Provider Entity ID: Provided from Articulate Reach 360 during the configuration.

7. Scroll down to the Identity Provider section. Make a note of the Identity Provider URL, as it will be needed for the Articulate Reach 360 configuration.

8. Under the Show IdP Advanced Configuration section, proceed with the Default option for Identity Provider Entity ID and Audience for SAML Response.

9. Under the Message Protection section, In the SAML Response Protection section, select IdP signs assertion within response.
10. Download the certificate by clicking on Download Certificate.

11. Scroll down to the User Identity section and select the following information:
    1. Identifier Type > Auto Detect
    2. Property > Auto Detect

12. Under Statement Attributes. Configure the following attributes as these are required by Articulate Reach 360.
    2. email > Identity Source > mail
    3. firstName > Identity Source > giveName
    4. lastName > Identity Source  > sn

11. Click Next Step.
12. In the Access Policy section, choose the policy for the application from the dropdown menu.

13. In the Fulfillment section, enable the fulfillment service.
14. Choose the Approver Type: None, Manager, Application Owner, Manager & Application Owner.

15. Choose SCIM Endpoint from the Fulfillment Configuration Type dropdown and enter the following details:
    1. Base URI: Obtained during the configuration of Articulate Reach 360.
    2. API Key: The SCIM Auth Token obtained during the configuration of Articulate Reach 360.

Refer to the Articulate Reach 360 configuration section on how to get these values.

16. Choose Next Step and Save and Finish.
17. Click Publish Changes and wait for the operation to be completed.

After publishing, your application is now enabled for SSO. 

Configure Articulate Reach 360 as a SCIM Server

Perform these steps to configure Articulate Reach 360 with RSA ID Plus in My Page SSO.

Procedure

1. Log in to your provided tenant with an admin account. https://<Your_org_tenant>.reach360.com
2. From the Manage menu, navigate to Settings.
3. Scroll down to Single sign-on (SSO) authentication and click Configure SSO.

4. On the Configure Single Sign-On (SSO) Authentication page, enter the following details:
   1. IDP SSO URL: Entity ID obtained in step 6 in the RSA configuration section.
   2. IDP Issue URI: Entity ID obtained in step 6 in the RSA configuration section.
   3. IDP Signature Certificate: Copy and paste the downloaded certificate in step 8 in the RSA configuration section.
   4. Response Signature Verification: Choose Assertion from the dropdown menu to match the signing of RSA of the assertion.
   5. Automate User Provisioning: Toggle the field to ON to enable user provisioning via SCIM.

5. Scroll down and click on Save & Continue to SAML Info.
6. On the Your Reach 360 SAML Information page, copy the Assertion Consumer Service URL and Audience URI, the 2 values will be used in their respective fields in step 5 in the RSA configuration section.

7. Scroll down to the SCIM section and copy the values of SCIM URL and SCIM Auth Token, the 2 values will be used in their respective fields in the RSA configuration section.

8. Scroll down and click Done.

SSO is now configured on Articulate Reach 360 side.

Configuration is complete