Fortra GoAnywhere - SAML-My-Page-SSO-Configuration-RSA-Ready-Implementation-Guide
10 months ago

This section describes how to integrate GoAnywhere with RSA Cloud Authentication Service using My Page SSO.

Configure RSA Cloud Authentication Service

Perform the following steps to configure the GoAnywhere connector in RSA Cloud Authentication Service for My Page SSO.

Procedure

  1. Sign in to the RSA Cloud Administration Console, browse to Applications > Application Catalog, search for GoAnywhere and click Add to add the connector.
  2. In the Basic Information section, choose Cloud.
  3. Enter a name for the application in the Name field and click Next Step.
  4. On the Connection Profile page, go to the Initiate SAML Workflow section and choose SP-initiated.
  5. In the Connection URL field, enter https://<GoAnywhere>/webclient/Dashboard.xhtml, replacing <GoAnywhere> with the IP address or fully qualified domain name (FQDN) of your GoAnywhere MFT server.
  6. In the Identity Provider section, take note of the Identity Provider URL; you will enter it later as the Post URL in the GoAnywhere configuration.
  7. In the Message Protection section, check SP signs SAML requests and upload the GoAnywhere certificate. In this guide that is the SSL certificate of the GoAnywhere HTTPS service; RSA uses it to verify the signature on the SAML requests GoAnywhere sends, so its private key must also be selected later on the GoAnywhere Service Provider tab. Generate the certificate in GoAnywhere before you start.
  8. In the SAML Response Protection section, select IdP signs entire SAML response, then click Download Certificate. Keep the downloaded certificate: it is the IdP signing certificate that GoAnywhere must trust to verify SAML responses, and you will need it when configuring GoAnywhere.
  9. In the Service Provider section, enter the following details.
    1. Assertion Consumer Service (ACS) URL: https://<GoAnywhere>/webclient/saml/consume, replacing <GoAnywhere> with the IP address or FQDN of your GoAnywhere MFT server.
    2. Service Provider Entity ID: a unique string of your choice. It MUST match the Entity ID you enter on the Service Provider tab in GoAnywhere.
  10. In the User Identity section, select the following.
    1. Identifier Type: emailAddress
    2. Property: mail
  11. In the Statement Attributes section, select Identity Source from the Attribute Source list, enter email in the Attribute Name text box and select mail from the Property list.
  12. Click Next Step.
  13. On the User Access page, choose the access policy that determines which users can access the application, then click Next Step.
  14. On the Portal Display page, configure the portal display and other settings, then click Next Step.
  15. On the Fulfillment page, configure your preferred settings or leave the Fulfillment toggle disabled, then click Save and Finish.
  16. On the My Applications page, locate the application you created and click the dropdown arrow next to Edit > Export Metadata. Save the metadata.xml file; it can be imported into GoAnywhere to fill in the Identity Provider fields.
  17. Click Publish Changes and wait for the operation to complete.
  18. After publishing, the application is enabled for SSO.

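Before moving on to GoAnywhere, it is worth confirming that the two artifacts taken from RSA (the exported metadata.xml and the certificate saved with Download Certificate) agree with each other and carry the three values the GoAnywhere Identity Provider tab asks for: Entity ID, an HTTP-POST single sign-on URL (the Post URL) and the signing certificate. The Python script below does that check. It is an added example, not part of the Fortra guide or of either product; the metadata document, entity ID, URLs and certificate bytes in it are constructed placeholders (a real export carries the IdP's actual certificate), and the function names are the example's own.

```python
"""Check an RSA Cloud Authentication Service metadata export against what the
GoAnywhere Identity Provider tab needs: Entity ID, HTTP-POST SSO URL (Post URL)
and the IdP signing certificate (the one saved with Download Certificate).

Everything below the imports is constructed for this example; the entity ID,
URLs and certificate bytes are placeholders, not real RSA or GoAnywhere values."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder DER bytes standing in for the IdP certificate, so the sample
# metadata and the "downloaded" PEM below share one fingerprint.
PLACEHOLDER_DER = b"constructed placeholder, not a real DER certificate"
_B64 = base64.b64encode(PLACEHOLDER_DER).decode()

# Constructed stand-in for the metadata.xml exported via Edit > Export Metadata.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/goanywhere">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/goanywhere/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/goanywhere/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed stand-in for the file saved with Download Certificate.
SAMPLE_DOWNLOADED_PEM = f"-----BEGIN CERTIFICATE-----\n{_B64}\n-----END CERTIFICATE-----\n"
# A certificate for some other key, to exercise the mismatch path.
OTHER_PEM = ("-----BEGIN CERTIFICATE-----\n"
             + base64.b64encode(b"a different placeholder").decode()
             + "\n-----END CERTIFICATE-----\n")


def der_fingerprint(b64_text: str) -> str:
    """SHA-256 hex fingerprint of a base64 DER certificate; whitespace is ignored."""
    return hashlib.sha256(base64.b64decode(re.sub(r"\s+", "", b64_text))).hexdigest()


def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of a PEM certificate file (the armor lines are stripped first)."""
    return der_fingerprint(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text))


def idp_settings_from_metadata(xml_text: str) -> dict:
    """Pull the values the GoAnywhere Identity Provider tab asks for out of IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    post_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == HTTP_POST:          # Binding = HTTP Post in GoAnywhere
            post_url = sso.get("Location")
    fingerprints = [
        der_fingerprint(cert.text or "")
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"     # no 'use' attribute means signing and encryption
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "post_url": post_url,
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "signing_cert_fingerprints": fingerprints,
    }


def check_import(xml_text: str, downloaded_pem: str) -> list:
    """Return the problems found; an empty list means the values are ready to enter."""
    s = idp_settings_from_metadata(xml_text)
    problems = []
    if not s["entity_id"]:
        problems.append("metadata has no entityID (Identity Provider > Entity ID)")
    if not s["post_url"]:
        problems.append("no HTTP-POST SingleSignOnService (Identity Provider > Post URL)")
    elif not s["post_url"].startswith("https://"):
        problems.append("Post URL is not https; the AuthnRequest would be posted in the clear")
    if pem_fingerprint(downloaded_pem) not in s["signing_cert_fingerprints"]:
        problems.append("downloaded certificate does not match a signing KeyDescriptor in the metadata")
    return problems


if __name__ == "__main__":
    print(idp_settings_from_metadata(SAMPLE_METADATA))
    print("good export:", check_import(SAMPLE_METADATA, SAMPLE_DOWNLOADED_PEM))
    print("wrong cert: ", check_import(SAMPLE_METADATA, OTHER_PEM))
```

Run check_import() on the real metadata.xml and the downloaded certificate; an empty list means the Entity ID, Post URL and trusted certificate are consistent and can be entered (or imported) in GoAnywhere. A certificate mismatch means the two files do not describe the same IdP signing key; re-export both from the same published application before continuing. The wants_signed_requests flag shows whether the metadata reflects the SP signs SAML requests setting.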

Configure GoAnywhere

Perform the following steps to configure GoAnywhere.

Procedure

  1. Open a web browser and connect to the GoAnywhere Web UI at https://<GoAnywhere>/webclient/Login.xhtml, where <GoAnywhere> is the IP address or fully qualified domain name (FQDN) of the GoAnywhere MFT server.
  2. Log in with your admin username and password.
  3. From the sidebar navigation menu, select Users > Login Methods.
  4. Click + Add Login Method.
  5. Choose SAML Single Sign On, then click Continue.
  6. On the General tab under Preferences, enter a Name of your choice for the SAML server.
  7. On the Identity Provider tab, either click Import Metadata and upload the metadata.xml file exported from RSA Cloud Authentication Service to fill in the fields automatically, or enter the details manually as follows.
    1. Entity ID: the Identity Provider Entity ID from the RSA Cloud Authentication Service configuration.
    2. Trusted Certificate Location: System Key Vault. The certificate to trust is the one saved with Download Certificate in the RSA SAML Response Protection section; GoAnywhere uses it to verify the signature on SAML responses.
    3. Binding: HTTP Post.
    4. Post URL: the Identity Provider URL from the RSA Cloud Authentication Service configuration.
  8. Select the Service Provider tab and enter the following.
    1. Entity ID: a unique string of your choice. It MUST match the Service Provider Entity ID you entered in RSA Cloud Authentication Service.
    2. Name Qualifier: any value.
    3. Private Key Location: System Key Vault.
    4. Private Key Name: the GoAnywhere certificate that was uploaded to RSA Cloud Authentication Service for signing SAML requests.

Note: This is the SSL certificate used for the HTTPS service in GoAnywhere. Generate it in advance so that the same certificate can be used both here and in the RSA Cloud Authentication Service configuration. RSA verifies the signature on GoAnywhere's SAML requests with the public certificate you uploaded, so the private key selected here must be the one belonging to that certificate.

    5. Require Signed Assertion: select the checkbox.
    6. SSO Site URL: https://<GoAnywhere>, where <GoAnywhere> is the IP address or FQDN of the GoAnywhere MFT server.
    7. SSO Response URL: the same value as the Assertion Consumer Service (ACS) URL entered in RSA Cloud Authentication Service, https://<GoAnywhere>/webclient/saml/consume.
  9. Select the Web User tab.
    1. NameID Format: Email Address.
    2. Username Location: NameID.
  10. Click Save.
  11. From the sidebar navigation menu, navigate to Users > Login Settings.
  12. On the Default Login Methods tab, set Admin Users and/or Web Users to the login method you just configured.
  13. Click Save.

Configuration is complete.
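If a login fails after this configuration, the quickest diagnostic is to capture the SAMLResponse form field that the browser posts to https://<GoAnywhere>/webclient/saml/consume (visible in the browser's developer tools) and compare its contents with the values entered above: Destination against the SSO Response URL, Audience against the Service Provider Entity ID, Issuer against the Identity Provider Entity ID, the NameID format against Email Address on the Web User tab, and the email statement attribute. The Python below performs that comparison. It is an added example, not code from the guide or from either product; the response document, hostnames, entity IDs and user are constructed, the sample is deliberately unsigned so that the checker reports the missing signature, and the script only reports whether Signature elements are present (signature verification itself is GoAnywhere's job and is not reimplemented here).

```python
"""Decode a SAMLResponse posted to /webclient/saml/consume and compare it with the
values configured on the GoAnywhere Service Provider and Web User tabs.

The response, hostnames, entity IDs and user below are constructed for this
example; the sample is unsigned, which the checker reports as a problem."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values as configured in this guide; hostname and entity IDs are placeholders.
EXPECTED = {
    "acs_url": "https://goanywhere.example.com/webclient/saml/consume",  # SSO Response URL
    "sp_entity_id": "goanywhere-sp",                                      # Service Provider > Entity ID
    "idp_entity_id": "https://idp.example.com/saml/goanywhere",           # Identity Provider > Entity ID
}

# Constructed response; a real one from RSA also carries ds:Signature elements.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://goanywhere.example.com/webclient/saml/consume">
  <saml:Issuer>https://idp.example.com/saml/goanywhere</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/goanywhere</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>goanywhere-sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
# The browser posts the response base64 encoded in the SAMLResponse field.
SAMPLE_SAMLRESPONSE_PARAM = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_saml_response(b64_param: str) -> dict:
    """Decode the SAMLResponse field and extract the fields GoAnywhere matches on."""
    root = ET.fromstring(base64.b64decode(b64_param))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted or missing)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    attributes = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "status": status.get("Value") if status is not None else None,
        "destination": root.get("Destination"),
        "issuer": (root.findtext("saml:Issuer", None, NS) or "").strip(),
        "audiences": [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
    }


def check_response(b64_param: str, expected: dict) -> list:
    """Return mismatches against the configured values; empty means they line up."""
    r = parse_saml_response(b64_param)
    problems = []
    if r["status"] != SUCCESS:
        problems.append(f"status is {r['status']}")
    if r["destination"] != expected["acs_url"]:
        problems.append(f"Destination {r['destination']} != SSO Response URL {expected['acs_url']}")
    if r["issuer"] != expected["idp_entity_id"]:
        problems.append("Issuer does not match Identity Provider > Entity ID")
    if expected["sp_entity_id"] not in r["audiences"]:
        problems.append("Audience does not match Service Provider > Entity ID")
    if r["name_id_format"] != EMAIL_FORMAT:
        problems.append(f"NameID Format is {r['name_id_format']}; Web User tab expects Email Address")
    if not r["name_id"]:
        problems.append("NameID is empty; Username Location = NameID cannot map a user")
    if "email" not in r["attributes"]:
        problems.append("email statement attribute is missing")
    if not (r["response_signed"] or r["assertion_signed"]):
        problems.append("no Signature on Response or Assertion; Require Signed Assertion will reject it")
    return problems


if __name__ == "__main__":
    print(parse_saml_response(SAMPLE_SAMLRESPONSE_PARAM))
    print(check_response(SAMPLE_SAMLRESPONSE_PARAM, EXPECTED))
```

Paste the captured SAMLResponse value into check_response() with your real ACS URL and entity IDs. Each message names the GoAnywhere field it corresponds to, so a mismatch points at the tab to correct; the two entity IDs (Service Provider in RSA, Service Provider tab in GoAnywhere) are the usual culprits because they must match character for character.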