Certified: 03/26/2025
Solution Summary
This article describes the configuration steps involved in integrating Microsoft AD FS with RSA Cloud Authentication service using SAML 2.0 to authenticate any third-party application.
Integration Types
My Page SSO provides Single-Sign-On (SSO) to Microsoft AD FS users leveraging RSA self-service portal My Page. When integrated, users must authenticate with RSA to sign in Microsoft AD FS. SP-initiated SSO is supported.
Modern Cloud-hosted SSO with My Page replaces the existing SAML SSO support with the IDR. Existing SSO integrations using IDR My Applications continue to be supported and will be listed in this document as applicable.
Note: RSA will continue to maintain existing SAML SSO integrations using IDR My Applications. At a to-be-determined future date, RSA will announce the end-of-life (EOL) date for the SAML SSO support with the IDR. For more information Available Now: My Page SSO Enhancements - RSA Community - 680715
Relying Party integration allows Microsoft AD FS users’ web browsers to be automatically redirected to RSA Cloud Authentication Service for authentication. With Relying Party integration, Cloud Authentication Service can manage only additional authentication or both primary authentication (for example, user ID and password) and additional authentication.
Supported Features
This section shows when integrated with RSA Cloud Authentication Service using SAML 2.0, Microsoft AD FS users can authenticate with any of the following multi-factor authentications.
Microsoft Active Directory Federation Services Integration with RSA Cloud Authentication Service
|
Authentication Methods |
Relying Party |
My Page SSO |
|---|---|---|
| Approve | ✔ | ✔ |
| Authenticate OTP | ✔ | ✔ |
| Device Biometrics | ✔ | ✔ |
| SMS OTP | ✔ | ✔ |
| Voice OTP | ✔ | ✔ |
| SecurID OTP | ✔ | ✔ |
| LDAP Password | ✔ | ✔ |
| FIDO Token | ✔ | ✔ |
| QR Code | ✔ | ✔ |
| Emergency Access Code | ✔ | ✔ |
Microsoft Active Directory Federation Services Integration with RSA Authentication Manager
|
Authentication Methods |
Authentication API |
RADIUS |
Authentication Agent |
|---|---|---|---|
| RSA SecurID | - | - | - |
| On-Demand Authentication | - | - | - |
| Risk-Based Authentication | n/a | - | - |
| ✔ | Supported |
| - | Not supported |
| n/t | Not yet tested or documented, but may be possible. |
Configuration Summary
This section contains instruction steps that show how to integrate Microsoft AD FS with RSA Cloud Authentication Service using all supported integration types. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.
All RSA and Microsoft AD FS components must be installed and working prior to the integration.
Integration Configuration
Certification Details
Date of testing: 08/28/2021
RSA Cloud Authentication Service
Microsoft Windows Server 2016
Microsoft Active Directory Federation Services management console version 10.0.0.0
Known Issues
IdP-initiated SSO isn’t supported yet.
Related Articles
Microsoft 365 with Azure AD - RSA Ready Implementation Guide Number of Views Palo Alto NGFW Global Protect - SAML Relying Party Configuration - RSA Ready Implementation Guide Number of Views RSA Authentication Agent 2.0.3 for Microsoft AD FS Administrator's Guide Number of Views RSA MFA Agent 3.0 for Citrix StoreFront Administrator's Guide Number of Views Unexpected error from ACE/Agent API for RSA Authentication Agent for PAM Number of Views
