Okta - IdP for Cloud Authentication Service - RSA Ready Implementation Guide
a year ago

This section describes how to configure Okta as an IdP for RSA Cloud Authentication Service.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as a service provider for Okta.
Procedure

  1. Sign in to the RSA Cloud Administration Console and navigate to My Account > Company Settings > Sessions & Authentication.
  2. Under Cloud Administration Console Authentication, Password is displayed as the default primary authentication. To allow administrators to authenticate through a third-party identity provider, click Third-Party Identity Provider (IdP) and perform the following steps:
    1. The Sign-In URL field displays the URL the administrators will use when signing into Cloud Administration Console through a third-party identity provider. This field is read only.
    2. The Assertion Consumer Service URL field displays the URL that Okta will use to set up the service provider.
    3. In the Issuer ID field, enter the value of the Issuer ID provided by Okta: http://www.okta.com/AccountID.
    4. In the Issuer URL field, enter the value of the Single Sign-on Service provided by Okta: https://hostname.okta.com/app/rsasaml2testsp/AccountID/sso/saml.
    5. In the Audience ID field, the RSA hostname value will be auto populated. This value is included by the identity provider in SAML assertions to indicate the intended recipient. The value is set as the Entity ID in SAML requests sent to the identity provider. 
    6. In the SAML Response Signature section, click Choose File to upload a certificate that the Cloud Authentication Service uses to validate the assertion signature provided by Okta.
Refer to the Okta configuration section to obtain the certificate to validate the assertion signature.
 
  3. Click Publish Changes to save your settings. After publishing, your application will be enabled for SSO.
 

Note

  • Ensure that all changes are correct and saved in Okta before making any changes in RSA Cloud Authentication Service. Once the changes are saved in RSA, the feature is enabled. If it does not work, all Super Admins and Admins will be locked out, because enabling third-party IdP authentication disables regular password authentication by default, so access to the Console must work through the IdP.
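
One way to run the check this note calls for before clicking Publish Changes, as an added example that is not part of the RSA or Okta material: it compares the Issuer ID, Issuer URL and certificate file you are about to enter in RSA against the IdP metadata XML of the Okta app. Saving that metadata XML from Okta is an assumption (the guide only mentions the certificate download), and the function names and sample data are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def der_from_pem(pem_text):
    """Decode the base64 body of a PEM certificate file to DER bytes."""
    body = [s for s in map(str.strip, pem_text.splitlines()) if s and not s.startswith("-----")]
    return base64.b64decode("".join(body))

def parse_idp_metadata(xml_text):
    """Return (entityID, SSO URLs, SHA-256 digests of the signing certificates)."""
    root = ET.fromstring(xml_text)
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso_urls = {e.get("Location", "") for e in idp.findall(MD + "SingleSignOnService")}
    digests = set()
    for kd in idp.findall(MD + "KeyDescriptor"):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute covers signing too
            for cert in kd.iter(DS + "X509Certificate"):
                der = base64.b64decode("".join(cert.text.split()))
                digests.add(hashlib.sha256(der).hexdigest())
    return root.get("entityID"), sso_urls, digests

def precheck(metadata_xml, issuer_id, issuer_url, cert_pem):
    """List mismatches between the values for RSA and Okta's metadata; [] means they agree."""
    entity_id, sso_urls, digests = parse_idp_metadata(metadata_xml)
    problems = []
    if issuer_id != entity_id:  # exact comparison: scheme and trailing slash matter
        problems.append(f"Issuer ID {issuer_id!r} != entityID {entity_id!r}")
    if issuer_url not in sso_urls:
        problems.append(f"Issuer URL {issuer_url!r} not in {sorted(sso_urls)}")
    if hashlib.sha256(der_from_pem(cert_pem)).hexdigest() not in digests:
        problems.append("certificate file is not a signing certificate in the metadata")
    return problems

# Constructed sample using the guide's placeholder values; the bytes are not a real certificate.
FAKE_B64 = base64.b64encode(b"constructed-placeholder-not-a-certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/AccountID">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://hostname.okta.com/app/rsasaml2testsp/AccountID/sso/saml"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

The check compares bytes only; it does not validate the certificate chain or expiry, and an empty result from `precheck` means only that the three values agree with the metadata.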
 

Configure Okta

Perform these steps to configure Okta as an SSO Agent SAML service provider to RSA Cloud Authentication Service.

  1. Sign in to Okta with the admin account and browse to Applications > Create App Integration.
  2. Select the SAML 2.0 checkbox under Sign-in method and click Next.
  3. In the General Settings section, provide the App name as RSA Cloud Administration and click Next.
  4. In the Configure SAML section, under SAML Settings, provide the following details: 
    1. Single sign-on URL: Enter the value of SingleSignOnService, obtainable from the metadata file downloaded from the RSA platform.
    2. Audience URI (SP Entity ID): Enter the value of Service Provider Entity ID, obtainable from the metadata file downloaded from the RSA platform.
    3. Name ID format: Set this to Unspecified, the default value.
  5. Under the Create SAML Integration section, follow these steps:
    1. Select the checkbox I’m an Okta customer adding an internal app and in App type, select the checkbox This is an internal app that we have created.
    2. Click Finish to complete the application integration with RSA Cloud Administration.
    3. Once the application is configured, view the Issuer ID and Issuer URL on the Sign On tab. The same values will be configured in RSA Cloud Authentication Service Company settings.
  • Download the certificate to upload for RSA.
  • To assign users to the application, click the Assign tab and select People from the Assign dropdown. Search for the user and assign them.
  • Click Assign to add the user to the application. The users assigned to the application will appear in the list.

 
The configuration is complete.
Return to Okta - Third-Party IdP Integration - RSA Ready Implementation Guide.