Configure RSA Cloud Authentication Service

1. Sign in to the RSA Cloud Administration Console with administrator credentials.
2. Enable SSO on the My Page portal by accessing the RSA Cloud Administration Console > Access > My Page > Single Sign-On (SSO). Ensure it is enabled and protected by two-factor authentication using a Password and Access Policy.
3. On the Applications > Application Catalog page, click on Create From Template.
4. On the Choose Connector Template page, click Select for SAML Direct.
5. On the Basic Information page, enter a name for the configuration in the Name field and click Next Step.
6. In the Connection Profile section, select IdP-initiated option.
7. Provide the Service Provider details in the following format:
   1. Assertion Consumer Service (ACS) URL: <Qualys ACS URL>
   2. Service Provider Entity ID: <Qualys Entity ID>

8. In the SAML Response Protection section, select IdP signs assertion within response, and download the certificate by clicking Download Certificate.
9. Under the User Identity section, select Show Advanced Configuration, then configure Identifier Type and Property as follows: 
   1. Identifier Type: Auto Detect 
   2. Property: Auto Detect

10. Under the Statement Attributes section, add the following attributes:
    1. Attribute Name: qualysguard_external_id
    2. Attribute Source: Identity Source
    3. Property: ALTERNATE_USERNAME. This user attribute contains the value of qualysgaurd_external_id. In this case, ALTERNATE_USERNAME holds the qualysgaurd_external_id value.

11. Enter the relay state value in the Default Relay State section. The relay state value is required for My Page IdP-initiated SAML SSO flow.

12. Click Next Step.
13. Choose your desired Access Policy for this application and click Next Step > Save and Finish.
14. On the My Applications page, click the Edit dropdown and select Export Metadata to download the metadata.
15. Click Publish Changes to save your settings. After publishing, your application will be enabled for SSO.

Configure Qualys Enterprise TruRisk

1. Contact Qualys support: Visit www.qualys.com/support to request SAML 2.0 SSO activation for your subscription.
2. Receive ACS URL and Entity ID: Qualys support will provide the ACS URL and Entity ID needed for RSA platform configuration and request the metadata file downloaded from the RSA platform.
3. Configure Trust Relationship: After receiving your metadata file, Qualys support will configure the trust relationship between RSA and the Qualys platform.
4. Notification of SSO Activation: Once the trust relationship is configured, Qualys support will notify you that SAML 2.0 SSO has been enabled. 
5. Obtain Unique URL: Qualys will provide a unique URL specific to your subscription. Users will use this URL to start a session with SAML SSO (e.g., https://qualysguard.qualys.com/fo/login.php?idm_key=XYZ).
6. Extract Relay State value: The provided URL will include a key named idm_key. Copy this idm_key value for use as the relay state value in the RSA platform configuration.
7. Follow these steps to obtain qualysguard_external_id:
   1. Log in to the Qualys Enterprise TruRisk platform with admin credentials.
   2. Navigate to the USERS tab.

3. Select the user for whom you need the external_id and click Edit from the Quick Actions dropdown.
4. Find the qualysguard_external_id in the General Information section under the External ID attribute. Use this value for the user attribute in the RSA platform, in this case ALTERNATE_USERNAME is used.

8. Enable SAML SSO for the user: Click Security tab, check the Enable SAML SSO checkbox to enable SAML for the user and click Save.

Notes:

1. Go to Users > Management in the RSA platform, search for the user and select them.
2. Enter the qualysguard_external_id value in the appropriate user attribute (e.g., Alternate Username) and click Save.