Integration Guide for Access Manager - RSA Link - SecurID

Feb 19, 2023
Page 1: Integration Guide for Access Manager - RSA Link - SecurID

Integration Guide for Access Manager


Contact Information

RSA Link at https://community.rsa.com contains a knowledgebase that answers common questions and provides solutions to known problems, product documentation, community discussions, and case management.

Trademarks

Dell, RSA, the RSA Logo, EMC and other trademarks, are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.

License Agreement

This software and the associated documentation are proprietary and confidential to Dell Inc. or its subsidiaries, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.

This software is subject to change without notice and should not be construed as a commitment by Dell Inc.

Third-Party Licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed on the product documentation page on RSA Link. By using this product, a user of this product agrees to be fully bound by terms of the license agreements.

Note on Encryption Technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Use, copying, and distribution of any Dell software described in this publication requires an applicable software license.

Dell Inc. believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." DELL INC. MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

©2015-2017 Dell Inc. or its subsidiaries. All Rights Reserved.

August 2017


RSA SecurID Access Integration Guide for Access Manager

Contents

Preface 4

About This Guide 4

RSA SecurID Access Support and Service 4

Support for RSA Authentication Manager 4

Support for the Cloud Authentication Service and Identity Routers 4

RSA Ready Partner Program 4

Chapter 1: Overview 5

Overview 6

Authentication Flow 6

Deployment Scenarios 7

Deployment Scenario 1 7

Deployment Scenario 2 7

Deployment Scenario 3 7

Chapter 2: Integration 8

Integration 9

Manually Deploy the Access Manager Agent STS Module 9

Update the RSA Access Manager Agent 9

Configure the RSA Access Manager Agent 10

Modify the STS Web Configuration File 11

Add Access Manager as an Identity Provider for the Cloud Authentication Service 11

Set Access Manager as the Default Authentication Source 13

Add RSA SecurID Access as a Service Provider for RSA Access Manager 14

Configure Logging 16

Test the Integration 16


Preface

About This Guide

This guide describes how to integrate RSA® SecurID Access with an existing RSA Access Manager deployment.

This guide is intended for existing RSA Access Manager customers.

For a complete list of RSA SecurID Access documentation, see "RSA SecurID Access Product Documentation" on RSA Link at https://community.rsa.com/docs/DOC-60094.

RSA SecurID Access Support and Service

You can access community and support information on RSA Link at https://community.rsa.com. RSA Link contains a knowledgebase that answers common questions and provides solutions to known problems, product documentation, community discussions, and case management.

Support for RSA Authentication Manager

Before you call Customer Support for help with the RSA Authentication Manager appliance, have the following information available:

• Access to the RSA Authentication Manager appliance.

• Your license serial number. To find this number, do one of the following:

  • Look at the order confirmation e-mail that you received when you ordered the product. This e-mail contains the license serial number.

  • Log on to the Security Console, and click License Status. Click View Installed License.

• The appliance software version. This information is located in the top, right corner of the Quick Setup, or you can log on to the Security Console and click Software Version Information.

Support for the Cloud Authentication Service and Identity Routers

If your company has deployed identity routers and uses the Cloud Authentication Service, RSA provides you with a unique identifier, called the Customer Support ID, which is required when you register with RSA Customer Support. To see your Customer Support ID, sign in to the Cloud Administration Console and click My Account > Company Settings.

RSA Ready Partner Program

The RSA Ready Partner Program website at www.rsaready.com provides information about third-party hardware and software products that have been certified to work with RSA products. The website includes Implementation Guides with step-by-step instructions and other information on how RSA products work with third-party products.


Chapter 1: Overview


Overview

RSA SecurID Access and RSA Access Manager can be used together to provide authentication and single sign-on (SSO) for users across a variety of on-premise and software as a service (SaaS) applications. This guide describes how to integrate the RSA SecurID Access Cloud Authentication Service with your existing Access Manager deployment.

To support Access Manager integration, your RSA SecurID Access deployment must include the SSO Agent. After you perform the integration, your users can use the RSA SecurID Access Application Portal to access resources protected by both RSA SecurID Access and RSA Access Manager.

The Cloud Authentication Service supports integration with the following Access Manager component versions:

• RSA Access Manager 5.0 SP2 (64-bit) Agent for Microsoft IIS 7.x web server

• RSA Access Manager Server 6.2 SP2

To configure the integration, perform these high-level steps:

1. Update the Access Manager Security Token Service (AxM-STS) component of Access Manager to act as a SAML 2.0 identity provider (IdP).

2. Configure the Cloud Authentication Service to use the AxM-STS component as an IdP and default authentication source.

3. Configure Access Manager to use the Cloud Authentication Service as a service provider (SP).

Authentication Flow

This integration supports the SAML 2.0 web browser SSO profile, in an SP-initiated flow that carries the authentication request with the HTTP POST binding.

The following steps describe the authentication flow when a user accesses a Cloud Authentication Service-protected application that is configured to use RSA Access Manager as an IdP.

1. The user requests access to the RSA SecurID Access Application Portal.

2. RSA SecurID Access builds a SAML authentication request, then sends the request using the HTTP POST binding to the Access Manager SAML endpoint.

3. The Access Manager SAML endpoint parses the SAML request and automatically redirects the user to the Access Manager web agent.

4. The user provides the requested credentials, and the Access Manager web agent authenticates the user if the configured policy allows.

5. If the user is successfully authenticated, RSA Access Manager generates a SAML assertion and sends it to the RSA SecurID Access SAML SP handler.

6. The RSA SecurID Access SP handler receives the SAML assertion, then creates an RSA SecurID Access user session and directs the user to the application portal.
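The exchange in the six steps above, as an added Python example that is not part of the RSA guide or of either product. It builds the SP's AuthnRequest, carries it in the HTTP POST binding, has the IdP side issue a Response with a bearer assertion bound to that request, and then runs the checks the SP's assertion consumer service must pass before it creates a session. The entity IDs, URLs, user name and attributes are constructed assumptions; the pairs that have to agree (Audience ID and Service Provider Entity ID, Audience URL and Assertion Consumer Service URL, Issuer ID and Issuer Name) are the ones the configuration procedures in Chapter 2 require. XML signature creation and verification are assumed to be done by an XML-DSig library before sp_consume_response() runs and are not reproduced here.

```python
"""SP-initiated SAML 2.0 Web Browser SSO with the HTTP-POST binding.
Added example (not from the RSA guide or either product). All identifiers,
hostnames and user data are assumptions; XML-DSig signing/verification is
assumed to be handled by a library before sp_consume_response() runs."""
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Assumed deployment values; each pair must be entered identically on both sides.
SP_ENTITY_ID = "SecurIDAccessSP"  # Audience ID (IdP side) == Service Provider Entity ID (SP side)
ACS_URL = "https://idr.example.com/SPServlet?sp_id=SecurIDAccessSP"  # Audience URL == ACS URL
IDP_ENTITY_ID = "AxMIdP"  # Issuer ID == Issuer Name
IDP_SSO_URL = "https://axm.example.com/AxM-STS/saml/Default.aspx"  # Issuer URL

def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _el(parent, ns, tag, attrib=None, text=None):
    el = ET.SubElement(parent, f"{{{ns}}}{tag}", attrib or {})
    el.text = text
    return el

def build_authn_request(request_id, now):
    """Flow step 2: the SP builds an AuthnRequest addressed to the AxM-STS endpoint."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": IDP_SSO_URL, "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": ACS_URL})
    _el(req, SAML, "Issuer", text=SP_ENTITY_ID)
    return ET.tostring(req)

def to_post_form(field, xml_bytes, relay_state):
    """HTTP-POST binding: base64 (no DEFLATE) in a hidden form field, plus RelayState."""
    return {field: base64.b64encode(xml_bytes).decode(), "RelayState": relay_state}

def idp_handle_request(form, name_id, attributes, now):
    """Flow steps 3-5: parse the request; after the web agent has authenticated
    the user, issue a Response carrying a bearer Assertion bound to that request."""
    req = ET.fromstring(base64.b64decode(form["SAMLRequest"]))
    if req.get("Destination") != IDP_SSO_URL:
        raise ValueError("AuthnRequest not addressed to this IdP endpoint")
    if req.find("saml:Issuer", NS).text != SP_ENTITY_ID:
        raise ValueError("AuthnRequest from an SP that is not configured")
    acs, req_id = req.get("AssertionConsumerServiceURL"), req.get("ID")
    expiry = _ts(now + timedelta(minutes=5))
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": acs, "InResponseTo": req_id})
    _el(resp, SAML, "Issuer", text=IDP_ENTITY_ID)
    _el(_el(resp, SAMLP, "Status"), SAMLP, "StatusCode", {"Value": SUCCESS})
    a = _el(resp, SAML, "Assertion",
            {"ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _ts(now)})
    _el(a, SAML, "Issuer", text=IDP_ENTITY_ID)
    subj = _el(a, SAML, "Subject")
    _el(subj, SAML, "NameID", text=name_id)
    conf = _el(subj, SAML, "SubjectConfirmation", {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    _el(conf, SAML, "SubjectConfirmationData",
        {"Recipient": acs, "InResponseTo": req_id, "NotOnOrAfter": expiry})
    cond = _el(a, SAML, "Conditions", {"NotBefore": _ts(now), "NotOnOrAfter": expiry})
    _el(_el(cond, SAML, "AudienceRestriction"), SAML, "Audience", text=SP_ENTITY_ID)
    stmt = _el(a, SAML, "AttributeStatement")
    for name, value in attributes.items():  # agent request headers become SAML attributes
        _el(_el(stmt, SAML, "Attribute", {"Name": name, "NameFormat": UNSPECIFIED}),
            SAML, "AttributeValue", text=value)
    return to_post_form("SAMLResponse", ET.tostring(resp), form.get("RelayState", ""))

def sp_consume_response(form, expected_request_id, now):
    """Flow step 6: the checks the ACS must pass before it creates a user session."""
    resp = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    a = resp.find("saml:Assertion", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    audience = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS).text
    checks = [
        (resp.get("Destination") == ACS_URL, "Destination != Audience URL"),
        (resp.get("InResponseTo") == expected_request_id, "InResponseTo matches no outstanding request"),
        (resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") == SUCCESS, "status is not Success"),
        (resp.find("saml:Issuer", NS).text == IDP_ENTITY_ID, "Response Issuer != Issuer ID"),
        (a.find("saml:Issuer", NS).text == IDP_ENTITY_ID, "Assertion Issuer != Issuer ID"),
        (audience == SP_ENTITY_ID, "Audience != Audience ID"),
        (scd.get("Recipient") == ACS_URL, "Recipient != Audience URL"),
        (scd.get("InResponseTo") == expected_request_id, "SubjectConfirmationData InResponseTo mismatch"),
        (_ts(now) < scd.get("NotOnOrAfter"), "assertion has expired"),
    ]
    for ok, why in checks:
        if not ok:
            raise ValueError(why)
    attrs = {at.get("Name"): at.find("saml:AttributeValue", NS).text
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.find("saml:Subject/saml:NameID", NS).text,
            "attributes": attrs, "relay_state": form.get("RelayState", "")}

def run_flow(expected_request_id=None, now=None):
    """Drive the whole exchange with constructed data and return the SP session."""
    now = now or datetime.now(timezone.utc)
    req_id = "_" + secrets.token_hex(16)
    form = to_post_form("SAMLRequest", build_authn_request(req_id, now), "/portal")
    form = idp_handle_request(form, "jdoe", {"mail": "jdoe@example.com"}, now)
    return sp_consume_response(form, expected_request_id or req_id, now)
```

run_flow() returns the session the SP would create. Calling it with a different expected_request_id shows an unsolicited or replayed response being rejected at the InResponseTo check, which is why the SP side must remember the ID of every request it sent; the Destination, Recipient and Audience checks are what the matching rules in Chapter 2 exist to satisfy.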


Deployment Scenarios

Integration between RSA SecurID Access and RSA Access Manager supports three deployment scenarios.

Deployment Scenario 1

An Internet Information Services (IIS) or Apache server is deployed in the DMZ and acts as a reverse proxy that forwards all RSA Access Manager requests to components in the protected internal network. An IIS server is deployed within the internal network and runs the Access Manager IIS Agent and the AxM-STS component.

Deployment Scenario 2

In the second deployment scenario, the Access Manager IIS Agent is installed on an IIS server deployed within the DMZ. The AxM-STS component is installed on a separate IIS server deployed in the protected internal network.

In this scenario, the AxM-STS component is installed as a standalone application. To deploy the AxM-STS component as a standalone application, copy the STS folder from the server running the Access Manager IIS agent and perform the procedure described in Manually Deploy the Access Manager Agent STS Module on page 9.

Deployment Scenario 3

In the third deployment scenario, the Access Manager agent and the AxM-STS component are deployed on the same IIS server in the DMZ.


Chapter 2: Integration


Integration

To integrate RSA SecurID Access with your RSA Access Manager deployment, you must perform the following procedures to configure both products.

1. (Optional) Manually Deploy the Access Manager Agent STS Module below

2. Update the RSA Access Manager Agent below

3. Configure the RSA Access Manager Agent on the next page

4. (Only if you use AxM-STS for WS-FED) Modify the STS Web Configuration File on page 11

5. Add Access Manager as an Identity Provider for the Cloud Authentication Service on page 11

6. Set Access Manager as the Default Authentication Source on page 13

7. Add RSA SecurID Access as a Service Provider for RSA Access Manager on page 14

8. Configure Logging on page 16

9. Test the Integration on page 16

Manually Deploy the Access Manager Agent STS Module

Perform this procedure if you have not already deployed the Security Token Service (STS) component as part of your RSA Access Manager Agent 5.0 SP2 installation.

The RSA Access Manager Agent installs STS resources and configuration utilities in the Agent Installation directory under the STS folder. Perform these steps to configure the Access Manager STS component as a stand-alone application rather than as a component of the agent.

Procedure

1. In the Microsoft Management Console (MMC) for IIS, under the virtual server where the STS module is to be configured, add a new application with the name AxM-STS.

2. Map the AxM-STS application to the STS-AppResources folder. The STS-AppResources folder is created by default in the STS directory in the Agent installation directory.

Update the RSA Access Manager Agent

Perform this procedure to update the RSA Access Manager Agent to support RSA SecurID Access integration.

Before you begin

• RSA Access Manager Agent 5.0 SP2 must be installed. For more information, see the RSA Access Manager Agent 5.0 SP2 for Web Servers Installation and Configuration Guide.

• The following must be installed on the machine where you have installed or plan to deploy the RSA Access Manager Security Token Service (STS) module:

  • Microsoft .NET Framework 4.0

  • Windows Identity Foundation

• The application pool used to run the Access Manager STS application must support .NET Framework 4.0.


• The user account used to run the application pool must have write permission to the configured log file.

• Download axm-agent-5.0.02.01_VIA.zip from RSA Link (https://community.rsa.com). This zip package contains the update which enables the Access Manager Agent to support RSA SecurID Access integration.

Procedure

1. Extract the contents of the axm-agent VIA zip package that you downloaded from RSA Link.

2. Stop the IIS web server on which the Access Manager Agent is installed.

3. Open the directory where the current agent libraries are installed. By default this is AgentInstallationDirectory/lib, where AgentInstallationDirectory is the directory where the Access Manager Agent has been installed. Back up and then delete the library ct_iis70_agent.dll from this folder.

4. From the files extracted in step 1, copy ct_iis70_agent.dll to the lib directory.

5. Open the directory where STS resources are installed. By default this is AgentInstallationDirectory/STS, where AgentInstallationDirectory is the directory where the Access Manager Agent has been installed. Back up the existing STS-AppResources and utils directories, then remove them from the STS resources directory. Keep the backup: the web.config in the backed-up STS-AppResources directory is needed again if you use AxM-STS for WS-FED (see Modify the STS Web Configuration File on page 11).

6. From the files extracted in step 1, copy the STS-AppResources and configTool directories to the STS directory, then start the IIS web server again.

Configure the RSA Access Manager Agent

After you install the agent update, you must configure the RSA Access Manager agent in the webagent.conf file.

Procedure

1. Open the file webagent.conf. By default, this is located in AgentInstallationDirectory/conf, where AgentInstallationDirectory is the directory where the Access Manager Agent has been installed.

2. Add the following new parameter:

# Specifies whether SAML IDP is configured as part
# of this agent
#
# Allowed Values
# True, False
#
# Default Value
# False
#
cleartrust.agent.saml_configured=True

3. In the cleartrust.agent.url_exclusion_list parameter, add the relative URL /AxM-STS/saml/Default.aspx.

Only this URL needs to be excluded from agent protection. The exclusion lets the SAML authentication request that RSA SecurID Access posts (before the user has authenticated) reach the AxM-STS endpoint; the endpoint then redirects the user to the agent-protected resource, where the authentication policy configured for the SP is enforced.
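An added Python example, not the agent's own tooling, that applies steps 2 and 3 to a webagent.conf idempotently and then verifies the result, so the edit can be scripted across several agent hosts and checked afterwards. It assumes webagent.conf is a line-oriented key=value file with # comment lines, and that cleartrust.agent.url_exclusion_list holds a comma-separated list of relative URLs; the guide does not state the list syntax, so confirm it against your installed file before running this on a real agent. The sample configuration is constructed.

```python
"""Apply the webagent.conf edits from "Configure the RSA Access Manager Agent".
Added example, not from the RSA guide or the agent. Assumed format: key=value
lines, '#' comments, and a comma-separated url_exclusion_list."""
import re

SAML_ENDPOINT = "/AxM-STS/saml/Default.aspx"
SAML_PARAM_BLOCK = """\
# Specifies whether SAML IDP is configured as part
# of this agent
#
# Allowed Values
# True, False
#
# Default Value
# False
#
cleartrust.agent.saml_configured=True
"""
_KV = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_conf(text):
    """Return {key: value} for the non-comment lines (a later duplicate key wins)."""
    out = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def patch_webagent_conf(text):
    """Set saml_configured=True and add the STS SAML endpoint to the exclusion
    list. Re-running on an already patched file changes nothing; other lines
    and comments are left untouched."""
    lines = text.splitlines()
    saw_saml = saw_excl = False
    for i, line in enumerate(lines):
        m = _KV.match(line)
        if not m or line.strip().startswith("#"):
            continue
        key, value = m.group(1), m.group(2)
        if key == "cleartrust.agent.saml_configured":
            lines[i] = f"{key}=True"
            saw_saml = True
        elif key == "cleartrust.agent.url_exclusion_list":
            entries = [e.strip() for e in value.split(",") if e.strip()]
            if SAML_ENDPOINT not in entries:
                entries.append(SAML_ENDPOINT)  # append, never replace existing exclusions
            lines[i] = f"{key}={','.join(entries)}"
            saw_excl = True
    if not saw_excl:
        lines.append(f"cleartrust.agent.url_exclusion_list={SAML_ENDPOINT}")
    if not saw_saml:
        lines.append("")
        lines.extend(SAML_PARAM_BLOCK.splitlines())
    return "\n".join(lines) + "\n"


def verify_webagent_conf(text):
    """The post-edit check: both parameters present with the required values."""
    conf = parse_conf(text)
    excluded = [e.strip() for e in conf.get("cleartrust.agent.url_exclusion_list", "").split(",")]
    return conf.get("cleartrust.agent.saml_configured") == "True" and SAML_ENDPOINT in excluded


# Constructed sample of a pre-integration webagent.conf (not a real file).
SAMPLE_CONF = """\
# RSA Access Manager Agent configuration (constructed sample)
cleartrust.agent.server_type=iis
cleartrust.agent.url_exclusion_list=*.gif,*.jpg,/health.aspx
"""
```

parse_conf() is also the check to run after editing by hand: if verify_webagent_conf() is false on the saved file, the SAML endpoint is still behind the agent and the flow on page 6 stops at step 2.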

Modify the STS Web Configuration File

Perform this task only if you currently use the AxM-STS component for Web Services Federation (WS-FED).

Procedure

1. In the AgentInstallationDirectory/STS/STS-AppResources directory, where AgentInstallationDirectory is the directory where the Access Manager Agent has been installed, replace the web.config file with the one that you backed up before updating the agent.

2. In the web.config file:

a. Add the following line to <configSections>:

<section name="SAMLConfigurations" type="ConfigHelper.SAMLConfigurations,ConfigHelper"/>

b. Add the following line to <appSettings>:

<add key="log4net.Config" value="saml/Log4Net.config"/>

c. Add the following line after the <appSettings> section:

<SAMLConfigurations configSource="saml\\saml.config"/>

Add Access Manager as an Identity Provider for the Cloud Authentication Service

Configure the Cloud Authentication Service to use RSA Access Manager as a SAML Version 2-capable identity provider (IdP).

Before you begin

• Deploy and configure at least one identity router for your RSA SecurID Access deployment. For instructions, see the chapter "Installing and Configuring the Identity Router" in the RSA SecurID Access Cloud Authentication Service Setup and Configuration Guide.

• Add at least one identity source for the Cloud Authentication Service. For instructions, see "Add an Identity Source for the Cloud Authentication Service" in the RSA SecurID Access Help.


Procedure

1. In the Cloud Administration Console for the Cloud Authentication Service, click Users > Identity Providers.

2. Click Add an Identity Provider.

3. Click Add to add the SAML 2 Generic IdP provider type.

4. In the Name field, enter a name for the IdP.

5. (Optional) In the Description field, enter a description for the IdP.

6. Click Next Step.

7. In the Audience ID field, enter an Audience ID for the SAML 2 IdP.

The Audience ID must be an alphanumeric string with no special characters.

The Audience ID value must match the Service Provider Entity ID that you specify when you add RSA SecurID Access as an SP in your Access Manager deployment. For instructions, see Add RSA SecurID Access as a Service Provider for RSA Access Manager on page 14.

8. In the Audience URL field, enter an Audience URL for the SAML 2 IdP.

Use the following format:

https://<identity_router_url>/SPServlet?sp_id=<AudienceID>, where <identity_router_url> is the URL of the identity router, or is the virtual IP address of the load balancer for a cluster of identity routers, and <AudienceID> is the value of the Audience ID entered in step 7.

The Audience URL value must match the Assertion Consumer Service URL that you specify when you add RSA SecurID Access as an SP in your Access Manager deployment.

9. In the Issuer ID field, enter the Entity ID of the IdP.

The Issuer ID must be an alphanumeric string with no special characters, and must match the Issuer Name that you specify when you add RSA SecurID Access as an SP in your Access Manager deployment.

10. In the Issuer URL field, enter your Access Manager endpoint URL.

Use the following format:

http://<AxM_Deployment_URL>/AxM-STS/saml/Default.aspx, where <AxM_Deployment_URL> is the URL where your company has deployed the AxM-STS module. This is the endpoint that receives the SAML authentication request; in production serve it over HTTPS (https://<AxM_Deployment_URL>/AxM-STS/saml/Default.aspx) rather than plain HTTP, so that the browser-relayed SAML messages and the SPSESSION cookie set by the AxM-STS module are not exposed in transit.

11. Ensure that Passive Sign-in and Transform NameID to Lowercase are not selected.

12. (Optional) Select Sign Request if you require signed authentication requests. The identity router must have a private key to use this method. The corresponding certificate must reside on the IdP where it is used to verify the signed request.

If you choose Sign Request and the warning No Private Key Loaded appears, you must select a private key file to sign the request. If you have an existing private key and a corresponding certificate, click Select File to upload the private key and verify that the corresponding certificate exists within the Access Manager deployment. Otherwise, use the following procedure to generate a certificate bundle and use the private key and certificate from the bundle.

a. Click Generate Certificate Bundle.

b. In the Common Name field, enter the network hostname of the Access Manager IdP server.

c. Click Generate and Download, and save the certificateBundle.zip file to a secure location in your file system.

d. Click Close to close the certificate generation modal.

e. Open the zip file and extract the files cert.pem and private.key. You can ignore other items in the bundle as these are not used for SAML identity requests and responses. Keep cert.pem: it is the Signature Verification Certificate you supply to the STSConfig tool in Add RSA SecurID Access as a Service Provider for RSA Access Manager on page 14.

f. Click Select File (located to the right of the Sign Request checkbox) and select the private key file, private.key, you just extracted. Click OK to upload the key.

13. In the Certificate section, click Select File and select the certificate file required to verify the signed SAML response from the IdP.

If you do not have a certificate, click Generate Certificate Bundle to generate a certificate.

14. Click Next Step.

The Authentication Source Rules page appears.

15. Click Next Step.

The Portal Display page appears.

16. Click Change Icon to select an icon for portal users to click in order to sign in using the Access Manager IdP.

17. Click Save and Finish.

Set Access Manager as the Default Authentication Source

To allow users to automatically sign into the RSA SecurID Access Application Portal through Access Manager, without clicking an IdP icon, you must configure Access Manager as the default authentication source for RSA SecurID Access.

Before you begin

Add Access Manager as an Identity Provider for the Cloud Authentication Service on page 11

Procedure

1. In the Cloud Administration Console for the Cloud Authentication Service, click Access > Authentication Sources.

2. Click Add.

3. Select the Access Manager IdP.


4. Click Save.

5. Drag the Access Manager IdP to the top of the list of authentication sources. The Cloud Authentication Service attempts to authenticate users against each of the authentication sources in the order they appear in this list.

6. Click Save.

7. Click Publish Changes to apply the configuration settings.

Add RSA SecurID Access as a Service Provider for RSA Access Manager

In your RSA Access Manager deployment, use the STSConfig tool to add RSA SecurID Access as a service provider (SP). This procedure assumes that you are creating a new STS configuration, but if you need to modify an existing configuration or add RSA SecurID Access as a new SP to an existing configuration, you can follow the prompts and enter the information as described in this procedure.

Before you begin

Collect the following information before you run the configuration tool:

• Web Site Name. Name of the website where the AxM-STS application is deployed.

• Cookie Domain. The AxM-STS module creates a cookie named SPSESSION to maintain session information. Specify the cookie domain, which can either be an IdP domain or the fully qualified domain name of the IdP web server.

• Service Provider Configuration. Specify at least one SP configuration. Provide the following details for each SP:

  • Service Provider Entity ID. The Entity ID uniquely identifies the SP. This value must match the Audience ID specified in Add Access Manager as an Identity Provider for the Cloud Authentication Service on page 11.

  • Issuer Name. The Entity ID that identifies the IdP. This value must match the Issuer ID specified in Add Access Manager as an Identity Provider for the Cloud Authentication Service on page 11.

  • Assertion Consumer Service URL. The RSA SecurID Access assertion consumer service URL, which receives and processes SAML assertions. This value must match the Audience URL specified in Add Access Manager as an Identity Provider for the Cloud Authentication Service on page 11.

  • Default Relay State. The default target resource at the SP. This value is used only when the relay state is not sent as part of the SAML request.

  • Authentication Policy. The RSA Access Manager authentication policy that the identity provider for this SP must enforce. Supported authentication types include: BASIC, AA, SECURID, and IWA. You can specify a combination of authentication policies by using the AND (+) operator.

  For more information about the supported authentication types, see the RSA Access Manager Agent 5.0 SP2 for Web Servers Installation and Configuration Guide.

  • Signing Certificate. The complete path to the PKCS12 keystore containing the private key. The AxM-STS module uses this private key to digitally sign the SAML response message sent to RSA SecurID Access. The private key in the PKCS12 keystore must correspond to the certificate provided in RSA SecurID Access (the Certificate uploaded in Add Access Manager as an Identity Provider for the Cloud Authentication Service on page 11). This key is what RSA SecurID Access trusts assertions on, so restrict file system access to the keystore to the application pool account that runs AxM-STS.

  • Signing Keystore Password. The password required for accessing the PKCS12 keystore. This value is required only if the keystore is password protected.

  • Signature Verification Certificate. The complete path to the certificate that verifies the signature of the SAML authentication request. This public key must correspond to the private key that the SP uses to sign the SAML authentication request. Specify the path if the SP is configured to sign the request.

  This certificate file must correspond to the private key configured by selecting Sign Request in Add Access Manager as an Identity Provider for the Cloud Authentication Service on page 11.

  • Attributes. A list of user attributes to push to the SP as part of the SAML assertion. For each attribute, configure these values:

    • Name. The name of the attribute. This name must match the name of the user property configured in RSA Access Manager as the attributes are retrieved from the Access Manager server.

    • Name Format. The attribute format. The default is Unspecified.

  The agent retrieves the user attributes from the RSA Access Manager server, then publishes them as request headers to make them available to the AxM-STS component. The request headers have the same name as the corresponding user attribute, so the attribute names must match the corresponding user properties on the RSA Access Manager server.

Procedure

1. In the AgentInstallationDirectory/STS/configTool directory, where AgentInstallationDirectory is the directory where the Access Manager Agent has been installed, run STSConfigTool.exe.

2. Type 1 to enable support for SAML, and press Enter.

3. Type 1 to create a new configuration, and press Enter.

4. Enter the Web Site Name, and press Enter.

5. Enter the Cookie Domain, and press Enter.

6. In the Service Provider Specific Configuration section:

a. Enter the Service Provider Entity ID, and press Enter.

b. Enter the Issuer Name, and press Enter.


c. Enter the Assertion Consumer Service URL, and press Enter.

d. Enter the Default Relay State, and press Enter.

e. Enter the Authentication Policy for the SP and press Enter.

f. Enter the complete path to the Signing Certificate, and press Enter.

g. (Optional) If the signing certificate is password protected, enter the password, and press Enter.

h. Enter the complete path to the Signature Verification Certificate, and press Enter.

i. Enter the Name of the first attribute for the IdP to push to the SP, and press Enter.

j. Enter the Name format of the first attribute for the IdP to push to the SP, and press Enter.

k. Indicate whether you need to enter additional attributes for this SP.

  • To enter additional attributes, enter Y and press Enter. Repeat steps i through k.

  • If you do not have additional attributes to enter, enter N and press Enter.

7. Indicate whether you need to configure additional SPs.

  • To configure additional SPs, enter Y and press Enter. Repeat step 6.

  • If you do not need to configure additional SPs, enter N and press Enter.

8. To encrypt the configuration file, enter Y and press Enter. Choose Y: the configuration holds the signing keystore password and the keystore path.
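Because the two sides are configured in different consoles, the values are easy to get out of step. The following is an added Python check, not from the RSA guide, that encodes the matching rules from Add Access Manager as an Identity Provider for the Cloud Authentication Service on page 11 and the STSConfig prompts above, to run over the values before you publish them. The dictionary keys, sample identifiers, hostnames and file paths are this example's own assumptions; whether the PKCS12 signing key actually corresponds to the certificate uploaded to the Cloud Administration Console cannot be decided from these values alone and is not checked.

```python
"""Cross-check the IdP-side (Cloud Administration Console) and SP-side
(STSConfig tool) values of the integration. Added example, not from the RSA
guide; keys and sample values are assumptions, field names follow the guide."""
from urllib.parse import urlsplit, parse_qs

ALLOWED_AUTH_TYPES = {"BASIC", "AA", "SECURID", "IWA"}
STS_ENDPOINT_PATH = "/AxM-STS/saml/Default.aspx"


def check_integration(idp, sp):
    """Return a list of problems; an empty list means the two sides agree."""
    problems = []
    # Cloud Administration Console side (steps 7-13 of the IdP procedure).
    for field in ("audience_id", "issuer_id"):
        if not idp[field].isalnum():
            problems.append(f"{field} must be alphanumeric with no special characters")
    au = urlsplit(idp["audience_url"])
    if (au.scheme != "https" or au.path != "/SPServlet"
            or parse_qs(au.query).get("sp_id") != [idp["audience_id"]]):
        problems.append("audience_url must be https://<identity_router_url>/SPServlet?sp_id=<AudienceID>")
    iu = urlsplit(idp["issuer_url"])
    if not iu.path.endswith(STS_ENDPOINT_PATH):
        problems.append(f"issuer_url must end with {STS_ENDPOINT_PATH}")
    if iu.scheme != "https":
        problems.append("issuer_url is not https; SAML messages would travel in clear text")
    if idp.get("passive_sign_in") or idp.get("transform_nameid_lowercase"):
        problems.append("Passive Sign-in and Transform NameID to Lowercase must not be selected")
    if not idp.get("certificate"):
        problems.append("IdP Certificate (verifies the signed SAML response) is required")
    # STSConfig tool side, compared with the IdP side.
    pairs = [("entity_id", "audience_id"), ("issuer_name", "issuer_id"),
             ("assertion_consumer_service_url", "audience_url")]
    for sp_key, idp_key in pairs:
        if sp[sp_key] != idp[idp_key]:
            problems.append(f"SP {sp_key} {sp[sp_key]!r} != IdP {idp_key} {idp[idp_key]!r}")
    for term in sp["authentication_policy"].split("+"):  # AND (+) combinations
        if term.strip() not in ALLOWED_AUTH_TYPES:
            problems.append(f"unsupported authentication type {term.strip()!r}")
    if not sp.get("signing_certificate"):
        problems.append("Signing Certificate (PKCS12 keystore path) is required")
    if idp.get("sign_request") and not sp.get("signature_verification_certificate"):
        problems.append("Sign Request is selected but no Signature Verification Certificate path was given")
    for attr in sp.get("attributes", []):
        if not attr.get("name"):
            problems.append("attribute with empty Name; it must match an Access Manager user property")
    return problems


# Constructed sample values (not from any real deployment).
IDP_SIDE = {
    "audience_id": "SecurIDAccessSP",
    "audience_url": "https://idr.example.com/SPServlet?sp_id=SecurIDAccessSP",
    "issuer_id": "AxMIdP",
    "issuer_url": "https://axm.example.com/AxM-STS/saml/Default.aspx",
    "passive_sign_in": False, "transform_nameid_lowercase": False,
    "sign_request": True, "certificate": "cert.pem",
}
SP_SIDE = {
    "entity_id": "SecurIDAccessSP",
    "issuer_name": "AxMIdP",
    "assertion_consumer_service_url": "https://idr.example.com/SPServlet?sp_id=SecurIDAccessSP",
    "default_relay_state": "/",
    "authentication_policy": "BASIC+SECURID",
    "signing_certificate": r"C:\AxM\sts-signing.p12",
    "signature_verification_certificate": r"C:\AxM\cert.pem",
    "attributes": [{"name": "mail", "name_format": "Unspecified"}],
}
```

An empty result only means the two configurations are consistent with each other and with the formats the guide prescribes; Test the Integration on page 16 is still the proof that the keys and certificates pair up.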

Configure Logging

RSA Access Manager uses the third-party component Apache Log4Net for logging. You can configure logging for this integration by modifying the log4net.config file, which is located in the AxM-STS/saml directory. For more information, refer to the Log4Net manual located on the Apache website.

Test the Integration

After you complete the integration steps on both RSA Access Manager and RSA SecurID Access, you can test the integration to ensure that the integration has succeeded by signing into the RSA SecurID Access Application Portal.

Procedure

1. Open the RSA SecurID Access Application Portal.

2. Verify that you are redirected to the RSA Access Manager sign-in page, then sign in.

3. Verify that you are challenged with the authentication methods configured in RSA Access Manager for the SP.

4. Verify that you are directed to the RSA SecurID Access Application Portal after you successfully authenticate.