RSA SECURID® ACCESS
Implementation Guide

Okta

Gina Salvalzo, RSA Partner Engineering
Last Modified: February 27th, 2018
Okta

Solution Summary
Okta can integrate with RSA Cloud Authentication Service using SAML. When integrated with the Cloud IdP,
Okta can challenge users with policy- and context-driven multifactor authentication. When integrated with
the Application Portal (Identity Router) IdP, Okta can challenge users with policy- and context-driven
multifactor authentication and provide Single Sign-On (SSO).
RSA SecurID Access Features                        Okta

On Premise Methods
  RSA SecurID                                      ✔
  On Demand Authentication                         ✔
  Risk-Based Authentication (AM)                   -
Cloud Authentication Service Methods
  Authenticate App                                 ✔
  FIDO Token                                       ✔
SSO
  SAML SSO                                         ✔
  HFED SSO                                         -
Identity Assurance
  Collect Device Assurance and User Behavior       ✔


Supported Authentication Methods by Integration Point

This section indicates which authentication methods are supported by integration point. The next section
(Configuration Summary) contains links to the appropriate configuration sections for each integration
point.

Okta integration with RSA Cloud Authentication Service

Authentication Methods     REST   IDR SAML   Cloud SAML   HFED   RADIUS
RSA SecurID                -      ✔          ✔            -      n/t
LDAP Password              -      ✔          ✔            -      n/t
Authenticate Approve       -      ✔          ✔            -      n/t
Authenticate Tokencode     -      ✔          ✔            -      n/t
Device Biometrics          -      ✔          ✔            -      n/t
SMS Tokencode              -      ✔          ✔            -      n/t
Voice Tokencode            -      ✔          ✔            -      n/t
FIDO Token                        ✔          ✔            -

Okta integration with RSA Authentication Manager

Authentication Methods     REST   UDP Agent   TCP Agent   RADIUS
RSA SecurID                -      n/t         -           -
AM RBA                     -      -

Legend:
✔    Supported
-    Not supported
n/t  Not yet tested or documented, but may be possible


Configuration Summary
All of the supported use cases of RSA SecurID Access with Okta require both server-side and client-side
configuration changes. This section of the guide includes links to the appropriate sections for configuring
both sides for each use case.
RSA Cloud Authentication Service – Okta can be integrated with RSA Cloud Authentication Service in
the following way(s):

- SAML via RSA Identity Router (IdP)
  - Cloud Authentication Service – Identity Router IdP Configuration
  - Okta SAML SP Configuration
- SAML via RSA Cloud (IdP)
  - Cloud Authentication Service – Cloud IdP Configuration
  - Okta SAML SP Configuration


RSA SecurID Access Configuration


RSA Cloud Authentication Service Configuration
SAML via RSA Identity Router (IdP)
To configure a SAML Service Provider in RSA Identity Router, you must deploy the connector for Okta in
the RSA SecurID Access Console. During configuration of the IdP you will need some information from
the SP. This information includes (but is not limited to) Assertion Consumer Service URL and Service
Provider Entity ID.
1. Log on to the RSA SecurID Access console and browse to Applications > Application Catalog,
search for Okta and click +Add to add the connector.

2. On the Basic Information page, specify the application name and click Next Step.

Note: The following SP-initiated configuration works for both SP-initiated and IdP-initiated connections.


3. On the Connection Profile page, choose SP–initiated.


4. Modify the Connection URL. Replace <mycompany> with your Okta subdomain.

Note: If you are configuring on an Okta developer account, any reference to okta.com should be replaced
with oktapreview.com.


5. Scroll down to the SAML Identity Provider (Issuer) section.

- In the Identity Provider URL field, copy the URL, which will be needed later.
- Select Choose File and upload the private key.
- Select Choose File and upload the public certificate.


6. Scroll down to the Service Provider section.

Note: If you are configuring on an Okta developer account, any reference to okta.com should be replaced
with oktapreview.com.

- In the Assertion Consumer Service (ACS) URL field, replace <mycompany> with your Okta subdomain.
- In the Audience (Service Provider Entity ID) field, replace <string> with the value from page 9 of the
Okta SAML SP Configuration section.

7. Scroll down to the User Identity section. Set the Identifier Type to unspecified and Property to mail.

8. Click Next Step.


9. On the User Access page, select the desired user policy from the drop-down list.

10. Click Next Step.


11. On the Portal Display page, select Display in Portal.
12. Click Save and Finish.
13. Click Publish Changes. Your application is now enabled for SSO.

Refer to the Okta SAML Configuration section for instructions on how to configure the service provider
for SAML SSO.

SAML via RSA Cloud (IdP)


To configure a SAML Service Provider in RSA Cloud IdP, you must add a Service Provider in the RSA
SecurID Access Console. During configuration of the IdP you will need some information from the SP.
This information includes (but is not limited to) the Assertion Consumer Service URL and the Service
Provider Entity ID.
1. Log in to the RSA SecurID Access Administration Console.
2. Select the Authentication Clients > Relying Parties menu item at the top of the page.


3. Click the Add a Relying Party button on the My Relying Parties page.

4. From the Relying Party Catalog select the +Add button for Service Provider SAML.

5. Enter a name for the Service Provider in the Name field on the Basic Information page and click
Next Step.
6. On the Authentication page, select RSA SecurID Access manages all authentication.
7. From the Primary Authentication Method pulldown, select your desired login method, either Password
or SecurID.
8. From the Access Policy pulldown select a policy that was previously configured.

9. Select Next Step.


10. Select Import Metadata.

11. Select Choose File and select the file you downloaded in step 11 of the Okta SAML SP Configuration
section.
Note that the ACS URL, Service Provider Entity ID, and SP signing certificate are now populated.


12. Select the Download Certificate button. This will be needed to configure Okta in step 9 of Okta
SAML SP Configuration section.
13. Select Save and Finish.
14. On the top menu click Publish Changes.

15. Return to Okta’s management page and replace the temporary IdP certificate with the certificate you
downloaded in the Okta SAML SP Configuration section.
Refer to the Okta SAML Configuration section for instructions on how to configure the service provider
for SAML SSO.
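Step 11 above imports Okta's SP metadata and fills in the ACS URL, Service Provider Entity ID and SP signing certificate from it. The Python script below is added here as an example (it is not part of this guide, of Okta or of RSA SecurID Access) to show what that import extracts from an SP metadata file and the checks worth making before trusting it: an HTTP-POST AssertionConsumerService is present, the ACS URL is https, and the certificate is valid base64. The embedded metadata, entityID, ACS path and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of SAML 2.0 SP metadata; the entityID, ACS
# path and certificate contents are placeholders, not real Okta values.
SAMPLE_SP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/EXAMPLE-ENTITY-ID">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>QUJDREVGR0hJSktMTU5PUA==</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mycompany.okta.com/saml/acs/EXAMPLE" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_bytes: bytes) -> dict:
    """Return the values an IdP needs from SP metadata; raise ValueError if unusable."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    spsso = root.find("md:SPSSODescriptor", NS)
    if not entity_id or spsso is None:
        raise ValueError("missing entityID or SPSSODescriptor")
    # Only an HTTP-POST ACS endpoint matches the binding configured on the Okta side.
    acs = [a for a in spsso.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") == POST_BINDING]
    if not acs or not (acs[0].get("Location") or "").startswith("https://"):
        raise ValueError("no https HTTP-POST AssertionConsumerService")
    cert_el = spsso.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                         "ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("no SP signing certificate in metadata")
    # validate=True rejects non-base64 characters instead of silently skipping them.
    der = base64.b64decode("".join(cert_el.text.split()), validate=True)
    return {
        "entity_id": entity_id,
        "acs_url": acs[0].get("Location"),
        "authn_requests_signed": spsso.get("AuthnRequestsSigned") == "true",
        "signing_cert_der": der,
        "signing_cert_sha256": hashlib.sha256(der).hexdigest(),
    }
```

Compare the printed fingerprint against the certificate shown in the console after import; a mismatch means the wrong metadata file was uploaded.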


Partner Product Configuration


Before You Begin
This section provides instructions for configuring Okta with RSA SecurID Access. This document is
not intended to suggest optimum installations or configurations.
It is assumed that the reader has both working knowledge of all products involved, and the ability to
perform the tasks outlined in this section. Administrators should have access to the product
documentation for all products in order to install the required components.
All Okta components must be installed and working prior to the integration. Perform the necessary tests
to confirm that this is true before proceeding.

Okta SAML Configuration


Complete the steps in this section to integrate with RSA SecurID Access using SAML authentication
protocol.
1. Log in to your Okta administrator account at https://<mycompany>.okta.com/login/default
2. Verify that your test user is assigned a SAML App.
3. Once you have verified that your test user can log in to Okta and access the SAML App, proceed to
configure Okta’s SAML endpoint.
4. From the Okta admin console go to Security > Delegated Authentication.


5. Select the Inbound SAML tab and click Add Endpoint.


6. Select Browse and upload a temporary certificate. You will need to return to this step to replace the
temporary certificate with the RSA IdP certificate once the RSA side is configured.
7. Enter the entityID in the IDP Issuer field.
8. Enter the location URL in the IDP Login URL field, in format
9. Select IDP Binding method HTTP-Post.

10. Select the checkbox Enable SP Initiated SAML and click Save Endpoint.


11. Select the Download SAML Metadata link.
