▪ Dell Customer Communication - Confidential

NATIVE SAML SUPPORT FOR SSO FFTH – RSA Archer 6.8

1 AGENDA

NATIVE SAML 2.0 SUPPORT FOR SSO

▪ Background
▪ Overview
▪ Troubleshooting
▪ Demo

2 BACKGROUND

▪ Main Goal: Provide native SAML 2.0 support for SSO to RSA Archer platform

▪ Prior To 6.8, RSA Archer could not process SAML 2.0 assertions natively

▪ Required using ADFS as middleware to convert SAML assertions to Windows Federated claims

▪ Increased complexity of enabling integration with SAML IDP

▪ Security concerns with ADFS served as an implementation roadblock

▪ Enabling native processing of SAML assertions eliminates the need for ADFS

3 OTHER GOALS

▪ Support multiple SAML identity providers for a single instance

▪ Provide vanity URLs to automatically redirect to a specific identity provider

▪ Provide Service Provider metadata for easier setup in identity provider

▪ Support automatic user provisioning

▪ Support user profile, group membership, and role assignment updates via SSO

▪ Improved logging to aid in troubleshooting authentication issues
− Errors point to a specific log reference in a stand-alone SAML log file
− Info level logging provides the entire request and assertion contents

▪ Leave Federation SSO option as is

4 OVERVIEW

5 CONFIGURING SAML SSO

▪ SAML SSO is enabled by selecting the new SAML Single Sign-On Mode

▪ Allow Manual Bypass – If enabled, users can bypass SSO and log in manually with Archer credentials
− For example, https://egrc.archer.rsa.com/default.aspx?manuallogin=true

▪ Instance Entity ID – Used to identify the service provider name when issuing authentication requests

6 CONFIGURING SAML SSO – CERTIFICATE THUMBPRINT

▪ Certificate Thumbprint – Identifies an X.509 certificate in the Windows Local Machine certificate store

▪ The certificate is used to sign requests when required by the Identity Provider

▪ The certificate is also used by the Identity Provider to encrypt assertions when required

▪ The IIS Application Pool identity running the RSA Archer application requires read permission on the private key

▪ The same certificate must exist in the Local Machine certificate store of every web server
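A check that is worth automating for the Certificate Thumbprint field, added here as an example (not RSA Archer code): a thumbprint copied out of the Windows certificate dialog often arrives with spaces, colons, or an invisible left-to-right mark (U+200E) at the front, and a value that looks right will then fail the store lookup. The script normalizes a pasted value to 40 upper-case hex digits, rejects anything else, and recomputes a thumbprint from DER bytes (SHA-1 of the encoded certificate, which is what Windows displays). The pasted string and the DER bytes below are constructed placeholders, not a real certificate.

```python
import hashlib
import re
import unicodedata

# Characters that ride along when a thumbprint is copied out of the Windows
# certificate dialog: spaces, colons, and invisible format characters such as
# the left-to-right mark (U+200E) or a byte-order mark (U+FEFF).
_SEPARATORS = re.compile(r"[\s:\-]")


def normalize_thumbprint(raw: str) -> str:
    """Return the thumbprint as 40 upper-case hex digits, or raise ValueError."""
    # Unicode category "Cf" (format) covers the invisible marks; they are not
    # visible in the configuration field but make the store lookup fail.
    visible = "".join(ch for ch in raw if unicodedata.category(ch) != "Cf")
    cleaned = _SEPARATORS.sub("", visible).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a SHA-1 thumbprint after cleanup: {cleaned!r}")
    return cleaned


def thumbprint_of_der(der_bytes: bytes) -> str:
    """A Windows certificate thumbprint is the SHA-1 digest of the DER-encoded certificate."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def thumbprint_matches(configured: str, der_bytes: bytes) -> bool:
    """True when the configured value identifies the given certificate bytes."""
    return normalize_thumbprint(configured) == thumbprint_of_der(der_bytes)


if __name__ == "__main__":
    # Constructed input: the value as it often arrives after copy/paste.
    pasted = "\u200e01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67"
    print(normalize_thumbprint(pasted))
    # Constructed stand-in for DER bytes; a real check reads the certificate
    # exported (without private key) from the Local Machine store.
    fake_der = b"not a real certificate"
    print(thumbprint_matches(thumbprint_of_der(fake_der), fake_der))
```

Run the normalized value through this before pasting it into the Single Sign-On settings on each web server; the same cleaned string must match the certificate present in every server's Local Machine store.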

7 GENERATE SERVICE PROVIDER METADATA

▪ Optionally generate Service Provider metadata

▪ Save Single Sign-On settings changes before clicking Generate

▪ Some Identity Providers can import Service Provider metadata

▪ Service Provider metadata is a useful reference regardless

▪ The Service Provider metadata XML file includes:
− Instance Entity ID
− Redirection URL to the RSA Archer assertion consumer service
− Required Name ID preference
− Public key of the signing and encryption certificate
− Preference for signed assertions from the IDP

8 CONFIGURING IDENTITY PROVIDERS

▪ SAML mode supports 1-to-N Identity Providers

▪ The RSA Archer platform must be configured as a Service Provider for each Identity Provider

▪ Configurations vary per Identity Provider but typically require
− Entity ID
− Assertion Consumer Service URL
− Signing Certificate
− Encryption Certificate

9 IDENTITY PROVIDER ATTRIBUTE MAPPING

▪ RSA attribute mappings must be configured for each Identity Provider
− These mappings are used to support creating users, updating their profile attributes, group membership, and role assignment

▪ The attributes are then set for each user

10 IDENTITY PROVIDER ATTRIBUTE MAPPING

RSA Archer Field Name | RSA Archer Supported Attribute Mapping

User Identity Information
User Name* | NameID*
User Domain | UserDomain
First Name | FirstName
Last Name | LastName
Middle Name | MiddleName
Title | Title

11 IDENTITY PROVIDER ATTRIBUTE MAPPING

RSA Archer Field Name | RSA Archer Supported Attribute Mapping

Contact Details
Address | FullAddress, or Street, City, State, Zipcode
Company | Company
Default Email Address | EmailAddress
Phone 1 | PhoneNumber

Note: To update the user address, use one of the following:
1. FullAddress attribute. The Address field in the User Profile updates with the values provided in this attribute.
2. Street, City, State, Zipcode attributes. The Address field updates with the values Street, City, State and Zipcode.

12 IDENTITY PROVIDER ATTRIBUTE MAPPING

RSA Archer Field Name | RSA Archer Supported Attribute Mapping

Localization
Time Zone | TimeZoneId
See the appendix for supported TimeZoneId values.

Account Maintenance
Security Parameter | SecurityParameterId

Access Roles/Groups
Groups | Group/Groups
Use Group for a single-value attribute. Use Groups for a multiple-value attribute.
Roles | Role/Roles
Use Role for a single-value attribute. Use Roles for a multiple-value attribute.

13 EXPORT IDENTITY PROVIDER METADATA

▪ Export or download the Identity Provider metadata for the Archer application

▪ This file is used when configuring the Identity Provider in the RSA Archer Control Panel

14 ADDING IDENTITY PROVIDERS IN ACP

▪ Must have at least one Identity Provider

▪ Enter Display Name
− This Display Name is populated in the IDP dropdown selector
− This name is also displayed in the IDP selector on the Login Decision Page

▪ Enter Realm Name for the IDP
− The Realm field value, instance URL, and parameter name IDP can be used to skip the Single Sign-On Decision Page
− e.g. https://archer.domain.com?IDP=okta skips the Decision Page and immediately redirects you to North America Okta for authentication

▪ Required Encrypted Assertions – If enabled, RSA Archer fails authentication if the IDP does not encrypt assertions

▪ Click + to add another Identity Provider

15 IMPORTING IDP METADATA

▪ To complete the Identity Provider setup you must import the Identity Provider metadata file
− Click Select and browse to your metadata XML file
− Click Open to finish the import
− If the selected file is valid, the IDP Metadata field shows the IDP entity descriptor

▪ IDP metadata provides the details the Archer platform needs:
− To create authentication requests
− To process the corresponding assertions received from the IDP
− Typically includes URL endpoints, supported bindings, identifiers, and certificates used for signing
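Both metadata files in this exchange (the Service Provider metadata Archer generates, slide 7, and the Identity Provider metadata imported here) are ordinary SAML 2.0 `md:EntityDescriptor` documents, so the same parser can show what each one actually declares before it is imported into the other side. The following is an added example, not RSA Archer code, using only Python's standard library. It extracts the entity ID, the endpoints with their bindings, the NameID formats, the signing and encryption certificates, and the signing preferences, and lists the problems a practitioner checks for: a missing signing certificate (assertion or request signatures could not be verified), no HTTP-Redirect or HTTP-POST endpoint, and endpoints not served over TLS. The two metadata documents below are constructed samples; the entity IDs, hostnames, certificate placeholders and the assertion consumer path are made up and are not values from any Archer deployment.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


@dataclass
class MetadataSummary:
    entity_id: str
    role: str                                       # "SP" or "IDP"
    endpoints: list = field(default_factory=list)   # (binding, location) pairs
    name_id_formats: list = field(default_factory=list)
    signing_certs: int = 0
    encryption_certs: int = 0
    want_assertions_signed: bool = False
    authn_requests_signed: bool = False
    problems: list = field(default_factory=list)


def summarize_metadata(xml_text: str) -> MetadataSummary:
    """Parse one md:EntityDescriptor and list the facts that matter for the import."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    if sp is not None:
        desc, role, endpoint_tag = sp, "SP", "md:AssertionConsumerService"
    elif idp is not None:
        desc, role, endpoint_tag = idp, "IDP", "md:SingleSignOnService"
    else:
        raise ValueError("neither SPSSODescriptor nor IDPSSODescriptor present")

    s = MetadataSummary(entity_id=root.get("entityID", ""), role=role)
    s.endpoints = [(e.get("Binding"), e.get("Location")) for e in desc.findall(endpoint_tag, NS)]
    s.name_id_formats = [e.text.strip() for e in desc.findall("md:NameIDFormat", NS) if e.text]
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.find(".//ds:X509Certificate", NS) is None:
            continue
        use = kd.get("use")        # no "use" attribute means the key serves both purposes
        s.signing_certs += use in (None, "signing")
        s.encryption_certs += use in (None, "encryption")
    s.want_assertions_signed = desc.get("WantAssertionsSigned", "false").lower() == "true"
    s.authn_requests_signed = desc.get("AuthnRequestsSigned", "false").lower() == "true"

    # The checks an administrator wants answered before clicking Import
    if not s.entity_id:
        s.problems.append("missing entityID")
    if not any(b in (HTTP_REDIRECT, HTTP_POST) for b, _ in s.endpoints):
        s.problems.append(f"no HTTP-Redirect or HTTP-POST {endpoint_tag[3:]} endpoint")
    for _, loc in s.endpoints:
        if loc and not loc.lower().startswith("https://"):
            s.problems.append(f"endpoint not served over TLS: {loc}")
    if s.signing_certs == 0:
        s.problems.append("no signing certificate: signatures cannot be verified")
    return s


# Constructed sample of what an IdP exports (all values made up)
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.test/sso/redirect"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.test/sso/post"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample shaped like the Service Provider metadata described on slide 7;
# the assertion consumer path is a placeholder, deliberately on plain http to trip the check
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="archer-instance-example">
 <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="http://archer.example.test/RSAArcher/default.aspx" index="0"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for text in (IDP_METADATA, SP_METADATA):
        print(summarize_metadata(text))
```

Run it over the IdP file before importing and over Archer's generated SP file before handing it to the IdP team; a non-empty `problems` list is the thing to resolve first, since an import can succeed while the resulting login still fails on a mismatched entity ID or an unverifiable signature.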

16 USER PROVISIONING SETTINGS

Set the user provisioning settings for each Identity Provider

▪ Enable User Provisioning – Creates a new Archer account if one does not already exist for the NameID

▪ Enable User Update – Enables user profile updates such as first name, last name, address, email, etc.

▪ Enable Group Update – Enables group membership updates
− Currently selected groups are replaced by the IDP groups

▪ Enable Role Update – Enables role assignment updates
− Currently selected roles are replaced by the IDP roles

▪ Default First Name – Used if no first name supplied by IDP

▪ Default Last Name – Used if no last name supplied by IDP

▪ Default Role – Used if no role supplied by IDP
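The attribute-mapping slides and the provisioning settings above describe one decision procedure: find or create the account for the NameID, fill the profile from the mapped attributes (FullAddress or the four address parts, a TimeZoneId from the appendix list), and replace rather than merge group and role assignments. The following is an added example that models that procedure as described on these slides; it is not RSA Archer's implementation, and how Archer itself treats an unsupported TimeZoneId is not stated on the page, so the code ignores and reports it (an assumption). The directory, the settings defaults and the attribute values are constructed, and the time zone set is a small subset of the appendix table.

```python
from dataclasses import dataclass, field

# Constructed subset of the TimeZoneId values listed in the appendix
SUPPORTED_TIME_ZONES = {"Pacific Standard Time", "Eastern Standard Time",
                        "GMT Standard Time", "India Standard Time", "UTC"}
# Assertion attribute name -> profile field, from the attribute-mapping slides
PROFILE_FIELDS = {"FirstName": "first_name", "LastName": "last_name",
                  "MiddleName": "middle_name", "Title": "title", "Company": "company",
                  "EmailAddress": "email", "PhoneNumber": "phone",
                  "UserDomain": "domain", "SecurityParameterId": "security_parameter"}


@dataclass
class ProvisioningSettings:
    enable_user_provisioning: bool = True
    enable_user_update: bool = True
    enable_group_update: bool = True
    enable_role_update: bool = True
    default_first_name: str = "SSO"          # constructed defaults
    default_last_name: str = "User"
    default_role: str = "General User"


@dataclass
class ArcherUser:
    user_name: str
    profile: dict = field(default_factory=dict)
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)


def _values(attrs, single, multi):
    """Group/Groups and Role/Roles: the plural name carries a multi-valued attribute."""
    if multi in attrs:
        v = attrs[multi]
        return set(v) if isinstance(v, (list, tuple, set)) else {v}
    if single in attrs:
        return {attrs[single]}
    return None                       # attribute absent: leave the assignment alone


def _address(attrs):
    """FullAddress wins; otherwise Street, City, State and Zipcode are combined."""
    if attrs.get("FullAddress"):
        return attrs["FullAddress"]
    parts = [attrs.get(k) for k in ("Street", "City", "State", "Zipcode")]
    return " ".join(p for p in parts if p) or None


def apply_assertion(name_id, attrs, settings, directory):
    """Apply one processed assertion; returns (user, action, warnings) or raises."""
    warnings = []
    user = directory.get(name_id)
    if user is None:
        if not settings.enable_user_provisioning:
            raise PermissionError(f"no account for NameID {name_id!r} and provisioning is off")
        user = ArcherUser(user_name=name_id, profile={
            "first_name": settings.default_first_name,
            "last_name": settings.default_last_name})
        user.roles = _values(attrs, "Role", "Roles") or {settings.default_role}
        user.groups = _values(attrs, "Group", "Groups") or set()
        directory[name_id] = user
        action = "created"
    else:
        action = "authenticated"

    # A new account takes the attributes once; afterwards only if Enable User Update is on
    if action == "created" or settings.enable_user_update:
        for attr, fld in PROFILE_FIELDS.items():
            if attr in attrs:
                user.profile[fld] = attrs[attr]
        addr = _address(attrs)
        if addr:
            user.profile["address"] = addr
        tz = attrs.get("TimeZoneId")
        if tz is not None:
            # Assumption: an unsupported TimeZoneId is ignored and reported, not a login failure
            if tz in SUPPORTED_TIME_ZONES:
                user.profile["time_zone"] = tz
            else:
                warnings.append(f"unsupported TimeZoneId {tz!r} ignored")

    # Group and role updates replace the current assignments rather than merging
    if action != "created" and settings.enable_group_update:
        groups = _values(attrs, "Group", "Groups")
        if groups is not None:
            user.groups = groups
    if action != "created" and settings.enable_role_update:
        roles = _values(attrs, "Role", "Roles")
        if roles is not None:
            user.roles = roles
    return user, action, warnings
```

The replace-not-merge behaviour is the point to test against a real IdP: a login whose assertion carries a `Groups` attribute with one value silently drops every other group the user held, while an assertion that omits the attribute entirely leaves the assignments unchanged. Role values that arrive in the assertion determine what the user can do in Archer, so the IdP-side attribute release for Role/Roles deserves the same change control as the Archer access roles themselves.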

17 SSO LOGIN DECISION PAGE

▪ Navigating to the instance URL presents the RSA Archer SSO Login Decision Page

▪ This page allows the end user to select from the list of Identity Providers configured for the instance

▪ If Allow Manual Bypass is enabled, Archer Manual Login is available as a selection

▪ Clicking Login redirects the authentication request to the selected Identity Provider

18 SKIPPING DECISION PAGE

▪ The IDP parameter redirects the authentication request to the Identity Provider tied to the Realm value, skipping the decision page

▪ Assume the Instance URL is set to http://sales.instance.archer.com/RSAArcher

▪ Entering http://sales.instance.archer.com/RSAArcher/default.aspx?IDP=okta as the URL would redirect the request immediately to the North America – Okta IDP, as it is tied to the “okta” Realm
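The entry-point logic described on the last three slides (decision page, Allow Manual Bypass, and the IDP/Realm shortcut) is small enough to write down, which makes the two edge cases explicit: an IDP value that matches no configured Realm falls back to the decision page instead of failing, and `manuallogin=true` must do nothing when manual bypass is disabled. This is an added example, not RSA Archer code; the realm table is constructed, and case-insensitive matching of both the parameter name and the Realm value is an assumption, not something the slides state.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed IdP configuration: Realm -> Display Name (the two fields on slide 14)
IDP_REALMS = {"okta": "North America - Okta", "ping": "EMEA - PingFederate"}


def route_login(url, idp_realms=IDP_REALMS, allow_manual_bypass=False):
    """Decide where a request to the instance URL goes: an IdP, manual login, or the decision page."""
    # Assumption: parameter names are matched case-insensitively (?IDP= and ?idp= behave alike)
    query = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items() if v}
    choices = sorted(idp_realms.values()) + (["Archer Manual Login"] if allow_manual_bypass else [])

    if query.get("manuallogin", "").lower() == "true":
        if allow_manual_bypass:
            return {"action": "manual_login"}
        # Bypass disabled: the parameter is ignored rather than exposing the credential form
        return {"action": "decision_page", "reason": "manual bypass disabled", "choices": choices}

    realm = query.get("idp")
    if realm:
        # Assumption: Realm values are compared case-insensitively
        by_lower = {r.lower(): r for r in idp_realms}
        match = by_lower.get(realm.lower())
        if match:
            return {"action": "redirect_to_idp", "realm": match, "idp": idp_realms[match]}
        return {"action": "decision_page", "reason": f"unknown realm {realm!r}", "choices": choices}
    return {"action": "decision_page", "reason": "no IDP parameter", "choices": choices}


if __name__ == "__main__":
    print(route_login("http://sales.instance.archer.com/RSAArcher/default.aspx?IDP=okta"))
    print(route_login("http://sales.instance.archer.com/RSAArcher/default.aspx?manuallogin=true"))
```

The vanity URL only selects which configured IdP receives the authentication request; it does not bypass the IdP, so it is safe to publish per region. The manual-login URL is different: leaving Allow Manual Bypass off on production instances means the Archer password form is never reachable by URL, which is usually what a federated deployment wants.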

19 TROUBLESHOOTING

▪ Logging for issues with SAML SSO authentication is much more robust than it is with Federated mode

▪ When a SAML SSO authentication failure occurs, a specific log reference is presented to the end user

▪ Errors encountered during SAML SSO authentication are collected in a new log file within the instance folder, with a name of the form {ServerName}.{Instance}.SAML.{Date_YYYYMMDD}.xml

20 TROUBLESHOOTING

▪ If the log reference does not provide enough information, you can also enable Information level logging to provide more context

▪ Info level logging records the full SAML request message as sent and the full SAML assertion received, which can greatly aid in troubleshooting
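Two helpers for working with those log files, added here as an example (not RSA Archer code). The first turns the `{ServerName}.{Instance}.SAML.{Date_YYYYMMDD}.xml` naming convention into a lookup so the right file is pulled from every web server for the day a user reported a failure (it assumes server and instance names contain no dots). The second handles the consequence of Info level logging: the captured assertion contains the NameID, every attribute value and the signature material, so before a log excerpt goes into a support ticket it should be reduced to the fields that explain most failures (issuer, audience, validity window, attribute names) and the rest redacted. The page does not describe the XML wrapper Archer writes around the captured assertion, so the sample below is a bare, constructed SAML assertion with made-up values, and the file names in the test are constructed too.

```python
import re
import xml.etree.ElementTree as ET

# {ServerName}.{Instance}.SAML.{Date_YYYYMMDD}.xml; assumes no dots in server or instance names
LOG_NAME = re.compile(r"^(?P<server>[^.]+)\.(?P<instance>[^.]+)\.SAML\.(?P<date>\d{8})\.xml$")


def find_saml_logs(file_names, instance, date_yyyymmdd):
    """Pick the SAML log files for one instance on one day, across all web servers."""
    hits = []
    for name in file_names:
        m = LOG_NAME.match(name)
        if m and m["instance"] == instance and m["date"] == date_yyyymmdd:
            hits.append(name)
    return sorted(hits)


NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Elements whose text identifies the user or carries key material
SENSITIVE = {f"{{{NS['saml']}}}AttributeValue", f"{{{NS['saml']}}}NameID",
             f"{{{NS['ds']}}}SignatureValue", f"{{{NS['ds']}}}X509Certificate"}


def summarize_assertion(xml_text):
    """The fields most often behind a failed login: issuer, audience, validity window, attribute names."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "audience": root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS).strip(),
        "not_before": cond.get("NotBefore") if cond is not None else None,
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
        "attributes": [a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)],
    }


def redact_assertion(xml_text):
    """Blank identity values and signature material while keeping the structure a support case needs."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag in SENSITIVE:
            el.text = "[REDACTED]"
    return ET.tostring(root, encoding="unicode")


# Constructed assertion with made-up values; not taken from any Archer log
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0"
  IssueInstant="2020-01-01T12:00:00Z">
 <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
 <ds:Signature><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature>
 <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2020-01-01T11:55:00Z" NotOnOrAfter="2020-01-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>archer-instance-example</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Groups"><saml:AttributeValue>Audit</saml:AttributeValue>
   <saml:AttributeValue>Risk</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(summarize_assertion(SAMPLE_ASSERTION))
    print(redact_assertion(SAMPLE_ASSERTION))
```

Compare the summary against the Archer side: the audience must equal the Instance Entity ID, the validity window must contain the web server's clock at the time of the request, and the attribute names must match the mappings configured for that Identity Provider. Info level logging should be switched back off once the case is closed, and the log files treated as containing personal data for as long as they are retained.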

21 DEMO

22 APPENDIX – SUPPORTED VALUES

▪ The table on the following slides lists all the supported time zone values that can be used to update the user's time zone via SAML SSO

▪ The Time Zone value should be passed as the string in the first column

▪ The second column shows the value as it is represented in the Time Zone drop-down of Manage Users

23 APPENDIX – SUPPORTED TIME ZONE VALUES

RSA Archer Supported Time Zone | RSA Archer Drop-Down Value
Dateline Standard Time | (UTC-12:00) International Date Line West
Samoa Standard Time | (UTC+13:00) Samoa
Hawaiian Standard Time | (UTC-10:00) Hawaii
Alaskan Standard Time | (UTC-09:00) Alaska
Pacific Standard Time | (UTC-08:00) Pacific Time (US & Canada)
Mountain Standard Time | (UTC-07:00) Mountain Time (US & Canada)
Central Standard Time | (UTC-06:00) Central Time (US & Canada)
Canada Central Standard Time | (UTC-06:00) Saskatchewan
Central America Standard Time | (UTC-06:00) Central America
Eastern Standard Time | (UTC-05:00) Eastern Time (US & Canada)
Atlantic Standard Time | (UTC-02:00) Mid-Atlantic
E. South America Standard Time | (UTC-03:00) Brasilia
Greenland Standard Time | (UTC-03:00) Greenland
Mid-Atlantic Standard Time | (UTC-02:00) Mid-Atlantic
Azores Standard Time | (UTC-01:00) Azores
Cape Verde Standard Time | (UTC-01:00) Cape Verde Is.
GMT Standard Time | (UTC) Dublin, Edinburgh, Lisbon, London
Greenwich Standard Time | (UTC) Monrovia, Reykjavik
Central Europe Standard Time | (UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb
Central European Standard Time | (UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb
Romance Standard Time | (UTC+01:00) Brussels, Copenhagen, Madrid, Paris

24 APPENDIX – SUPPORTED TIME ZONE VALUES

RSA Archer Supported Time Zone | RSA Archer Drop-Down Value
W. Europe Standard Time | (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
W. Central Africa Standard Time | (UTC+01:00) West Central Africa
E. Europe Standard Time | (UTC+02:00) E. Europe
Standard Time | (UTC+02:00)
FLE Standard Time | (UTC+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius
GTB Standard Time | (UTC+02:00) , Bucharest
Standard Time | (UTC+02:00)
South Africa Standard Time | (UTC+02:00) Harare, Pretoria
Russian Standard Time | (UTC+04:00) Moscow, St. Petersburg, Volgograd
Arab Standard Time | (UTC+03:00) Kuwait, Riyadh, E. Africa
E. Africa Standard Time | (UTC+03:00) Nairobi
Arabic Standard Time | (UTC+03:00) Baghdad
Iran Standard Time | (UTC+03:30) Tehran
Arabian Standard Time | (UTC+04:00) Abu Dhabi, Muscat
Caucasus Standard Time | (UTC+04:00) Yerevan
Ekaterinburg Standard Time | (UTC+06:00) Ekaterinburg
West Asia Standard Time | (UTC+05:00) Tashkent
India Standard Time | (UTC+05:30) Chennai, Kolkata, Mumbai, New Dehli
| (UTC+05:45)
Central Asia Standard Time | (UTC+06:00) Astana
Standard Time | (UTC+05:30) Sri Jayawardenepura

25 APPENDIX – SUPPORTED TIME ZONE VALUES

RSA Archer Supported Time Zone | RSA Archer Drop-Down Value
N. Central Asia Standard Time | (UTC+07:00) Novosibirsk
| (UTC+06:30) Yangon (Rangoon)
North Asia Standard Time | (UTC+08:00) Krasnoyarsk
China Standard Time | (UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi
Singapore Standard Time | (UTC+08:00) Kuala Lumpur, Singapore
Taipei Standard Time | (UTC+08:00) Taipei
W. Australia Standard Time | (UTC+08:00) Perth
North Asia East Standard Time | (UTC+09:00) Irkutsk
Korea Standard Time | (UTC+09:00) Seoul
Tokyo Standard Time | (UTC+09:00) Osaka, Sapporo, Tokyo
Yakutsk Standard Time | (UTC+10:00) Yakutsk
Central Australia Standard Time | (UTC+09:30) Adelaide
E. Australia Standard Time | (UTC+10:00) Brisbane
Tasmania Standard Time | (UTC+10:00) Hobart
Vladivostok Standard Time | (UTC+11:00) Vladivostok
West Pacific Standard Time | (UTC+10:00) Guam, Port Moresby
Central Pacific Standard Time | (UTC+11:00) Solomon Is., New Caledonia
New Zealand Standard Time | (UTC+12:00) Auckland, Wellington
Tonga Standard Time | (UTC+13:00) Nuku'alofa
Azerbaijan Standard Time | (UTC+04:00) Baku
Middle East Standard Time | (UTC+02:00) Beirut

26 APPENDIX – SUPPORTED TIME ZONE VALUES

RSA Archer Supported Time Zone | RSA Archer Drop-Down Value
Standard Time | (UTC+03:00) Amman
Central Standard Time (Mexico) | (UTC-06:00) Guadalajara, Mexico City, Monterrey
Mountain Standard Time (Mexico) | (UTC-07:00) Chihuahua, La Paz, Mazatlan
Pacific Standard Time (Mexico) | (UTC-08:00) Baja California
Namibia Standard Time | (UTC+01:00) Windhoek
Georgian Standard Time | (UTC+04:00) Tbilisi
Central Brazilian Standard Time | (UTC-04:00) Cuiaba
Montevideo Standard Time | (UTC-03:00) Montevideo
Venezuela Standard Time | (UTC-04:30) Caracas
Argentina Standard Time | (UTC-03:00) Buenos Aires
Morocco Standard Time | (UTC) Casablanca
Pakistan Standard Time | (UTC+05:00) Islamabad, Karachi
Mauritius Standard Time | (UTC+04:00) Port Louis
UTC | (UTC) Coordinated Universal Time
Paraguay Standard Time | (UTC-04:00) Asuncion
Kamchatka Standard Time | (UTC+12:00) Petropavlovsk-Kamchatsky - Old
US Mountain Standard Time | (UTC-07:00) Arizona
US Eastern Standard Time | (UTC-05:00) Indiana (East)
SA Pacific Standard Time | (UTC-05:00) Bogota, Lima, Quito
SA Western Standard Time | (UTC-04:00) Georgetown, La Paz, Manaus, San Juan
Pacific SA Standard Time | (UTC-04:00) Santiago

27 APPENDIX – SUPPORTED TIME ZONE VALUES

RSA Archer Supported Time Zone | RSA Archer Drop-Down Value
Newfoundland Standard Time | (UTC-03:30) Newfoundland
SA Eastern Standard Time | (UTC-03:00) Cayenne, Fortaleza
Afghanistan Standard Time | (UTC+04:30) Kabul
SE Asia Standard Time | (UTC+07:00) Bangkok, Hanoi, Jakarta
AUS Central Standard Time | (UTC+09:30) Darwin
AUS Eastern Standard Time | (UTC+10:00) Canberra, Melbourne, Sydney
Fiji Standard Time | (UTC+12:00) Fiji
UTC-11 | (UTC-11:00) Coordinated Universal Time-11
Bahia Standard Time | (UTC-03:00) Salvador
UTC-02 | (UTC+01:00) Tripoli
Libya Standard Time | (UTC+01:00) Tripoli
Standard Time | (UTC+02:00) Damascus
Turkey Standard Time | (UTC+02:00) Istanbul
Kaliningrad Standard Time | (UTC+03:00) Kaliningrad, Minsk
| (UTC+06:00) Dhaka
Ulaanbaatar Standard Time | (UTC+08:00) Ulaanbaatar
Magadan Standard Time | (UTC+12:00) Magadan
UTC+12 | (UTC+12:00) Coordinated Universal Time+12

28 THANK YOU!
