PingFederate: RSA SecurID Integration Kit 3.0.1
PingFederate supports different third-party integration kits for Multi-Factor Authentication (MFA) to enhance security. One of the more popular integration kits is RSA SecurID, which can be integrated with PingFederate to leverage two-factor authentication.
The previous version, RSA SecurID Integration Kit 2.1, wasn’t compatible with PingFederate 9.2.3 or above. When trying to create an IdP adapter, you would receive the error “Can’t create API: There was a problem connecting to RSA SDK.” Some were using RADIUS authentication as a workaround for the issue.
So, what is the good news now?
PingIdentity has released a new Integration Kit, 3.0.1, for RSA SecurID. It differs slightly from the previous version. With RSA SecurID Integration Kit 2.1, the PingFederate administrator needed to upload the ‘sdconf.rec’ file from RSA Authentication Manager in the adapter. The new version doesn’t need one. Instead, the administrator needs to configure the RSA REST API URL. In this blog, we’ll cover what you need to know to configure the RSA adapter using RSA SecurID Integration Kit 3.0.1.
1. Download ‘RSA SecurID Integration kit 3.0.1’ from the PingIdentity website at https://www.pingidentity.com/en/resources/downloads/pingfederate.html
2. Copy the ‘pf-rsa-securid-idp-adapter-3.0.1.jar’ file from the dist directory to <PingFederateInstallpath>\pingfederate\server\default\deploy
3. Copy all the form pages from template directory to <PingFederateInstallpath>\pingfederate\server\default\conf\template.
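Steps 2 and 3 above as a PowerShell script. This is an added example, not part of the kit or of PingIdentity's documentation; the kit extraction folder, the install root, and a flat template directory are assumptions.

```powershell
# Added example: deploys the kit files from steps 2 and 3.
# $KitRoot and $PfHome are assumed locations; change them for your environment.
param(
    [string]$KitRoot = 'C:\Temp\rsa-securid-kit-3.0.1',  # assumed: where the kit was unzipped
    [string]$PfHome  = 'C:\PingFederate'                 # stands in for <PingFederateInstallpath>
)
$ErrorActionPreference = 'Stop'

$jar       = Join-Path $KitRoot 'dist\pf-rsa-securid-idp-adapter-3.0.1.jar'
$templates = Join-Path $KitRoot 'template'
$deployDir = Join-Path $PfHome  'pingfederate\server\default\deploy'
$tmplDir   = Join-Path $PfHome  'pingfederate\server\default\conf\template'
$jarName   = Split-Path $jar -Leaf

# Fail early if any source or destination path is missing.
foreach ($p in $jar, $templates, $deployDir, $tmplDir) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing path: $p" }
}

# Report any other version of the adapter jar already in deploy so it can be reviewed.
Get-ChildItem -LiteralPath $deployDir -Filter 'pf-rsa-securid-idp-adapter-*.jar' |
    Where-Object { $_.Name -ne $jarName } |
    ForEach-Object { Write-Warning "Other adapter version present: $($_.FullName)" }

# Step 2: copy the adapter jar and record its SHA-256 for the change record.
Copy-Item -LiteralPath $jar -Destination $deployDir
$hash = Get-FileHash -LiteralPath (Join-Path $deployDir $jarName) -Algorithm SHA256
'Deployed {0} SHA256={1}' -f $jarName, $hash.Hash

# Step 3: copy the form pages, keeping a timestamped backup of any file
# that already exists (it may carry local customizations).
$stamp = Get-Date -Format 'yyyyMMddHHmmss'
Get-ChildItem -LiteralPath $templates -File | ForEach-Object {
    $target = Join-Path $tmplDir $_.Name
    if (Test-Path -LiteralPath $target) {
        Copy-Item -LiteralPath $target -Destination "$target.$stamp.bak"
    }
    Copy-Item -LiteralPath $_.FullName -Destination $target
}
```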
Before configuring an RSA adapter, you’ll need to have the following information ready.
RSA Agent: An RSA agent should be created in RSA Authentication Manager to be used as a client identifier. Use this reference link to create an agent on the RSA Authentication Manager console. https://community.rsa.com/docs/DOC-77208
RSA API URL: PingFederate uses this REST API URL to communicate with RSA Authentication Manager to validate the username and passcode. You need administrator access to set up an API URL. Use this reference link to set up the RSA SecurID Authentication API. https://community.rsa.com/docs/DOC-76573
Sample REST API URL: https://nj1dev2s3rsa01.idmworks.com:5555/mfa/v1_1
Access ID: RSA Access ID is a unique identifier for the client that can securely pass user authentication requests to and from the Authentication Manager.
Access Key: RSA Access key is a unique value that will be used as a shared secret to communicate securely with the RSA Authentication Manager.
Create a new IdP adapter and select ‘RSA SecurID IdP Adapter 3.0’ from the dropdown list.
If you have a failover server for RSA, enter the failover server API URL in the failover section.
Enter the RSA agent name, REST API URL, Access ID and Access Key in the section below.
The new Integration kit has the ability to test the connection with the details entered. Click ‘Test Connection.’ If there are no errors, it will return a “connection successful” message. If there are any errors, a “connection unsuccessful” message will appear on the screen.
Extend the contract as required. By default, the contract will be ‘subject’.
Select any attribute to be Pseudonym.
If attributes are added under the extended contract, add the attribute source mapping in the section below to fulfill the contract from the local datastore.
Review the summary page and save the changes.
To leverage Multi-Factor Authentication (MFA), chain the HTMLForm and RSA SecurID adapter in a composite adapter and map it to an SP connection. At runtime, SSO requests first pass through HTMLForm for username/password authentication then through RSA SecurID for RSA passcode.
As always, if you run into any bumps along the way, feel free to reach out to the IAM Pros at IDMWORKS and we’ll help you work through it.