SSO with RSA two factor Authentication

jhagdak_
Contributor

SSO with RSA two factor Authentication

We are trying to set up SSO to streamline our authentication access for our customers.

Currently we use RSA SecurID to front end the initial auth attempts and then the users open a bookmark and sign on again to the application.

I have been told that this was not supported...

Juniper's response:

- Wanted the users to get authenticated using RSA & having the SSO for resources that require AD credentials.

- Informed him that the functionality is not supported as of now.

From what I understand it can be done using SAML on the IVE and RSA FIM

http://www.rsa.com/node.aspx?id=1191

Has anyone done this before and can they share their setup with me to resolve this issue?

22 REPLIES
jhagdak_
Contributor

Re: SSO with RSA two factor Authentication

Was informed by Juniper that native RSA is not supported; however, in version 6.4 they offer KCD, which allows for SSO with OTP compatibility. In the midst of defining this access method to allow two factor authentication directly to our applications and allow the SSO for our end users.
dmw_
Occasional Contributor

Re: SSO with RSA two factor Authentication

I have my system set up with RSA and AD auth for SSO.

My primary logon is RSA and secondary is AD that I use later for SSO.

The only trick is that when the <PASSWORD> is required for the passthru you specify <PASSWORD[2]> that is provided on the secondary set of credentials. And if the username is different then provide the <Username[2]> as well; if they are the same then it doesn't matter.

stine_
Super Contributor

Re: SSO with RSA two factor Authentication

dmw, how do you do your role mapping? I have an sa-2000 (6.3r3) w/ Windows AD as primary and RSA as secondary so that I can use the AD group memberships to do role assignments.

dmw_
Occasional Contributor

Re: SSO with RSA two factor Authentication

Not a problem. I use RSA as primary, and pick up directory attributes from LDAP pointing at AD and pick the group membership from there. I use expressions to go inquire on group membership, but I think you can do it with group membership as well when the directory attribute is pointing to AD via LDAP.
stine_
Super Contributor

Re: SSO with RSA two factor Authentication

thanks, i'll have to try that in my copious free time.
jhagdak_
Contributor

Re: SSO with RSA two factor Authentication

dmw,

I will need to try that! I assume this setting you mentioned is under the SSO \ Windows Credential Policy?

Where was this information published?

dmw_
Occasional Contributor

Re: SSO with RSA two factor Authentication

Servers
Authentication: RSAServer <----- I use this for Primary Auth
Directory/Attribute: LDAPServer <---- I use this for checking Group Membership in Role Mapping
Accounting : RadiusServer

Additional authentication server

Authentication #2: AD Kerberos <--- SSO secondary Auth

Username is: specified by user on sign-in page <----- this variable on the IVE is <USER[2]>
Password is: specified by user on sign-in page <----- this variable on the IVE is <PASSWORD[2]>

In the expression builder you can use user@{AD_SSO} to perform the checks against the SSO user. If the userids are the same go ahead and use the user from RSA to dip directly against LDAP. I have tested the RSA userid where it is equal to my <USERNAME[2]> so group membership can be tested with the primary user.

There are all kinds of combinations that open themselves up with this kind of configuration.

stine_
Super Contributor

Re: SSO with RSA two factor Authentication

thanks. that's exactly what i wanted to do.
stine_
Super Contributor

Re: SSO with RSA two factor Authentication

question: i have two auth servers, RSA and AD. Why would you make one the 'primary' instead of the other???

Have any ssl vpn providers been hit with DOS attacks against specific logins? if so, how do you mitigate them?

stine