1Kosmos integrates with RSA SecurID as a SAML 2.0 identity provider, replacing RSA password and OTP-based authentication with biometric verification for enterprise applications.
Integration type
Auth/IDP
Overview
RSA SecurID Access (now RSA ID Plus) is an enterprise authentication platform providing SSO, MFA, and risk-based access control. 1Kosmos integrates as a SAML 2.0 identity provider, delegating authentication to 1Kosmos biometrics. 1Kosmos replaces the RSA identity provider, authenticating users biometrically and returning signed SAML assertions to RSA-connected service providers.
What we solve
Organizations using RSA SecurID Access/ID Plus need to increase assurance and reduce OTP/password dependence for access to RSA-managed applications and SSO workflows. This integration configures 1Kosmos as the upstream SAML identity provider so users authenticate biometrically and RSA can broker that verified login to protected applications.
The RSA Cloud Administration Console provides an Application Catalog for configuring SAML integrations. For applications not in the catalog, a SAML Direct template is used to create a custom SAML connector.
The connector is configured with the SP Entity ID and ACS URL of the target service provider, and 1Kosmos metadata is imported to establish the IdP configuration. RSA metadata is then exported and imported into AdminX to complete the federation trust.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
RSA SecurID Access / RSA ID Plus administrator access: Admin access to the RSA Cloud Administration Console with permissions to configure applications and identity providers.
RSA-protected application SP details: The Entity ID and ACS URL of the downstream service provider that RSA is protecting. These are needed when configuring the RSA SAML connector for each application.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for RSA:
| Field | Where to find it |
|---|---|
| SAML Metadata XML or URL | AdminX → Settings → IdP Configuration → Metadata URL |
| SSO URL | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| IdP Entity ID | AdminX → Settings → IdP Configuration → Core Configuration |
| Signing Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
RSA SP values to collect for AdminX (generated by RSA Application Catalog):
| Field | Where to find it |
|---|---|
| RSA SP Entity ID | RSA Cloud Admin Console → Applications → [application] → Service Provider section → Audience / SP Entity ID |
| RSA ACS URL | Same application → Assertion Consumer Service URL |
| RSA IdP Metadata XML | RSA Cloud Admin Console → Applications → [application] → Export Metadata |
Integration steps
Step 1: Create a SAML application connector in RSA
Log in to the RSA Cloud Administration Console and navigate to Applications → Application Catalog.
Search for your application (e.g., ServiceNow, Salesforce, custom app). If not found, select SAML Direct and click Add.
Enter a name for the application on the Basic Information page and click Next Step.
Configure the Initiate SAML Workflow settings for SP-initiated or IdP-initiated flow as required by your application.
In the SAML Identity Provider (Issuer) section, upload the 1Kosmos signing certificate and configure signing. Use the 1Kosmos SSO URL as the Connection URL.
In the Service Provider section, enter the SP Entity ID and ACS URL for the downstream application being protected.
Configure the User Identity section (NameID type, property mapping). Click Next Step and then Publish Changes.
Step 2: Export RSA SAML metadata
From the application entry in the RSA Application Catalog, click Export Metadata to download the RSA IdP metadata XML file. This contains the RSA SP ACS URL and Entity ID needed for AdminX.
Step 3: Add the RSA-protected application as a SAML app in AdminX
Log in to the AdminX portal and navigate to Applications → Add Application.
Select SAML 2.0 Generic and click Add integration. Enter the application name and the application's login URL as the Application Access URL.
Configure NameID format, value, and claims as required by the downstream application. Enable Assertion signing.
Enter the SP Entity ID and ACS URL values from the RSA SAML connector (which represent the downstream application's SP values that RSA proxies). Click Save.
Step 4: Test the integration
Navigate to the RSA-protected application login page or initiate SSO from the RSA portal.
Confirm you are redirected through 1Kosmos biometric authentication and returned to the application as an authenticated user.
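A pre-flight check for the federation trust built in Steps 1 to 3, as an added example that is not 1Kosmos or RSA code: it parses the two exported SAML 2.0 metadata files and compares the Entity IDs, SSO/ACS URLs and signing-certificate fingerprint with the values typed into each console. The hosts, the placeholder certificate bytes and the keys of the `entered` dictionary are constructed for illustration; the XML element names come from the standard SAML 2.0 metadata schema.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

def parse_metadata(xml_text):
    """Pull entity ID, endpoints and signing-cert SHA-256 fingerprints from metadata."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):  # no "use" attribute: key serves both purposes
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((c.text or "").split()))
                certs.append(hashlib.sha256(der).hexdigest())
    locs = lambda path: [e.get("Location") for e in root.iterfind(path, NS)]
    return {"entity_id": root.get("entityID"), "certs": certs,
            "sso": locs("md:IDPSSODescriptor/md:SingleSignOnService"),
            "acs": locs("md:SPSSODescriptor/md:AssertionConsumerService")}

def check_trust(idp, sp, entered):
    """List mismatches between the metadata and the values typed into each console."""
    checks = [
        (entered["idp_entity_id"] == idp["entity_id"], "IdP Entity ID differs from metadata"),
        (entered["sso_url"] in idp["sso"], "SSO URL not published in IdP metadata"),
        (entered["cert_sha256"].lower() in idp["certs"], "signing cert not in IdP metadata"),
        (entered["sp_entity_id"] == sp["entity_id"], "SP Entity ID differs from metadata"),
        (entered["acs_url"] in sp["acs"], "ACS URL not published in SP metadata"),
    ]
    checks += [(entered[k].lower().startswith("https://"), f"{k} is not HTTPS")
               for k in ("sso_url", "acs_url")]
    return [msg for ok, msg in checks if not ok]

# Constructed sample metadata: placeholder hosts and placeholder certificate bytes.
FAKE_DER = b"constructed placeholder, not a real certificate"
IDP_XML = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
 entityID="https://idp.example.test/saml"><md:IDPSSODescriptor>
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleSignOnService Location="https://idp.example.test/sso"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""
SP_XML = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.test/entity">
<md:SPSSODescriptor><md:AssertionConsumerService Location="https://sp.example.test/acs"/>
</md:SPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    print(parse_metadata(IDP_XML), parse_metadata(SP_XML))
```

An empty list from `check_trust` means every value entered by hand agrees with what the two sides publish; run it only on metadata files downloaded directly from the admin consoles.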
Attribute mappings
| Source (1Kosmos) | Target (RSA / downstream app) | Description |
|---|---|---|
| user.email | NameID / email attribute | Primary identifier; format varies by downstream application requirements |
| user.firstName | firstName or givenName | User first name attribute |
| user.lastName | lastName or sn | User last name attribute |
Integration notes
RSA SecurID Access supports both IdP-initiated and SP-initiated SAML flows depending on the connector configuration. The RSA application catalog contains pre-built connectors for hundreds of enterprise applications.
For applications not in the catalog, the SAML Direct template provides a generic SAML 2.0 connector with full control over SP configuration.
Each downstream application integrated through RSA requires its own SAML connector entry in the RSA Application Catalog.

