RSA Access Manager Migration Guide

Read Time: 17 minutes

Introduction

Web access management (WAM) systems have been a part of enterprises for decades. It’s critical to control access and audit applications while reducing the friction for users to interact with applications.

As business has shifted and changed in the Internet era, identity and access management systems have to change and grow to support new use cases. Traditional IAM vendors have been challenged to respond in a timely manner to these changing business requirements. Ping Identity® offers the solution with Identity Defined Security to extend and replace traditional IAM vendor products.

Ping’s products are designed to provide a simple migration strategy from traditional IAM solutions. PingFederate® and PingAccess® integrate with RSA Access Manager to facilitate the transfer of applications without disrupting your end users. The transition from one system to Ping can happen on a timeline that supports your business.

A typical migration to the Ping Identity Platform involves the four phases discussed below. We recommend contacting one of our Platinum Service Partners to assist and guide your organization through the migration process. Information regarding a Platinum Service Partner can be found at https://www.pingidentity.com/en/partner-network.html.

Planning Phase

Understanding Your Architecture

The first step in planning your migration from RSA Access Manager is to survey your deployment and understand the different WAM pieces in play. A standard WAM deployment is shown in Figure 1.

Figure 1: A typical RSA Access Manager Single Sign-On WAM deployment

Typically, an RSA Access Manager deployment uses web agents installed on web servers that sit adjacent to each application. As you plan for the migration, it’s a good time to evaluate your deployment architecture and the lessons learned from maintaining agents. The total cost of ownership related to an agent-based deployment is typically very high.

Deploying a gateway-based architecture can save deployment time as well as reduce the total cost of ownership. PingAccess can be deployed quickly, and the gateway can easily be integrated into existing applications and network traffic can be re-routed to it. A system fully migrated to PingAccess using a gateway deployment is shown in Figure 2.

Figure 2: System migrated to PingAccess

If the PingAccess gateway architecture is not feasible, the migration can still be performed with PingAccess agents following the same deployment architecture as the typical RSA Access Manager installation. A system fully migrated to PingAccess using agents is shown in Figure 3.

Figure 3: System migrated to PingAccess with agents

PingAccess also supports both architectures simultaneously. Some applications can continue with the agent-based architecture while the rest of the applications are protected by the PingAccess gateway. This approach can also be used as an intermediary as the deployment architecture is shifted from agents to gateways.

Application and Policy Inventory

After understanding and planning the deployment architecture, you’ll take inventory of the applications to be migrated. You’ll also evaluate each application to understand the dependencies on RSA Access Manager. A framework for application classification can be found in Appendix A.

For each application, you should catalog the realms, rules and rule groups to be migrated into PingAccess applications, resources, rules and rule sets.

Next, you’ll take inventory and prepare the RSA Access Manager policies for migration. You’ll then catalog each policy and identify the protected resources, the rules and access control lists (ACLs) used and the authentication requirements used to identify users.

Authentication and Session Management

To begin this step, you’ll evaluate and ensure you understand the authentication processes in the environment while planning the migration. If RSA Access Manager is used to authenticate users, you must decide when to migrate authentication away from those systems. There are two recommended methods to migrate authentication from RSA Access Manager. All authentication flows are explained in Appendix B.

The first method migrates authentication from RSA Access Manager at the beginning of the migration process. Migrating authentication at the beginning of the process makes PingFederate the source of record for authentication and identity. If this method is selected, PingFederate can be integrated with RSA Access Manager to provide applications with those still expecting them.

The second method migrates authentication from RSA Access Manager at the end of the migration process. Authentication will continue to occur with RSA Access Manager even if users are accessing PingAccess protected application. PingFederate can be configured and integrated with RSA Access Manager to trust and accept tokens issued by that system. When it’s time to decommission RSA Access Manager, the authentication process is migrated to PingFederate.

Next, you’ll evaluate the session management process. When working with two concurrent WAM systems, it’s important to understand how the sessions integrate. Without evaluating and integrating the sessions between the systems, end users may be unnecessarily prompted to authenticate to the system.

Project Planning

After classifying the applications, cataloging the policies and understanding the authentication and session management processes, you should create a project plan to acquire the resources to install PingFederate and PingAccess, perform integration with RSA Access Manager and migrate the applications.

Based on the application classifications, we recommend the following migration order:

Start with a simple application as a proof-of-concept (PoC) to understand the migration process and remove risk further in the process.
Migrate low complexity applications (i.e., ones with no RSA Access Manager customizations, or those using custom RSA Access Manager APIs) into PingAccess.
Migrate the remaining medium/high complexity applications. Customizations and complex authentication schemes should be migrated and configured as well.

Initial Deployment and RSA Access Manager Integration Phase

PingFederate Installation

To install PingFederate, find the document here.

PingAccess Installation

To install PingAccess, find the documentation here.

PingAccess Integration with PingFederate

Connect PingAccess to PingFederate for authentication by following the documentation located here.

RSA Access Manager Integration

RSA Access Manager Integration leverages the authentication and session management features in both environments. There are two approaches to this, and depending on your deployment needs, one or both might be used at different stages of the migration. Read about the two approaches on the following pages.

Option 1: Leverage RSA Access Manager

In its existing deployment, RSA Access Manager is likely the entry point for users in the system, dictating how authentication is performed and creating sessions once successful. The PingFederate and PingAccess infrastructure can leverage this authentication point by using the PingFederate WAM Integration Kit. This approach is a good way to try some of the PingAccess access control and session management capabilities without impacting the majority of applications or network infrastructure.

Consult the PingFederate WAM Integration Kit documentation for detailed steps on how to deploy it.

Once the PingFederate WAM Integration Kit is deployed, RSA Access Manager sessions are created or updated when accessing applications protected by PingAccess. From that point on, if the user accesses applications using only a PingAccess session, there’s a risk of the RSA Access Manager session timing out. To prevent this behavior and effectively centralize the sessions, employ a ‘session keep alive’ rule or site authenticator to ensure that the RSA Access Manager session is periodically ‘refreshed’ by calling a test resource on the user’s behalf. Any updates to this session (i.e., new cookie values returned in a SetCookie HTTP response header) should be relayed back to the browser.

A summary system architecture diagram of this WAM migration phase is depicted below:

Option 2: Token Mediation

An alternative to leveraging sign-on interfaces in RSA Access Manager is to migrate those to PingFederate as the sole entry point into the system. PingFederate provides a full-featured username/password sign-on mechanism, known as the HTML Form Adapter, and it easily connects to existing directory servers. This may be supplemented with other sign-on mechanisms such as Integrated Windows Authentication (IWA) and strong authentication (i.e., PingID, X.509 certificates, third-party OTP tokens, etc.).

When a mix of PingAccess and RSA Access Manager protected applications exist in the environment, token mediation can be used to ensure a seamless end user SSO and session management experience. In this configuration, the PingAccess gateway exchanges its own web session cookie (known as the PA token) for the target RSA Access Manager session, which is presented to a back-end web server on which an agent
is still deployed. This may be most convenient in a phased migration when a majority of the applications are protected by PingAccess, but pockets of applications still exist that have third-party agents installed on their supporting web server that are difficult to remove.

Details of a typical token mediation are presented in the PingAccess documentation.

The token mediator site authenticator provides this capability in PingAccess and depends on the PingFederate STS with appropriate token generators installed, such as the WAM token translator. View the documentation here.

A summary system architecture diagram of this WAM migration phase is depicted below:

Application Migration Phase

The first step in migrating an application from RSA Access Manager to PingAccess is to ensure that the required integrations are complete and that PingAccess can provide the necessary identity information to the application. The next step is to create the PingAccess rules that enforce access in the same way that RSA Access Manager enforces access.

The final step is to select the architecturally appropriate deployment option. Appendix C highlights a sample migration scenario from an agent- based architecture into either a gateway-based or proxy architecture.

Migrating Application Protection to the PingAccess Gateway

The first step is to determine if the application will continue to require the RSA Access Manager Cleartrust SSO cookie. If it’s still required (for example, if the RSA Access Manager agent will remain on the target web server), you configure token mediation so that PingAccess will acquire a target token on behalf of the user.

Next, you configure the application in PingAccess, defining where the protected web server resides, how it’ll be exposed via the gateway, what the required web session management controls are, and how end user identity details will be passed down to the application if needed (i.e., HTTPheaders using identity mappings).

Then you define your access policies using rules that are equivalent to (or a simplification of) those employed in RSA Access Manager.

Last, you configure network routing to start sending request traffic to PingAccess instead of the application.

Migrating Application Protection to a PingAccess Agent

In scenarios where an agent model is still preferred, the PingAccess agent replaces the existing RSA Access Manager agent.

You should start by defining the application details in PingAccess, including virtual host and path information, web session management controls and how end user identity details will be passed down to the application, if required (i.e., HTTP headers using identity mappings). The agent bootstrap configuration must be defined in PingAccess, and produces a configuration file the agent plugin will read on the target system.

Next, you define your access policies using rules that are equivalent to (or a simplification of) those employed in RSA Access Manager.

Once configured, you uninstall the RSA Access Manager agent on the target web server and install the PingAccess agent.

Documentation for the agents can be found here.

Deploying New Applications

Any new applications protected by the solution should be deployed behind PingAccess. They immediately benefit from the lighter weight integration and combined web and API access management features that PingAccess provides. While a gateway-based implementation is recommended to simplify ongoing maintenance, agents can be installed where required in order to accommodate existing deployment models.

Finalize Migration Phase

Authentication Migration

The final phase of the migration is to remove any remaining RSA Access Manager dependencies. If authentication responsibilities haven’t been transferred to PingFederate, finalize those changes first.

Move the authentication policies and methods to PingFederate in order to provide the same security, experience and functionality that existed with RSA Access Manager.

Application Migration

As applications are migrated to PingAccess for protection, RSA Access Manager agents could still be left in place. It’s critical to work with the application owners to remove those agents before RSA Access Manager is decommissioned. As agents are removed from applications, configuration should be updated in PingAccess to provide the applications the necessary information.

When the final application requiring RSA Access Manager Cleartrust Tokens is migrated to PingAccess, you remove the token mediation configuration.

Final Migration Steps

The last steps are to remove any mechanisms for synchronizing sessions between RSA Access Manager. Finally, RSA Access Manager can be shut down and the servers can be recycled.

The migration to PingFederate and PingAccess is now complete. If you encounter problems or challenges, please contact support@pingidentity.com.

Appendix A: RSA Access Manager Application Classifications

Low Complexity Applications

Low complexity applications are protected by standard web/application agents and have the following characteristics:

LDAP or Active Directory is typically used for authentication
Form basic and certificate-based authentication schemes
Simple realms, rules and policies with no custom authentication schemes/active expressions (such applications are easily migrated to PingAccess without any customizations)

Medium Complexity Applications

Medium complexity applications rely on minor RSA Access Manager customization and have the following characteristics:

Minimal RSA Access Manager customizations, such as custom authentication schemes

RSA Access Manager authorization APIs called to perform authorization checks or using RSA Access Manager APIs for responses (headers/cookies)

Custom code developed using the RSA Access Manager SDK will need to be evaluated to determine if similar functionality is supported by PingAccess out-of-box functionality or can be developed using the PingAccess SDK.

High Complexity Applications

High complexity applications are similar to the medium complexity applications, but have more customization or specific integration requirements. High complexity applications have the following characteristics:

More complex forms of authentication schemes like two-factor authentication, IWA, and impersonation

Integration with applications like PeopleSoft, SAP, WebLogic, WebSphere, etc.

Custom code developed using RSA Access Manager’s SDK will have to be evaluated to determine if similar functionality is supported by PingAccess out-of-box functionality or can be developed using the SDK. While PingAccess provides a number of out-of-box connectors/ adapters for various other tools that require SSO integration, the migration may require some additional planning.

Appendix B: Authentication Flow Process Options

RSA Access Manager as the Authenticator

When RSA Access Manager is used for user authentication, there are two request flows to understand. The first flow focuses on the user accessing an application protected by RSA Access Manager before accessing an application protected by PingAccess. The second flow focuses on the user accessing an application protected by PingAccess and then accessing an application protected by RSA Access Manager.

Scenario 1: User Accesses an Application Protected by RSA Access Manager and then an Application Protected by PingAccess

The user initiates a web session by accessing a RSA Access Manager protected application and then clicks on a URL protected by PingAccess. The following diagram shows the request flow:

Request Flow:

The user clicks a URL protected by RSA Access Manager.
The agent intercepts the request and collects the credentials and authenticates the user with the policy server.
The user is then redirected to the protected web page. The agent creates an Cleartrust SSO cookie for the user.
The user now clicks a URL protected by PingAccess.
PingAccess redirects to PingFederate for authentication.
Integration with PingFederate (i.e., WAM Integration Kit integrated with RSA Access Manager) decodes the Cleartrust SSO cookie and then validates the session with the policy server.
Upon successful validation, PingFederate performs an OpenID Connect based sign-on to PingAccess.
PingAccess validates the OpenID Connect sign-on and generates a PingAccess web session cookie (PA Token) during a redirection to the requested resource. All rules associated with the resource are evaluated for authorization, and if successful, the resource content is returned to the client.

Scenario 2: User Accesses an Application Protected by PingAccess and then an Application Protected by RSA Access Manager

The user initiates the session by accessing a PingAccess protected application and then clicks on a URL protected by RSA Access Manager. The following diagram depicts the request flow:

Request Flow:

The user accesses a URL protected by PingAccess.
PingAccess redirects to PingFederate for authentication
Integration with PingFederate (i.e., WAM Integration Kit integrated with RSA Access Manager) checks if there’s an existing Cleartrust SSO cookie, and if there’s not, it redirects the user to a URL protected by RSA Access Manager for authentication.
The agent intercepts the URL and shows the sign-on page. The user enters credentials and is authenticated by the policy server. RSA Access Manager then creates an Cleartrust SSO cookie.
PingFederate integration with RSA Access Manager decodes the Cleartrust SSO cookie and completes an OpenID Connect based sign-on to PingAccess.
PingAccess validates the OpenID Connect sign-on and generates a PingAccess web session cookie (PA token) and evaluates all the rules associated with the resource for authorization.
The user now clicks a URL protected by RSA Access Manager.
The agent intercepts and validates the Cleartrust SSO cookie with policy server.
If the Cleartrust SSO cookie is still valid and the user is authorized, the application content returned to the browser.

PingFederate as an authenticator

When PingFederate is used for authenticating users, the requirement is that users must interact with an application protected by PingAccess first. The request flow below shows that the authentication event places both the PingAccess JSON web token (JWT) and the RSA Access Manager Cleatrust token as cookies in the browser. After authentication, the user can access either a PingAccess protected application or a RSA Access Manager protected application.

Scenario 3: User Accesses an Application Protected by PingAccess and then an Application Protected by RSA Access Manager

The following steps describe how SSO is achieved between PingAccess and RSA Access Manager when a user accesses a resource protected by PingAccess and authenticated by PingFederate.

Request Flow:

The user accesses a URL protected by PingAccess.
PingAccess redirects to PingFederate for authentication. The HTML Form Adapter (or other configured sign-on mechanism) presents the sign-on page. The user enters credentials and is authenticated.
PingFederate completes an OpenID Connect based sign-on to PingAccess and is redirected to protected resource.
The user now clicks a URL to a resource hosted on a web server with an RSA Access Manager agent installed that is behind a PingAccess gateway.
The PingAccess gateway takes the PingAccess web session cookie (PA token) and sends it in a WSTrust STS request to PingFederate to request a RSA Access Manager token (the Cleartrust SSO cookie).
The PingAccess gateway puts the Cleartrust SSO cookie in the HTTP request and then proxies it to the RSA Access Manager protected resource.
The RSA Access Manager agent checks the session with the policy server. Upon successful authentication and authorization, the web agent allows access to the resource.
The web server returns the resource to the browser.

Appendix C: Mapping RSA Access Manager Objects to Pingaccess/ Pingfederate Objects

The following table shows the list of RSA Access Manager objects and the corresponding PingAccess/PingFederate objects:

RSA Access Manager

PingAccess/PingFederate

Agent

Servers on Access server + webagent.conf on agent

Agent Configuration Object

Webagent.conf on agent

Authentication Requirements

Webagent.conf on agent

Authentication Schemes

aserver.conf on the access server

Host Configuration Object

Ldap.conf on access server

User Directories

Applications

Domains

Resources

Realms, Sub Realms

Smart Rules

Rules

#3233 | 12.18 | v05