In the RSA Identity Governance and Lifecycle 7.2.1 release, we have enhanced the email functionality to include the following security features:
OAuth 2.0 Authentication for Inbound and Outbound Connections
Today, all credentials for email servers (inbound and outgoing) rely on basic credentials. Mail servers are evolving and Office 365, in particular, is ending support for basic credentials and requiring OAuth 2.0 support instead. Open Authentication (OAuth) is an open standard for authorization that provides administrators with an authorization method when connecting to incoming IMAP/POP and outgoing SMTP servers. OAuth enables the product to receive and send email from a third-party account, such as Gmail, without having to enter the credentials for that account.
The OAuth 2.0 implementation requires you to obtain access and refresh tokens from your third-party email provider for each third-party email account. The tokens are automatically saved to the database. They provide authorization for all email communication between the product and the authorized third-party account. In RSA Identity Governance and Lifecycle, a scheduled job regularly checks to see if email access tokens are valid. If the access token is not valid, but the refresh token is, the product automatically regenerates a new access token.
Before you begin
You should have
- Basic knowledge of SMTP, POP & IMAP protocols to configure the email settings.
- Understanding of configuring an OAuth 2.0 application as per the email service specification
- Check the capabilities of your email server
RSA Identity Governance and Lifecycle user must have
- Email Configuration Admin or System Edit privileges
A new improved user interface lets you select OAuth 2.0 as authentication method for inbound & outbound email account connections in email settings page.
- Log in to your third-party email account, such as Gmail, and enable/setup OAuth 2.0 app
- Obtain the following from your third-party email provider application configured above
- Client ID : The Application (client) ID that the provider assigned to your application
- Client secret : A secret string that the application uses to prove its identity when requesting a token.
- Authorization URL: OAuth 2.0 Authorization Server URL
- Token URL : OAuth 2.0 Token Server URL
- Scope: Space delimited string to get token having specific permissions to send/receive emails
- Key in the above details to obtain the OAuth 2.0 access & optionally a refresh token
- If a refresh token is also acquired a scheduled background job is started to refresh the access token before its expiration.
STARTTLS support for Outbound Connections
This release also enhanced the connection security for outbound email connection. If the email server supports the STARTTLS command and you select STARTTLS as the connection security, RSA Identity Governance and Lifecycle will use this protocol after making the connection, and before sending any login information. STARTTLS is an email protocol command that tells an email server that an email client, wants to turn an existing insecure connection into a secure one.
For additional information on this update - please check out this additional context: