You can easily deploy and manage multi-factor authentication methods for your RSA Authentication Manager (AM) users. These users will be able to access agent-protected resources using the RSA Authenticator app on their registered devices. You do not need to replace or update your existing agents or RSA Ready products.
You can use the AM Security Console to seamlessly connect AM to the RSA Cloud Access Service (CAS), and to invite users to download the RSA Authenticator and register their devices to CAS using RSA My Page. After users complete registration, you can use the Security Console User Dashboard to monitor users' authentication activity and perform other user management tasks, such as enabling and disabling users and deleting registered authenticators. To configure the connection, perform these steps:
Note: When upgrading an AM deployment that is already connected to CAS, you may have to re-connect in order to use some features, such as the embedded identity router and High Availability OTPs. To re-establish your connection, see Edit the Cloud Access Service Connection.
Step 1: Prepare the Cloud Access Service Environment
Before you connect AM to CAS, complete the following steps to ensure that your CAS deployment is ready.
- Get Sign-In Credentials for the Cloud Administration Console
- Configure an Access Policy to Protect Your Sensitive Resources
- Enable My Page and Select an Access Policy to Protect My Page
Get Sign-In Credentials for the Cloud Administration Console
Your organization must have a CAS account. If you do not already have an account, contact your RSA Sales representative at https://www.rsa.com/contact/.
Deploy the Cloud Access Service
Identity routers are optional for this integration. You must deploy one or more identity routers only if CAS users are in an Active Directory or LDAPv3 identity source, if you will be using RADIUS or the IDR SSO Portal with CAS, or if CAS users will be authenticating with SecurID tokens or other methods assigned to them in AM.
- If you are using Hyper-V, VMware, Microsoft Azure, or Amazon Web Services to deploy identity routers in your on-premises network or in the Amazon Web Services or Microsoft Azure cloud, see the appropriate Quick Setup Guide.
Note: You do not need to enable RADIUS or single sign-on to connect AM to CAS.
- If you are deploying an embedded identity router in AM, you use a different procedure to connect to CAS and deploy the identity router. For more information, see Add an Identity Router to the Cloud Access Service for Authentication Manager.
If you have configured Active Directory or LDAPv3 identity source(s), after you deploy an identity router, CAS synchronizes users. Users must be known to both CAS and AM to use Cloud-registered authenticators with resources protected by AM. For users in external Active Directory and LDAPv3 identity sources, make sure those identity sources are configured in both CAS and AM. Users in the AM internal database are synchronized to CAS by default when AM has a connection to CAS. See Synchronize Users from Internal Database to CAS.
Configure an Access Policy for Cloud Users Accessing Resources Protected by Authentication Manager
A 1.0 access policy determines which CAS users can access your agent-protected resources and which authentication methods they are required to use. This access policy controls access for all CAS users who authenticate using the new connection, with one exception: for authentications through an RSA MFA Agent that is configured to use AM as a secure proxy for the Cloud, the access policy configured in the MFA Agent is used instead. You can configure the policy to allow access only to selected users who meet certain criteria, or to allow all users; for example, you can restrict access to users on a certain network or in certain departments. For more information, see Access Policies and Add, Clone, or Delete an Access Policy. To create a 1.0 access policy, do NOT enable Primary Authentication at step 9 of Add an Access Policy. Access policies with Primary Authentication enabled (2.0 access policies) are not supported for the connection between AM and CAS.
If you are using AM 8.5 or later with RSA MFA Agents (which are using REST protocol) or a custom REST Agent, you can then configure AM as a secure proxy server to the Cloud. When AM is operating as a secure proxy server for the Cloud with an MFA Agent or custom REST Agent, all authentication requests will be forwarded to the Cloud by AM. If a user authenticates with an OTP method assigned to them in AM, such as a SecurID software token, a connection from the Cloud to AM (via an Identity Router) must also be configured so that the Cloud can pass the authentication back to AM for processing. See Enable SecurID Token Users to Access Resources Protected by the Cloud Access Service. With this configuration, the Cloud access policy configured in the MFA Agent will be used, and assurance levels must contain one of the user's registered authentication methods. Assurance levels are configured within the access policy.
Enable My Page and Select an Access Policy to Protect My Page
RSA My Page is a web portal that helps provide a secure way for users to complete device registration and delete their devices (if necessary). By default, My Page is disabled. You must enable it in Access > My Page before users can use My Page. You must also select the primary authentication method and access policy to use for additional authentication for signing into My Page. This policy must meet the following criteria:
- Specify an identity source that is configured for both AM and CAS.
- Require an authentication method your AM users can provide when they access My Page, for example, LDAP password or SecurID OTP.
For instructions see Manage My Page. If your organization does not want to use My Page, there are other methods available for users to register their authenticators to the Cloud. See Authenticator Registration.
Generate the Registration Code and Registration URL
In the Cloud Administration Console, generate the Registration Code and Registration URL as described in the Connect Authentication Manager to the Cloud Access Service section in Connect Your Cloud Access Service Deployment to RSA Authentication Manager. The code is valid for 24 hours.
Step 2: Connect to the Cloud Access Service
The easiest way to connect AM to CAS is by starting the wizard from the Security Console Home page. After you finish, users who have downloaded the RSA Authenticator and registered their devices to the Cloud Access Service will be able to access agent-protected resources.
AM connects to CAS on port 443. No in-bound connections from CAS to AM are required.
Before you begin
- Confirm that your network infrastructure allows the AM server to connect to the Cloud Access Service Registration URL. You might need to change your network configuration.
- Confirm that all of the primary and replica instances in your deployment can connect to the CAS IP addresses assigned to your region. See Test Access to Cloud Access Service for the list of addresses.
- Confirm that the Manage Cloud Access Service Users permission is enabled on the General Permissions tab in the Security Console for your Help Desk Administrators. This permission allows these administrators to view and manage CAS users in the Security Console User Dashboard. For more information, see Edit Permissions for an Administrative Role.
- Decide if you want to customize the email template that will be used to invite users to register their devices. You can customize it now or later. For more information, see Customize the Cloud Access Service Invitation.
Note: For the least amount of disruption to functionality, RSA advises maintaining an active connection between CAS and AM.
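The two connectivity checks above (Registration URL host and the regional CAS addresses, from every primary and replica instance) can be scripted so the result is the same on each instance. The following is an added example written for this page, not RSA code or an RSA utility. The tenant hostname, the 203.0.113.x addresses and the optional proxy are placeholders (assumptions); substitute the Registration URL from your Cloud Administration Console and the address list from Test Access to Cloud Access Service. It does a full, certificate-verified TLS handshake on port 443 rather than a bare TCP probe, so a TLS-intercepting proxy or firewall shows up as a failure instead of a false pass, and it supports the HTTP proxy (CONNECT) path that the connection wizard's Configure a Proxy Server option covers.

```python
"""Egress check from an AM instance to the Cloud Access Service.
Added example, not RSA code: run it on every primary and replica instance.
The Registration URL host and the regional addresses below are placeholders
(assumptions); substitute the values from your Cloud Administration Console and
from 'Test Access to Cloud Access Service'."""
import socket
import ssl
import sys
from urllib.parse import urlsplit

# Constructed sample target list: one https URL or host[:port] per line, '#' comments.
SAMPLE_TARGETS = """
# Registration URL (only its host matters for reachability)
https://example-tenant.cas.example/registration
# regional service addresses (placeholders)
203.0.113.10
203.0.113.11:443
"""


def parse_targets(text: str):
    """Return [(host, port)]; CAS is reached on 443 only, so that is the default."""
    targets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "://" in line:
            parts = urlsplit(line)
            if parts.scheme != "https" or not parts.hostname:
                raise ValueError(f"expected an https URL: {line!r}")
            targets.append((parts.hostname, parts.port or 443))
        else:
            host, sep, port = line.rpartition(":")
            targets.append((host, int(port)) if sep else (line, 443))
    return targets


def http_connect(proxy_host, proxy_port, host, port, timeout):
    """Tunnel through an HTTP proxy with CONNECT (the Configure a Proxy Server case)."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise OSError("proxy closed the connection during CONNECT")
        reply += chunk
    status = reply.split(b"\r\n", 1)[0].decode(errors="replace")
    if not status.startswith("HTTP/1.") or " 200" not in status:
        sock.close()
        raise OSError(f"proxy refused CONNECT: {status}")
    return sock


def check_tls(host, port=443, timeout=5.0, proxy=None):
    """TCP reachability plus a verified TLS handshake (system trust store, SNI,
    hostname check). A bare port-443 probe also succeeds through a TLS-intercepting
    proxy; verifying the chain reports that as a failure instead of a false PASS."""
    ctx = ssl.create_default_context()
    try:
        raw = (http_connect(proxy[0], proxy[1], host, port, timeout) if proxy
               else socket.create_connection((host, port), timeout=timeout))
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert().get("issuer", ()))
            return {"host": host, "port": port, "ok": True,
                    "tls": tls.version(), "issuer": issuer.get("organizationName", "?")}
    except (OSError, ValueError) as exc:  # ssl.SSLError is an OSError subclass
        return {"host": host, "port": port, "ok": False, "error": f"{type(exc).__name__}: {exc}"}


def run_checks(text=SAMPLE_TARGETS, proxy=None):
    """Check every target; return True only if all handshakes succeeded."""
    results = [check_tls(host, port, proxy=proxy) for host, port in parse_targets(text)]
    for r in results:
        print("PASS" if r["ok"] else "FAIL", f"{r['host']}:{r['port']}", r.get("tls") or r.get("error"))
    return all(r["ok"] for r in results)


if __name__ == "__main__":
    # Optional proxy as ("proxy.example.internal", 3128): an assumption, matching the wizard's proxy option.
    sys.exit(0 if run_checks() else 1)
```

Run it as the same OS context the AM services use, on each instance, and keep the output with your change record: a FAIL with a certificate-verification error on one replica but not the others usually means an interception device or a missing CA bundle on that host, not a CAS outage.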
Procedure
1. In the Security Console, go to the Home page.
2. Click Configure the connection.
3. Verify that you have met the requirements for configuring the connection. Click Next.
4. Do the following:
   - Copy and paste the Registration Code and the Registration URL from the Cloud Administration Console into the connection wizard (see Generate the Registration Code and Registration URL).
   - (Optional) If AM is behind an external firewall, you can configure an HTTP proxy server. See Configure a Proxy Server.
5. Keep the Enable Cloud Authentication check box selected, and click Next.
   When enabled, all authentication agents that previously required a SecurID OTP will allow users to authenticate using both SecurID OTPs and the Cloud-assigned authenticators allowed by the access policy. You can manage Cloud users from the Security Console. See Manage Users in the Security Console below.
6. After the connection succeeds, click Next.
7. You can invite users to register an Authenticator, such as the RSA Authenticator app, and register devices. After registration, users can access your protected resources with the supported authentication methods.
   - To invite users later, click No, Invite users later. The next page displays the procedure for inviting users later.
   - To invite users now, click Yes, Invite more users. You can customize the email message that is sent to users. For instructions, see Customize the Cloud Access Service Invitation.
8. Click Close to exit.
After you finish
- If you have not yet invited users to register their devices and authenticate using the RSA Authenticator, see Send an RSA Authenticator Invitation to Users.
- You can optionally configure AM to act as a secure proxy server that sends authentication requests to CAS. This feature supports all authentication methods supported by REST protocol authentication agents, whether verified by AM or CAS. See RSA Authentication Manager Secure Proxy Server for the Cloud Access Service.
- You can optionally transfer SecurID 700 hardware tokens to CAS to be managed there. See Transfer SecurID 700 Hardware Authenticator Ownership to the Cloud Access Service.
- If there are any issues in the connection between AM and CAS, you can attempt to repair the connection without having to reconnect to the Cloud. See Repair Connection.
How Authentication Manager Works with the Cloud Access Service
The following graphic shows how a user with a registered RSA Authenticator app can access an agent-protected resource, in this example, using the PIN+Approve or PIN+Device Biometrics method.
Transfer SecurID 700 Hardware Authenticator Ownership to the Cloud Access Service
You can choose to transfer ownership and administration of selected SecurID 700 hardware authenticators from AM to CAS. After the authenticator records are transferred to CAS, AM no longer manages the authenticators and cannot take back ownership. For more information, see the Transfer SecurID 700 Hardware Authenticator Ownership to the Cloud Access Service section in RSA Hardware Authenticators.
Manage Users in the Security Console
After completing the integration, you can use the Security Console to manage users and perform routine maintenance. See the following topics on RSA Link for more information.
| If you want to perform this task | See |
|---|---|
| Use the Security Console User Dashboard to manage users who have already registered their devices. | User Dashboard |
| Instruct users on how to register their devices and authenticate with Approve, Device Biometrics, and Authenticate OTP. | Customize the Cloud Access Service Invitation |
| Invite additional AM users to register devices. | Send an RSA Authenticator Invitation to Users |
| Manage user PINs | Manage PINs for Approve and Device Biometrics Authentication |
Step 3: Set User Expectations for Authenticator Registration and Authentication
Your SecurID OTP users must learn how to access protected resources using the new authentication methods. You must educate these users to ensure that the onboarding process goes smoothly and that users know exactly what to expect when they register authenticators and authenticate for the first time. You can provide customized instructions to your users in the e-mail template as described in Customize the Cloud Access Service Invitation.
What Happens During Authenticator Registration
Users complete authenticator registration with the RSA Authenticator (hardware or software) to authenticate to protected applications.
Authenticator registration binds the authenticator to the user. After registration, when the user needs to authenticate to an application, RSA prompts the user for any available authentication methods. For a description of how authenticator registration works and what users experience, see Educating your users with the End User Toolkit.
What Happens During Authentication
Users can access protected resources with different authentication methods, depending on the authenticators they have registered and the authentication methods configured by the administrator. For more information, see Authentication Methods for Cloud Access Service Users.
Cloud MFA Experience for RADIUS Client Authentication
Starting from v8.8, AM supports various authentication methods when the Cloud MFA Experience is enabled for a RADIUS client configured within AM, allowing users to choose from a wider range of CAS authentication methods.
Key Features:
- Supported Authentication Methods: Supports multiple authentication methods using out-of-the-box (OOTB) configurations, including Approve (Push Notification), Authenticate OTP, Device Biometric, SMS OTP, Voice OTP, Emergency Access Code, and SecurID OTP (including New PIN and Next OTP modes) for RADIUS clients.
- PIN-Free Authentication: Eliminates the need for PIN when performing authentication for Approve or Device Biometrics.
- Dynamic Authentication Selection: Users can dynamically change their authentication method during the authentication process, enhancing flexibility.
- OTP via SMS and Voice: Supports OTP through SMS and Voice as part of the MFA experience, in addition to standard authentication methods.
- Password + Step-up Authentication Method: (Optional) You can enable or disable password as the primary authentication method. If enabled, the system checks the password first before initiating the step-up authentication. If disabled, the system directly initiates step-up authentication.
- Support for External AD and Internal DB Users: Both external Active Directory (AD) users and Internal Database (DB) users, who are synchronized with CAS, can use this feature, ensuring smooth integration for MFA authentication.
- Unsupported Methods: FIDO, QR Code, and combinations like SecurID OTP + Approve are not supported in Cloud MFA Experience.
- SecurID OTP Support: Supports SecurID OTP, including both New PIN and Next OTP modes.
How CAS RADIUS Access Policy Determines Authentication Methods
The CAS RADIUS access policy determines the authentication options available for users. Once the CAS policy is created, it is manually linked to the AM RADIUS client configuration for authentication.
Users can provide a passcode, any number (less than 4 digits), special characters, or leave the password field blank in the RADIUS client.
- If a valid passcode is entered, it is checked against all AM native authenticators. If no match is found, the CAS access policy configured on the RSA Cloud Authentication Service Configuration page is applied, and the server responds with either a success or failure status.
- If the entered input is not a valid passcode (for example, less than 4 digits, special characters, or a blank field), the server does not validate the passcode but instead provides the client with a list of available authentication methods based on the CAS RADIUS access policy.
User authentication options and the corresponding responses from AM depend on the configuration and the user's input in the Password field. The following scenarios describe the different configurations:
- Enable Cloud MFA Experience Only
- Enable Both Password Authentication and Cloud MFA Experience
- Support for AM Managed SecurID OTP Authentication
- High Availability (HA) Scenarios
- Code Matching for Approve and Device Biometrics
- Timeout Scenarios and Behavior
Enable Cloud MFA Experience Only
When only the Cloud MFA Experience is enabled for a RADIUS client, without enabling Password Authentication, the method of user authentication is determined based on the input in the Password field. AM uses the CAS access policies to select the correct authentication method for the user. The following table outlines the different authentication scenarios based on user input.
| Password Input | Authentication Process |
|---|---|
| SecurID OTP or Authenticate OTP | The user enters either a SecurID OTP (4 or more digits) or an Authenticate OTP (8 digits) in the Password field. AM determines the method based on the number of digits entered. Note: AM uses the CAS access policy defined in the RSA Cloud Access Service Configuration to authenticate users. If the user enters either method incorrectly, each unsuccessful attempt counts against the lockout settings defined in Configure Session and Authentication Method Settings (for Authenticate OTP) or in the Lockout Policy (for SecurID OTP). |
| 1 | The user authenticates using the last successfully used method in CAS or the default method based on the assurance level defined in the access policy assigned to the RADIUS client. Note: AM responds as described in Authentication with Password set to 1 and Push Notification Disabled. |
| 2, other digits, blank, or any character (special or alphanumeric) | The user is prompted with a list of available authentication options based on the CAS Assurance Levels. Note: Some RADIUS clients may not send null passwords, which can lead to authentication request timeouts. |
Enable Cloud MFA Experience with Push Notification
When both Cloud MFA Experience and Push Notification are enabled for a RADIUS client, user authentication options depend on input in the Password field. The following table outlines the different authentication scenarios based on user input.
| Password Input | Authentication Process |
|---|---|
| 1 or Blank | If Approve or Device Biometrics is the default method, the RADIUS client prompts for those methods directly without forcing the user to choose an authentication method. The authentication process varies depending on whether Always Send Push Notification is selected. Note: AM responds as described in Authentication with Password Set to 1 and Push Notification Enabled (Always Send Push Notification Not Selected) and in Authentication with Password Set to 1 or Blank and Always Send Push Notification Enabled. |
| 2, any digit (less than 4 digits), or any character (special or alphanumeric) | The user is prompted with a list of available authentication options based on the CAS Assurance Levels. Note: Some RADIUS clients may not send null passwords, which can lead to authentication request timeouts. |
Authentication with Password set to 1 and Push Notification Disabled
When the user enters 1 in the Password field to use the last successful method or default method, AM responds as follows:
| Last used method or Default method | Response |
|---|---|
| Approve or Device Biometrics | Sends a push notification. |
| SMS OTP or Voice OTP | Prompts the user with: |
| SecurID OTP, Authenticate OTP | Prompts the user with: Enter your SecurID OTP or 2 for more options. |
| Emergency Access Code | Prompts the user with: Enter your Emergency Access Code or 2 for more options. |
Authentication with Password Set to 1 and Push Notification Enabled (Always Send Push Notification Not Selected)
If the user enters 1 in the Password field to use the last successfully used method in CAS or the default method from the assurance level, AM responds as follows:
| Last used method or Default method | Response |
|---|---|
| Approve or Device Biometrics | Sends a push notification. |
| SMS OTP, Voice OTP, SecurID OTP, Authenticate OTP, or Emergency Access Code | Prompts the user with a list of available authentication methods and asks the user to select the desired method. |
Authentication with Password Set to 1 or Blank and Always Send Push Notification Enabled
When the user enters 1 or leaves the Password field blank, AM will always send a push notification if the assurance level includes Approve or Device Biometrics.
If the assurance level does not include Approve or Device Biometrics, AM presents a list of available authentication options to the user. Users are prompted only for authentication methods they are eligible to complete, as defined by the CAS Assurance Levels.
Enable Both Password Authentication and Cloud MFA Experience
Once AM validates the password, it evaluates the CAS access policy based on whether Push Notification is enabled or disabled.
- Push Notification: Enabled
  - If Always Send Push Notification is not selected:
    - AM prompts the user with: Enter your SecurID OTP, 1 for the last used authenticator, or 2 for more options.
    - If the user enters a passcode, it is checked against all AM native authenticators. If no match is found, AM uses the CAS access policy defined in the CAS configuration for authentication.
    - If the user enters options such as 1, 2, any digit (less than 4 digits), special characters, or a blank field, AM follows the CAS RADIUS access policy defined in the RADIUS Client configuration page.
  - If Always Send Push Notification is selected:
    - AM automatically sends a push notification, even if Approve or Device Biometrics is not the user's default method, provided it is available in the CAS access policy.
    - If the CAS access policy does not include Approve or Device Biometrics, AM presents the other available authentication options, based on the configured CAS access policy.
- Push Notification: Disabled
  - AM prompts the user with: Enter your SecurID OTP, 1 for the last used authenticator, or 2 for more options.
  - If the user enters a passcode, it is checked against all AM native authenticators. If no match is found, AM uses the CAS access policy defined in the CAS configuration for authentication.
  - If the user enters options such as 1, 2, any digit (less than 4 digits), special characters, or a blank field, AM follows the CAS RADIUS access policy defined in the RADIUS Client configuration page.
Support for AM Managed SecurID OTP Authentication
If the Cloud MFA Experience is enabled for the RADIUS client and the user has RSA SecurID tokens managed by AM, they can use those tokens to authenticate to applications. This method supports all tokens managed by AM, including New PIN and Next OTP modes.
Prerequisites:
- AM-managed SecurID Authentication: The Super Admin for CAS must connect the CAS deployment to the AM server. The AM server should be the same server connected to CAS. For more details, see Enable SecurID Token Users to Access Resources Protected by CAS.
- Skip Agent List Configuration: The Super Admin must add the authentication agent name to the skip agent list using the following command:
/opt/rsa/am/utils/rsautil store -a add_config auth_manager.cas.authentication.runtime.skip.agentnames "agent1" GLOBAL STRING
Where "agent1" is the authentication agent name created on AM and used by CAS. After adding the agent name, restart all services for the changes to take effect.
Note: The Super Admin must ensure that CAS Assurance Levels and Access Policies are configured to support SecurID OTP.
Note: When the Cloud MFA Experience is enabled and the user selects Authenticate OTP as their authentication method, a PIN is not required. The Create PIN and Change PIN functionalities do not apply in this case.
High Availability (HA) Scenarios
When CAS is unreachable, AM validates the OTP locally using AM-owned tokens and Cloud-owned tokens, such as SID700, DS100, or Authenticate OTP, if they are synced and available.
When Cloud MFA Experience is enabled for the RADIUS client and CAS is unreachable, the system responds as follows:
- CAS Unreachable and Cloud MFA Availability: Modern cloud authenticators (for example, SMS OTP, Voice OTP, Approve, Device Biometrics, and Emergency Access OTPs) will not be available. AM prompts the user with: Enter your OTP. Note that additional MFA methods are currently unavailable.
- Password + Step-Up Mode Behavior: If both Password Authentication and Cloud MFA Experience are enabled for the RADIUS client and CAS is unreachable after password authentication, modern cloud authenticators will not be available. AM prompts the user with: Enter your OTP. Note that additional MFA methods are currently unavailable.
In both Step-Up and Password + Step-Up modes, the user will be prompted to provide an OTP if CAS is unreachable. However, in Password + Step-Up mode, the user must first enter their password before being prompted for the OTP.
Code Matching for Approve and Device Biometrics
The Cloud MFA Experience now includes an option for AM to provide confirmation codes for push-eligible methods like Approve and Device Biometrics.
When Cloud MFA Experience is enabled for the RADIUS client, the user will see a confirmation code on the RADIUS client if Approve or Device Biometric is selected as the authentication method.
The user can select Approve or Device Biometrics in the authentication prompt or the CAS policy can automatically trigger it. Once the code is displayed, the user can verify it on their device using methods, such as Visual, Selection, or Input.
After successfully verifying the code on the device, the user can enter 1 in the RADIUS client to complete the authentication or 2 to choose any other eligible authenticators. For more information on how to enable the code-matching setting for Cloud tenants, see Configure Session and Authentication Method Settings.
Timeout Scenarios and Behavior
Timeout Settings for Password + Step-Up Authentication:
- Timeout Configuration for Password + Step-Up Mode: Timeout behavior for Password + Step-Up authentication can be configured in the RADIUS client configuration page, allowing the user to define the timeout duration for step-up challenges after the primary password authentication.
Timeout After a System Triggered Push Notification:
- Timeout Behavior and Alternate Authentication Methods: When Push Notification is enabled and Approve or Device Biometrics is the user's default authentication method, AM sends a push notification for that method without forcing the user to select a method at the RADIUS client.
If the push notification times out, AM will prompt the user with other available authentication options based on the CAS access policy configurations.
License Impact for High Availability OTP
AM 8.5 or later allows Authenticate OTP, SID 700 OTP, and other CAS-assigned OTPs authentication to continue when CAS or the connection is temporarily unavailable or too slow. Users who authenticate with other methods that are supported by the RSA Authenticator app, such as Approve and Device Biometrics, are prompted for Authenticate OTP.
If High Availability Tokencode is configured, Authenticate OTP records are created for each user who registered the Authenticator app with CAS. The license count increases by one for any Authenticator app user who does not currently have an assigned authenticator in AM. Make sure that your AM license supports any additional users that are required.