IBM Security Access Manager 9.0 - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development on Jul 30, 2019

Certified: June 10, 2019


Solution Summary

This section describes the ways in which IBM Security Access Manager can integrate with RSA SecurID Access. Use this information to determine which use case and integration type your deployment will employ.

Use Cases

Web Reverse Proxy - When integrated, users must authenticate with RSA SecurID Access in order to access resources protected through the reverse proxy server. Web Reverse Proxy can be integrated with RSA SecurID Access using Authentication Agent and Risk-Based Authentication.

Advanced Access Control - When integrated, users must authenticate with RSA SecurID Access in order to access resources protected through the reverse proxy server using advanced access control. Advanced Access Control can be integrated with RSA SecurID Access using Authentication Agent.

Federation - When integrated, users must authenticate with RSA SecurID Access in order to access resources protected through the reverse proxy server using federation. Federation can be integrated with RSA SecurID Access using SSO Agent and Relying Party.


Integration Types

SSO Agent integrations use SAML 2.0 or HFED technologies to direct users’ web browsers to RSA SecurID Access for authentication. SSO Agents also provide Single Sign-On using the RSA Application Portal.

Relying party integrations use SAML 2.0 to direct users' web browsers to RSA SecurID Access for authentication. Primary authentication is configurable, so a relying party integration can be a good choice for adding additional authentication (only) to existing deployments.

Authentication Agent integrations use an embedded RSA agent to provide RSA SecurID and Authenticate Tokencode authentication methods within the partner’s application. Authentication agents are simple to configure and support the highest rate of authentications.

Risk Based Authentication integrations use customized scripts to direct users’ browsers to RSA SecurID Access for authentication. Risk-Based Authentication leverages an Authentication Agent or RADIUS integration to sign in to the partner application.

Supported Features

This section shows all of the supported features by integration type and by RSA SecurID Access component. Use this information to determine which integration type and which RSA SecurID Access component your deployment will use. The next section in this guide contains the steps to integrate RSA SecurID Access with IBM Security Access Manager for each integration type.


IBM Security Access Manager Integration with RSA Cloud Authentication Service

Authentication Methods        Authentication API   RADIUS   Relying Party   SSO Agent
RSA SecurID                   -                    -        Supported       Supported
LDAP Password                 -                    -        Supported       Supported
Authenticate Approve          -                    -        Supported       Supported
Authenticate Tokencode        -                    -        Supported       Supported
Device Biometrics             -                    -        Supported       Supported
SMS Tokencode                 -                    -        Supported       Supported
Voice Tokencode               -                    -        Supported       Supported
FIDO Token                    n/a                  n/a      Supported       Supported


IBM Security Access Manager Integration with RSA Authentication Manager

Authentication Methods        Authentication API   RADIUS   Authentication Agent
RSA SecurID                   -                    -        Supported
On-Demand Authentication      -                    -        Supported
Risk-Based Authentication     n/a                  -        Supported

Legend:
Supported - The authentication method is supported with that integration type.
- - Not supported.
n/t - Not yet tested or documented, but may be possible.

Configuration Summary

The following links provide instructions on how to integrate IBM Security Access Manager with RSA SecurID Access.

This document is not intended to suggest optimum installations or configurations. It assumes the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All RSA SecurID Access and IBM Security Access Manager components must be installed and working prior to the integration.


Integration Prerequisites

Configure Runtime Interfaces

Create Reverse Proxy Instance

Integration Configuration

Authentication Agent

Relying Party

Risk-Based Authentication

SSO Agent - SAML

Use Case Configuration

Web Reverse Proxy

Advanced Access Control

Federation


Certification Details

Date of testing: June 10, 2019

RSA Cloud Authentication Service

RSA Authentication Manager 8.3, Virtual Appliance

IBM Security Access Manager 9.0, Virtual Appliance


Known Issues

Authentication Agent for Reverse Proxy - Improper new PIN form

Problem: The field names displayed on the new PIN form are the same as those on the password expiry form of the reverse proxy server. The new PIN form displays Old Password, New Password and Confirm New Password as the field names instead of Next Tokencode, New PIN and Confirm New PIN.

Workaround: In the local management interface, edit the passwd_exp.html file located under the Management Root of the reverse proxy server instance and change the field labels appropriately.

Authentication Agent for Advanced Access Control - Missing additional authentication during new PIN mode authentication

Problem: During new PIN mode authentication, most RSA SecurID agent implementations require a next tokencode authentication after the new PIN is set. With this integration there is no additional authentication after setting the PIN.

Authentication Agent for Advanced Access Control - Missing on-demand tokencode authentication during new PIN mode for on-demand authentication

Problem: For new PIN mode with on-demand authentication, after setting the PIN the user is allowed to access the resource directly without being prompted for an on-demand tokencode.

Authentication Agent for Advanced Access Control - Agent logging is not working for different log levels

Problem: Changing the agent log level has no effect on agent logging; only failed authentications are logged at every log level.

Authentication Agent integration - Node secret issue due to multiple RSA SecurID agent configurations

Problem: Security Access Manager has separate agent configurations for reverse proxy and advanced access control. If Security Access Manager is configured with one IP address, both configurations will try to use the same IP address. There is no option to share the node secret between the two configurations, so only one of the configurations can be used.

Workaround: Configure the Runtime Interface with an additional IP address. The management IP address of the interface is used for the RSA SecurID agent configuration for reverse proxy, and the additional IP address is used for the RSA SecurID agent configuration for advanced access control.
