You can easily deploy and manage new mobile authentication methods for your RSA Authentication Manager users. These users will be able to access agent-protected resources using the RSA SecurID Authenticate app on their registered devices. You do not need to replace or update your existing agents or RSA Ready products.
You can use the RSA Authentication Manager Security Console to seamlessly connect Authentication Manager to the Cloud Authentication Service, and to invite users to download the RSA SecurID Authenticate app and register their devices using the cloud-based RSA SecurID Access My Page. After users complete registration, use the Security Console User Dashboard to monitor users' authentication activity and perform other user management tasks, such as enabling and disabling users and deleting registered devices. To configure the connection, perform these steps:
To learn about the authentication flow, see How Authentication Manager Works with the Cloud Authentication Service.
For additional information, see:
Before you connect RSA Authentication Manager to the Cloud Authentication Service, complete the following steps to ensure that your Cloud Authentication Service deployment is ready.
If you need to obtain this information, contact your RSA Sales representative at 1 800 995-5095 and choose Option 1. After your sales order is processed, RSA provisions your deployment in the US-, EMEA- or ANZ-based Microsoft Azure cloud. RSA sends an email to the contact email address for your company with instructions needed to start using the product, including the Cloud Administration Console URL and your initial Super Admin credentials. Note that the email address was provided to RSA Sales or the RSA Partner your company works with.
You must deploy at least one identity router. Also make sure your RSA Authentication Manager users are synchronized to identity sources that are configured for the Cloud Authentication Service. See the following instructions:
- The appropriate Quick Setup Guide:
Note: You do not need to enable RADIUS or single sign-on to connect Authentication Manager to the Cloud Authentication Service.
An access policy determines which users can access your agent-protected resources and which authentication methods they are required to use. This access policy controls access for all users who authenticate using the new connection. You can configure the policy to allow access to only selected users who meet certain criteria, or to allow all users. For example, you can restrict access only to users who use a certain network or who work in certain departments. For more information, see Access Policies and Add an Access Policy.
Confirm that your Cloud Authentication Service deployment meets these criteria:
At least one assurance level must contain Authenticate Tokencode, Approve authentication, or Device Biometrics. For information, see Assurance Levels.
If a user device does not support Device Biometrics, then the user is prompted for Approve authentication if it is allowed by the assurance level.
Authentication Manager does not support assurance levels that combine two forms of authentication. For example, the assurance level cannot require both RSA SecurID Token and Approve, but the assurance level can require only one of those options.
That assurance level must be specified in the access policy you plan to use.
For example, this sample policy allows access to all users who authenticate with Approve and Authenticate Tokencode, which are configured as low assurance level options, and also Device Biometrics, which is configured as a medium assurance level option.
Note: You can edit settings within the access policy at any time without reconfiguring the connection. However, if you decide to rename the policy or if you select a different policy at a later date, you must reconnect Authentication Manager to the Cloud Authentication Service.
RSA SecurID Access My Page is a web portal that helps provide a secure way for users to complete device registration and delete their devices (if necessary). By default, My Page is disabled. You must enable it in Platform > My Page before users can use My Page. You must also select the primary authentication method and access policy to use for additional authentication for signing into My Page. This policy must meet the following criteria:
Specify an identity source that is configured for both Authentication Manager and the Cloud Authentication Service.
Require an authentication method your Authentication Manager users can provide when they access My Page. For example, LDAP password or RSA SecurID Token.
For instructions see Manage RSA SecurID Access My Page.
In the Cloud Administration Console, generate the Registration Code and Registration URL as described in Connect Authentication Manager to the Cloud Authentication Service. The code is valid for 24 hours. You can either copy this information to a text file now and save it for later, or leave this window open so that you can copy this information when you configure the connection from the wizard-based interface in the Security Console.
Your RSA SecurID token users must learn how to access protected resources using the new authentication methods. You must educate these users to ensure that the onboarding process goes smoothly and that users know exactly what to expect when they register devices and authenticate for the first time. You can provide customized instructions to your users in the e-mail template as described in Customize the Cloud Authentication Service Invitation.
What Happens During Device Registration
Users complete RSA SecurID Authenticate device registration so that they can use the RSA SecurID Authenticate app (registered on a phone, tablet, or desktop or PC) to authenticate to protected applications.
Device registration binds the device to the user. After device registration, when the user needs to authenticate to an application, RSA SecurID Access prompts the user for PIN+Approve, PIN+Device Biometrics, or Authenticate Tokencode. Users who do not register a device using the Authenticate app are not presented with authentication methods that require the app. For a description of how device registration works and what users experience, see Educating Your Users on RSA Link.
What Happens During Authentication
Users can access agent-protected resources with the following methods:
Users can authenticate with methods specified by the access policy. They are prompted to authenticate with a method that is based upon their access policy. For more information, see How Assurance Levels Are Used During Authentication.
The first option listed for an assurance level on the Assurance Levels page is presented as the default for each new user when he or she authenticates to an application or client assigned to that assurance level for the first time. A user can select another option at any time, as long as the assigned assurance level or a higher assurance level contains additional options that the user can complete. When a user successfully authenticates with an option, that option becomes the user's default for future authentications for that assurance level.
To use the Approve method, the user attempts to access the application and is prompted to enter a passcode. The user enters the PIN, then taps a button on an Authenticate device. The user can also tap an interactive notification on the device or on an Apple Watch or Android Wear watch paired to the device. The user must respond within one minute. Otherwise, the method times out and is considered a failed authentication.
Note: The PIN required for Approve authentication is different from the PIN that may be required to unlock the Authenticate Tokencode in the app.
Device Biometrics allows users to authenticate to applications using biometrics available on devices, such as Apple Touch ID or Face ID, Android fingerprint, or Windows Hello. To use Device Biometrics, users must first set up biometrics on their devices. RSA SecurID Access does not force users to do this.
To use Device Biometrics on Windows 10 PCs, Windows Hello must be enabled. Also, keep in mind that users can sign in using a Hello PIN.
To use the Device Biometrics method, the user attempts to access the application and is prompted to authenticate. The user enters a PIN, and then uses a biometric method to authenticate.
Note: The PIN required for Device Biometrics authentication is different from the PIN that may be required to unlock the Authenticate Tokencode in the app.
Similar to RSA SecurID Tokens, RSA SecurID Authenticate Tokencode employs a one-time, randomly generated number called a tokencode. This tokencode is generated on a device where the RSA SecurID Authenticate app is installed. The tokencode, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires. These tokencodes display for one minute, but are valid for up to five minutes after they are generated and displayed on a user's device. If the Cloud Authentication Service access policy includes Authenticate Tokencode as an authentication method, then the user is enrolled for this method automatically after device registration.
Authenticate Tokencode cannot be used with an RSA SecurID PIN or for offline authentication.
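An added example, not RSA's code: a model of the display-versus-validity window described above, using an RFC 6238-style HMAC time-based code as a stand-in because the page does not describe the algorithm the Authenticate app uses. The secret, the 8-digit length and the replay rule (reject any code from a time step at or before the last accepted one) are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60         # seconds a tokencode is displayed (from the page)
VALID_FOR = 300   # seconds a tokencode remains acceptable (from the page)
DIGITS = 8        # assumption: the page does not state the code length


def tokencode(secret: bytes, step: int) -> str:
    """Stand-in generator: HMAC over the time-step counter, RFC 4226 truncation."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server-side check: five-minute acceptance window plus one-time use."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_step = -1  # newest time step already accepted

    def verify(self, code: str, now: float) -> str:
        current = int(now) // STEP
        # Oldest step whose code was generated less than VALID_FOR seconds ago.
        oldest = current - (VALID_FOR // STEP) + 1
        for step in range(current, oldest - 1, -1):
            if hmac.compare_digest(tokencode(self.secret, step), code):
                # One-time use: a code at or before the last accepted step
                # is treated as a replay, even inside the time window.
                if step <= self.last_used_step:
                    return "replayed"
                self.last_used_step = step
                return "accepted"
        return "rejected"  # wrong code or outside the window


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed sample value
    shown_at = 1_700_000_000              # constructed timestamp
    code = tokencode(secret, shown_at // STEP)
    v = Verifier(secret)
    print(v.verify(code, shown_at + 200))  # off screen, still in the window
    print(v.verify(code, shown_at + 210))  # same code presented again
    print(v.verify(code, shown_at + 400))  # past the five-minute window
```

The gap between the one-minute display and the five-minute validity is the period in which an observed but unused code could still be submitted, which is why the verifier in this model records the last accepted step.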
The following table describes what users must enter during their first authentication using Approve or Device Biometrics.
Note: After the initial Approve or Device Biometrics authentication, an RSA SecurID Token user can change the PIN used for Approve and Device Biometrics to be different from the RSA SecurID PIN(s). The same PIN must be used for both Approve and Device Biometrics authentication.
|What the User Has||User Action During First Approve or Device Biometrics Authentication|
|One valid RSA SecurID Token and PIN||The user enters the RSA SecurID PIN, then taps Approve or authenticates with Device Biometrics.|
|Multiple valid RSA SecurID Tokens and PINs||The user enters one PIN associated with any valid, assigned RSA SecurID token, then taps Approve or authenticates with Device Biometrics.|
|Valid RSA SecurID Token and expired PIN||The user enters the expired PIN and is prompted to change the PIN, then taps Approve or authenticates with Device Biometrics. Or the user can reset the RSA SecurID PIN before device registration, then use that RSA SecurID PIN during device registration. The new PIN applies to Approve and Device Biometrics authentication. To use the RSA SecurID Token, the user must create a new PIN for the token.|
|No valid RSA SecurID Token or PINs (for example, RSA SecurID Token expired)||The user enters the Authenticate Tokencode from his or her registered device, is prompted to create a new PIN, then taps Approve or authenticates with Device Biometrics.|
|Valid PIN for on-demand authentication (ODA)||The user enters the PIN and is issued one-time tokencodes because ODA has priority over other types of authentication. You can run a command line utility to prioritize Approve authentication and Device Biometrics authentication for these ODA users. For instructions, see Prioritize Approve and Device Biometrics Authentication for On-Demand Authentication Users.|
Note: It is important to tell your users that, in all cases, the PIN they enter during the first Approve or Device Biometrics authentication will be required in future Approve or Device Biometrics authentications.
License Impact After Authentication
After a user successfully authenticates using an Authenticate Tokencode, Approve, or Device Biometrics, the RSA SecurID Authenticate app is listed in the User Dashboard as one of the user's assigned tokens. If the user does not have another assigned authenticator in Authentication Manager, the license count increases by one. If the user already had another assigned authenticator in Authentication Manager, the license count is not increased.
Support for Users Prior to Authentication Manager 8.4 Patch 4
After you connect Authentication Manager 8.4 Patch 4 or later to the Cloud Authentication Service, users who installed the RSA SecurID Authenticate app and registered devices with the Cloud Authentication Service prior to Patch 4 can use Approve authentication if allowed by the access policy. After Patch 9 is applied, these users can also use Device Biometrics authentication if allowed by the access policy. Patch 4 or later allows you to manage these existing users in the Security Console User Dashboard.
The easiest way to connect RSA Authentication Manager to the Cloud Authentication Service is by starting the wizard from the Security Console Home page. After you finish, invited users will be able to download the RSA SecurID Authenticate app, register their devices, and access agent-protected resources.
RSA Authentication Manager connects to the Cloud Authentication Service on port 443. No in-bound connections from the Cloud Authentication Service to Authentication Manager are required.
Before you begin
Confirm that your network infrastructure allows the Authentication Manager server to connect to the Cloud Authentication Service Registration URL. You might need to change your network configuration.
Confirm that all of the primary and replica instances in your deployment can connect to the Cloud Authentication Service IP addresses assigned to your region. See Test Access to Cloud Authentication Service for the list of addresses.
Confirm that the Manage Cloud Authentication Service Users permission is enabled on the General Permissions tab in the Security Console for your Help Desk Administrators. This permission allows these administrators to view and manage Cloud Authentication Service users in the Security Console User Dashboard. For more information, see Edit Permissions for an Administrative Role.
Decide if you want to customize the email template that will be used to invite users to register their devices. You can customize it now or later. For more information, see Customize the Cloud Authentication Service Invitation.
In the Security Console, go to the Home page.
Click Configure the connection.
Verify that you have met the requirements for configuring the connection. Click Next.
- Do the following:
Copy and paste the Registration Code and the Registration URL from the Cloud Administration Console or from a text file into the connection wizard.
- (Optional) If Authentication Manager is behind an external firewall, click Configure a Proxy Connection:
In the Proxy Host field, enter the hostname or IP address of the proxy server. If you have an HTTP proxy server, enter the hostname. For example, www.example.com.
In the Proxy Port field, enter the port used by the proxy server.
In the Proxy Username field, enter the unique username for the proxy server.
In the Proxy Password field, enter the unique password for your proxy server.
- Keep the Enable Cloud Authentication checkbox selected, and click Next.
When enabled, all authentication agents that previously required an RSA SecurID token will allow users to authenticate using both RSA SecurID Tokens and the RSA SecurID Authenticate app. You can manage Cloud users from the Security Console.
After the connection succeeds, keep the window open. Go to the RSA SecurID Access My Page URL. You can register a device and test cloud-based authentication. Return to the Security Console, and click Next.
- You can invite users to download the Authenticate app and register devices. After registration, users can access your protected resources with the supported authentication methods.
To invite users later, click No, Invite users later. The next page displays the procedure for inviting users later.
To invite users now, click Yes, Invite more users.
You can customize the email message that is sent to users. For instructions, see Customize the Cloud Authentication Service Invitation.
Click Close to exit.
After you finish
If you have not yet invited users to register their devices and authenticate using the Authenticate app, see Send an RSA SecurID Authenticate Invitation to Users.
RSA Authentication Manager 8.4 Patch 4 or later supports the following authentication methods. Apply the latest cumulative patch to use all of the supported authentication methods.
|Method||User Action During Authentication||Minimum Required Patch|
|Approve (push notifications)||Users enter a PIN and tap Approve on their registered devices.|| |
|Device Biometrics||Users enter a PIN, and then use a biometric method to authenticate.||Patch 9|
|Authenticate Tokencode||Users enter the tokencode displayed in the app.|| |
Note: Approve and Device Biometrics can be used with a logon alias in Authentication Manager.
The following graphic shows how a user with a registered mobile phone can access an agent-protected resource using the Approve or Device Biometrics method.
After completing the integration, you can use the Security Console to manage users and perform routine maintenance. See the following topics on RSA Link for more information.
|If you want to perform this task||See|
|Use the Security Console User Dashboard to manage users who have already registered their devices.||User Dashboard|
|Instruct users on how to register their devices and authenticate with Approve, Device Biometrics, and Authenticate Tokencode.||Customize the Cloud Authentication Service Invitation|
|Invite additional Authentication Manager users to register devices.||Send an RSA SecurID Authenticate Invitation to Users|
|Manage user PINs||Manage PINs for Approve and Device Biometrics Authentication|