Connect RSA Authentication Manager to the Cloud Authentication Service

Document created by RSA Information Design and Development on Aug 19, 2019. Last modified by George Spagnoli on Sep 6, 2019.
Version 3

 

You can easily deploy and manage new mobile authentication methods for your RSA Authentication Manager users. These users will be able to access agent-protected resources using the RSA SecurID Authenticate app on their registered devices. You do not need to replace or update your existing agents or RSA Ready products.

 

You can use the RSA Authentication Manager Security Console to seamlessly connect Authentication Manager to the Cloud Authentication Service, and to invite users to download the RSA SecurID Authenticate app and register their devices using the cloud-based RSA SecurID Access My Page. After users complete registration, use the Security Console User Dashboard to monitor users' authentication activity and perform other user management tasks, such as enabling and disabling users and deleting registered devices. To configure the connection, perform these steps:

 

 

To learn about the authentication flow, see How Authentication Manager Works with the Cloud Authentication Service.

 

For additional information, see:

 

 


 

Step 1: Prepare the Cloud Authentication Service Environment

 

Before you connect RSA Authentication Manager to the Cloud Authentication Service, complete the following steps to ensure that your Cloud Authentication Service deployment is ready.

 

  1. Get Sign-In Credentials for the Cloud Administration Console

  2. Deploy the Cloud Authentication Service

  3. Configure an Access Policy to Protect Your Sensitive Resources

  4. Enable My Page and Select an Access Policy to Protect My Page

  5. Generate the Registration Code and Registration URL

 

Get Sign-In Credentials for the Cloud Administration Console

 

If you need to obtain this information, contact your RSA Sales representative at 1 800 995-5095 and choose Option 1. After your sales order is processed, RSA provisions your deployment in the US-, EMEA- or ANZ-based Microsoft Azure cloud. RSA sends an email to the contact email address for your company with instructions needed to start using the product, including the Cloud Administration Console URL and your initial Super Admin credentials. Note that the email address was provided to RSA Sales or the RSA Partner your company works with.

 

Deploy the Cloud Authentication Service

 

You must deploy at least one identity router. Also make sure your RSA Authentication Manager users are synchronized to identity sources that are configured for the Cloud Authentication Service. See the following instructions:

 

 

Note:  You do not need to enable RADIUS or single sign-on to connect Authentication Manager to the Cloud Authentication Service.

 

Configure an Access Policy to Protect Your Sensitive Resources

 

An access policy determines which users can access your agent-protected resources and which authentication methods they are required to use. This access policy controls access for all users who authenticate using the new connection. You can configure the policy to allow access to only selected users who meet certain criteria, or to allow all users. For example, you can restrict access only to users who use a certain network or who work in certain departments. For more information, see Access Policies and Add an Access Policy.

 

Confirm that your Cloud Authentication Service deployment meets these criteria:

 

  • At least one assurance level must contain Authenticate Tokencode and/or the Approve authentication method. For information, see Assurance Levels.

  • That assurance level must be specified in the access policy you plan to use.

 

For example, this sample policy allows access to all users who authenticate with Approve or Authenticate Tokencode.

 

 

Note:  You can edit settings within the access policy at any time without reconfiguring the connection. However, if you decide to rename the policy or if you select a different policy at a later date, you must reconnect Authentication Manager to the Cloud Authentication Service.

 

Enable My Page and Select an Access Policy to Protect My Page

 

RSA SecurID Access My Page is a web portal that helps provide a secure way for users to complete device registration and delete their devices (if necessary). By default, My Page is disabled. You must enable it in Platform > My Page before users can use My Page. You must also select the primary authentication method and access policy to use for additional authentication for signing into My Page. This policy must meet the following criteria:

 

  • Specify an identity source that is configured for both Authentication Manager and the Cloud Authentication Service.

  • Require an authentication method your Authentication Manager users can provide when they access My Page, for example, an LDAP password or an RSA SecurID Token.

 

For instructions see Manage RSA SecurID Access My Page.

 

Generate the Registration Code and Registration URL

 

In the Cloud Administration Console, generate the Registration Code and Registration URL as described in Step 3: Connect to the Cloud Authentication Service. The code is valid for 24 hours. You can either copy this information to a text file now and save it for later, or leave this window open so that you can copy this information when you configure the connection from the wizard-based interface in the Security Console.

 

Step 2: Set User Expectations for Device Registration and Authentication

 

Your RSA SecurID token users must learn how to access protected resources using the new authentication methods. You must educate these users to ensure that the onboarding process goes smoothly and that users know exactly what to expect when they register devices and authenticate for the first time. You can provide customized instructions to your users in the email template as described in Customize the Cloud Authentication Service Invitation.

 

What Happens During Device Registration

 

Users complete RSA SecurID Authenticate device registration so that they can use the RSA SecurID Authenticate app (registered on a phone, tablet, or desktop computer) to authenticate to protected applications.

 

Device registration binds the device to the user. After device registration, when the user needs to authenticate to an application, RSA SecurID Access prompts the user for Approve with PIN or Authenticate Tokencode. Users who do not register a device using the Authenticate app are not presented with authentication methods that require the app. For a description of how device registration works and what users experience, see the RSA SecurID Access End User Toolkit on RSA Link.

 

What Happens During Authentication

 

Users can access agent-protected resources with the following methods:

 

 

Approve (Push Notifications)

 

To use the Approve method, the user attempts to access the application and is prompted to enter a passcode. The user enters the PIN, then taps a button on an Authenticate device. The user can also tap an interactive notification on the device or on an Apple Watch or Android Wear watch paired to the device. The user must respond within one minute. Otherwise, the method times out and is considered a failed authentication. If the Cloud Authentication Service access policy includes Approve as an authentication method, then the user is enrolled for this method automatically after device registration.

 

Note:  The PIN required for Approve authentication is different from the PIN that may be required to unlock the Authenticate Tokencode in the app.

 

Using PINs During the First Approve Authentication

 

The Approve authentication experience differs slightly among users depending on whether they already have a valid RSA SecurID Token and PIN. The following table describes what the user must enter after you have enabled Cloud Authentication Service authentication from the Security Console and the user has registered a device.

 

What the User Has | User Action During First Approve Authentication
One valid RSA SecurID Token and PIN | The user enters the RSA SecurID PIN, then taps Approve.
Multiple valid RSA SecurID Tokens and PINs | The user enters one PIN associated with any valid, assigned RSA SecurID token, then taps Approve.
Valid RSA SecurID Token and expired PIN | The user enters the expired PIN and is prompted to change the PIN, then taps Approve. Or the user can reset the RSA SecurID PIN before device registration, then use that RSA SecurID PIN during device registration.
No valid RSA SecurID Token or PINs (for example, RSA SecurID Token expired) | The user enters the Authenticate Tokencode from his or her registered device, is prompted to create a new PIN, then taps Approve.

 

Note:   It is important to tell your users that, in all cases, the PIN they enter during the first Approve authentication will be required in future Approve authentications.

 

RSA SecurID Authenticate Tokencode

 

Similar to RSA SecurID Tokens, RSA SecurID Authenticate Tokencode employs a one-time, randomly generated number called a tokencode. This tokencode is generated on a device where the RSA SecurID Authenticate app is installed. The tokencode, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires. These tokencodes display for one minute, but are valid for up to five minutes after they are generated and displayed on a user's device. If the Cloud Authentication Service access policy includes Authenticate Tokencode as an authentication method, then the user is enrolled for this method automatically after device registration.

 

Authenticate Tokencode cannot be used with an RSA SecurID PIN or for offline authentication.

 

License Impact After Authentication

 

After a user successfully authenticates using either an Authenticate Tokencode or Approve, the RSA SecurID Authenticate app is listed in the User Dashboard as one of the user's assigned tokens. If the user does not have another assigned authenticator in Authentication Manager, the license count increases by one. If the user already has another assigned authenticator in Authentication Manager, the license count is not increased.

 

Support for Users Prior to Authentication Manager 8.4 Patch 4

 

After you connect Authentication Manager 8.4 Patch 4 to the Cloud Authentication Service, users who installed the RSA SecurID Authenticate app and registered devices with the Cloud Authentication Service prior to Patch 4 can use PIN + Approve authentication if allowed by the access policy. You can also manage these users in the Security Console User Dashboard.

 

Step 3: Connect to the Cloud Authentication Service

 

The easiest way to connect RSA Authentication Manager to the Cloud Authentication Service is by starting the wizard from the Security Console Home page. After you finish, invited users will be able to download the RSA SecurID Authenticate app, register their devices, and access agent-protected resources.

 

RSA Authentication Manager connects to the Cloud Authentication Service on port 443. No inbound connections from the Cloud Authentication Service to Authentication Manager are required.

 

Before you begin 

 

  • Confirm that your network infrastructure allows the Authentication Manager server to connect to the Cloud Authentication Service Registration URL. You might need to change your network configuration.

  • Confirm that all of the primary and replica instances in your deployment can connect to the Cloud Authentication Service IP addresses assigned to your region. See Test Access to Cloud Authentication Service for the list of addresses.

  • Confirm that the Manage Cloud Authentication Service Users permission is enabled on the General Permissions tab in the Security Console for your Help Desk Administrators. This permission allows these administrators to view and manage Cloud Authentication Service users in the Security Console User Dashboard. For more information, see Edit Permissions for an Administrative Role.

  • Decide if you want to customize the email template that will be used to invite users to register their devices. You can customize it now or later. For more information, see Customize the Cloud Authentication Service Invitation.
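The following pre-check script is an added example, not RSA's own tooling: run it on each Authentication Manager primary and replica instance to confirm outbound TCP 443 reachability to the Registration URL host and to the region IP addresses, directly or through the proxy you will enter in the wizard. It assumes curl is installed; the Registration URL, the region IP list, and the PROXY_HOST, PROXY_PORT, PROXY_USER and PROXY_PASS values are placeholders you supply.

```shell
#!/bin/sh
# Added example (not RSA's code): verifies outbound TCP 443 from an Authentication
# Manager instance to the Cloud Authentication Service, the only direction required.

# Host part of a URL such as https://host[:port]/path (scheme, port and path removed).
url_host() {
  printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://##; s#/.*$##; s#:[0-9]+$##'
}

# Explicit port from the URL, defaulting to 443 when the URL gives none.
url_port() {
  p=$(printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://##; s#/.*$##' | sed -nE 's#^.*:([0-9]+)$#\1#p')
  if [ -n "$p" ]; then printf '%s\n' "$p"; else printf '443\n'; fi
}

# Proxy URL for curl's https_proxy variable: host, port, optional user and password.
# Credentials are passed through the environment rather than the command line, so
# they do not appear in the process list. Assumes no URL-reserved characters in them.
proxy_url() {
  if [ -n "$3" ]; then printf 'http://%s:%s@%s:%s\n' "$3" "$4" "$1" "$2"
  else printf 'http://%s:%s\n' "$1" "$2"; fi
}

# Returns 0 if a TCP connection to host:port is established (direct or via https_proxy).
# curl exit codes 6 (DNS failure), 7 (connection refused) and 28 (timeout) mean the
# port is unreachable; a TLS or HTTP error after connecting still proves it is open.
tcp_reachable() {
  curl -sS -o /dev/null --connect-timeout 10 "https://$1:$2/" >/dev/null 2>&1
  rc=$?
  case $rc in 6|7|28) return 1 ;; *) return 0 ;; esac
}

# Usage: sh cloud_precheck.sh https://REGISTRATION_URL_HOST/path [REGION_IP ...]
# Optional environment: PROXY_HOST PROXY_PORT PROXY_USER PROXY_PASS (placeholders).
if [ -n "$1" ]; then
  if [ -n "$PROXY_HOST" ]; then
    https_proxy=$(proxy_url "$PROXY_HOST" "$PROXY_PORT" "$PROXY_USER" "$PROXY_PASS")
    export https_proxy
  fi
  host=$(url_host "$1"); port=$(url_port "$1"); shift
  for target in "$host" "$@"; do
    if tcp_reachable "$target" "$port"; then echo "OK   $target:$port"
    else echo "FAIL $target:$port (check firewall rules or proxy settings)"; fi
  done
fi
```

Run it once per instance, because a replica behind a different firewall segment can fail while the primary succeeds.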

 

Procedure 

 

  1. In the Security Console, go to the Home page.

  2. Click Configure the connection.

  3. Verify that you have met the requirements for configuring the connection. Click Next.

  4. Do the following:
    • Copy and paste the Registration Code and the Registration URL from the Cloud Administration Console or from a text file into the connection wizard.

    • (Optional) If Authentication Manager is behind an external firewall, click Configure a Proxy Connection:
      • In the Proxy Host field, enter the hostname or IP address of the proxy server. If you have an HTTP proxy server, enter the hostname. For example, www.example.com.

      • In the Proxy Port field, enter the port used by the proxy server.

      • In the Proxy Username field, enter the unique username for the proxy server.

      • In the Proxy Password field, enter the unique password for your proxy server.

    Click Next.

  5. Keep the Enable Cloud Authentication checkbox selected, and click Next.

    When enabled, all authentication agents that previously required an RSA SecurID token will allow users to authenticate using both RSA SecurID Tokens and the RSA SecurID Authenticate app. You can manage Cloud users from the Security Console.

  6. After the connection succeeds, keep the window open. Go to the RSA SecurID Access My Page URL. You can register a device and test cloud-based authentication. Return to the Security Console, and click Next.

  7. You can invite users to download the Authenticate app and register devices. After registration, users can access your protected resources with the supported authentication methods.
    • To invite users later, click No, Invite users later. The next page displays the procedure for inviting users later.

    • To invite users now, click Yes, Invite more users.

  8. You can customize the email message that is sent to users. For instructions, see Customize the Cloud Authentication Service Invitation.

  9. Click Close to exit.

 

After you finish 

 

If you have not yet invited users to register their devices and authenticate using the Authenticate app, see Send an RSA SecurID Authenticate Invitation to Users.

 

Supported Authentication Methods

 

RSA Authentication Manager 8.4 Patch 4 supports the following authentication methods.

 

Method | User Action During Authentication
Approve (push notifications) | Users enter a PIN and tap Approve on their registered devices.
Authenticate Tokencode | Users enter the tokencode displayed in the app.

 

Note:  Approve with PIN can be used with a logon alias in Authentication Manager.

 

How Authentication Manager Works with the Cloud Authentication Service

 

The following graphic shows how a user with a registered mobile phone can access an agent-protected resource using the Approve method.

 

 

Manage Users in the Security Console

 

After completing the integration, you can use the Security Console to manage users and perform routine maintenance. See the following topics on RSA Link for more information.

 

If you want to perform this task | See
Use the Security Console User Dashboard to manage users who have already registered their devices. | User Dashboard
Instruct users on how to register their devices and authenticate with Approve and Authenticate Tokencode. | Customize the Cloud Authentication Service Invitation
Invite additional Authentication Manager users to register devices. | Send an RSA SecurID Authenticate Invitation to Users
Manage user PINs. | Manage PINs for Approve Authentication

 

 

 

 

 
