RSA Authentication Manager can accept tokencodes generated by RSA SecurID Authenticate to provide strong authentication and convenient single sign-on to corporate web applications. Users install the RSA SecurID Authenticate app on a supported device to generate tokencodes.
If your deployment includes at least one identity router and you have deployed RSA Authentication Manager 8.2 Service Pack 1 or later, you can integrate both components so that users can authenticate with RSA SecurID tokens and RSA SecurID Authenticate Tokencodes on the same RSA authentication agent. Authentication Manager sends Authenticate Tokencodes directly to the identity router, which forwards them to the Cloud Authentication Service. Users of both components can successfully authenticate with their username and their Authenticate Tokencodes or their RSA SecurID passcode or tokencode.
Online authentication is supported for local authentication client agents. Offline authentication is not supported because Authentication Manager must be available to send the authentication request to the RSA SecurID Access identity router.
An administrator can configure this functionality for two different groups of users:
- Users who are in an Authentication Manager identity source or the internal database. An Authentication Manager administrator and a Cloud Administration Console Super Admin need to configure communication between an RSA SecurID Access identity router and Authentication Manager. For instructions, see Configure RSA Authentication Manager to Handle Authenticate Tokencodes.
- RSA SecurID Access users who are not in an Authentication Manager identity source or internal database. An Authentication Manager administrator needs to add the Cloud Authentication Service as an RSA SecurID Access trusted realm. You must be an Operations Console administrator with Super Admin or Trust Administrator privileges and the rsaadmin password, and you will need to obtain information from a Cloud Authentication Service Super Admin. For instructions, see Add an RSA SecurID Access Deployment to RSA Authentication Manager as a Trusted Realm.
After a user successfully authenticates with Authenticate Tokencodes, the RSA SecurID Authenticate app is listed on the console pages that display the tokens that are assigned to the user. The Authenticate app does not affect the license count for users who already have an assigned authenticator in Authentication Manager. The Authenticate app increases the license count by one for users who do not have an assigned authenticator in Authentication Manager.
Note: RSA Authentication Manager 8.2 SP1 and 8.3 users who do not have an active RSA SecurID hardware or software token assigned to them must be enabled to use the RSA SecurID Authenticate app by an Authentication Manager Super Admin. Version 8.4 users without active tokens do not require this procedure. For instructions, see Enable the RSA SecurID Authenticate App for Specific Users.
Authentication Manager Administrative Tasks
RSA Authentication Manager administrators can perform these administrative tasks for Authenticate Tokencodes:
- An administrator can disable SecurID Authenticate for a user. This prevents the user from authenticating on RSA Authentication Agents with Authenticate Tokencodes.
Deleting SecurID Authenticate for an individual user is supported, but does not prevent authentication. A user who successfully authenticates with the RSA SecurID Authenticate app is assigned SecurID Authenticate as a supported authentication token.
- An Authenticate Tokencode user can be assigned emergency access online authentication tokencodes, such as a temporary fixed tokencode or a set of one-time tokencodes. Offline emergency access tokencodes are not supported. The emergency access online authentication tokencodes are available until they expire or until the user finds the device that has the RSA SecurID Authenticate app. The emergency access code format is defined by the token policy that is enforced for the user's security domain.
Self-Service Console users with Authenticate Tokencodes will see RSA SecurID Authenticate in the My Authenticators list. A user can click the Forgot or Lost Your Authenticator link to request an online emergency access tokencode. Users who do not have the RSA SecurID Authenticate app cannot request it through the Self-Service Console, and there is no workflow policy to automate the deployment of Authenticate Tokencodes.
Note: Emergency online authentication is supported for RSA authentication agents. Emergency online authentication is not supported for additional authentication on the Cloud Authentication Service.
- All custom reports that display RSA SecurID hardware and software tokens include Authenticate Tokencodes, except for the "Token Expiration Report." For example, the UsersWithToken report template includes Authenticate Tokencodes.
The following administrative tasks are not supported:
- Unassign or replace the RSA SecurID Authenticate app for a user.
- Clear or require an RSA SecurID PIN for an Authenticate Tokencode.
Note: A PIN is required for Approve and Device Biometrics authentication. You can use the Security Console Home page to connect RSA Authentication Manager directly to the Cloud Authentication Service to enable PIN+Approve, PIN+Device Biometrics, and Authenticate Tokencode without a PIN. For instructions, see Connect RSA Authentication Manager to the Cloud Authentication Service.
- Resynchronize an Authenticate Tokencode with Authentication Manager.
- Extend the Authenticate Tokencode lifetime.
- Import or export Authenticate Tokencodes, either through a token-only job or attached to user records.