Configure an Embedded Identity Router
If you want to connect RSA Authentication Manager 8.5 to the Cloud Authentication Service, you must deploy at least one identity router. By downloading and configuring the embedded identity router on the primary instance and on each replica instance, you avoid the time and effort of deploying separate identity routers in your on-premises network or in the Amazon Web Services cloud.
The embedded identity router communicates with the Cloud Authentication Service and does the following:
- Connects the Cloud Authentication Service to your identity sources.
- Enforces access policies, which determine which applications users can access, when additional authentication is needed, and which authentication methods are required.
The embedded identity router does not support single sign-on (SSO) or RADIUS. To use these features, you must deploy your identity router on another platform. For more information, see Identity Routers.
Perform these steps:
- Your organization must have a Cloud Authentication Service account. If you do not already have an account, call 1 800 995-5095 and choose Option 1 to speak to your RSA Sales Representative.
- Deploy the Cloud Authentication Service. See the following instructions:
If your RSA Authentication Manager deployment is not already connected to the Cloud Authentication Service or you connected before upgrading to version 8.5, follow the procedure below. To use some version 8.5 features, such as the embedded identity router, an Authentication Manager deployment that is already connected to the Cloud Authentication Service must connect again after upgrading to version 8.5.
Before you begin
- Know the access policy that will be applied to all users who access these resources, or configure a new access policy. An access policy determines which users can access your agent-protected resources and which authentication methods they are required to use. For more information, see Access Policies and Add an Access Policy.
- To establish the connection, Authentication Manager must provide a Registration Code and Registration URL to the Cloud Authentication Service. In the Cloud Administration Console, click Platform > Authentication Manager, select an access policy, generate the Registration Code and Registration URL, and save this information in a text file.
1. In the Security Console, click Setup > System Settings.
2. Click Cloud Authentication Service Configuration.
3. If Authentication Manager is behind an external firewall, you can configure a connection to a proxy server before connecting to the Cloud Authentication Service:
   a. Under Cloud Authentication Service Firewall Proxy Configuration, click Enable Proxy Configuration.
   b. In the Proxy Host field, enter the hostname of the proxy server, for example, example.com. If you have an HTTP proxy server that does not require a certificate, you can enter either a hostname or an IP address.
   c. In the Proxy Port field, enter the port used by the proxy server.
   d. If the proxy server does not require credentials, leave the Proxy Username and Proxy Password fields blank. Otherwise, enter the following:
      - In the Proxy Username field, enter the username for the proxy server.
      - In the Proxy Password field, enter the password for the proxy server.
   e. Click Save.
4. To connect Authentication Manager to the Cloud Authentication Service, do the following:
   a. Under Register Authentication Manager with the Cloud Authentication Service, paste the Registration Code and the Registration URL that you saved from the Cloud Administration Console.
   b. Click Connect to the Cloud Authentication Service.
   A message indicates that the connection is established. The Cloud Authentication Service details are automatically updated and saved.
5. To enable users to authenticate to the Cloud Authentication Service, under Cloud Authentication Service Configuration, click Enable Cloud Authentication.
6. Optionally, select the Send Multifactor Authentication Requests to the Cloud checkbox.
   When selected, Authentication Manager acts as a secure proxy server that forwards authentication requests to the Cloud Authentication Service. This feature supports all authentication methods supported by REST protocol authentication agents, whether the request is verified by Authentication Manager or by the Cloud Authentication Service.
7. Click Save.
You can download and configure the embedded identity router on the primary instance and on each replica instance.
Deploying more than one identity router provides redundancy when a replica instance is promoted for maintenance or in a disaster recovery situation. The embedded identity router is not included in Authentication Manager backup files, so it must be deployed again on a restored instance.
Before you begin
- Make sure Authentication Manager is connected to the Cloud Authentication Service. For instructions, see Step 2: Set Up the Cloud Connection.
- Open TCP port 9786 in the RSA Authentication Manager internal firewall. The embedded identity router must be able to use this port for identity router configuration and to communicate with Authentication Manager.
- In the Cloud Administration Console, a Super Admin must do the following:
  - Add an identity router record, and either record the Registration Code and the Authentication Service Domain or plan to copy this information later. For instructions, see Add an Identity Router to the Cloud Authentication Service for RSA Authentication Manager.
  - Choose an access policy that specifies the same identity sources that are linked to this identity router. For more information, see Access Policies.
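The two network prerequisites above (TCP port 9786 reachable on every Authentication Manager instance that will host an embedded identity router, and the Proxy Host rule from the cloud connection procedure that an IP address is acceptable only for an HTTP proxy that does not require a certificate) can be checked before you click Download & Install. The following is an added example written for this page; it is not RSA code and does not call any RSA API. The instance hostnames are constructed placeholders, and `demo_local_port_check` uses a loopback listener so the reachable and unreachable outcomes can be seen without network access.

```python
"""Pre-flight checks before deploying the embedded identity router.

Added example, not part of the RSA documentation or product. It checks that
TCP port 9786 answers on each Authentication Manager instance that will host
an embedded identity router, and that a proxy host value follows the rule
that an IP address is only acceptable for an HTTP proxy that does not require
a certificate. Hostnames in __main__ are constructed placeholders.
"""
import ipaddress
import socket
from typing import Dict, List, Tuple

IDENTITY_ROUTER_PORT = 9786  # TCP port the embedded identity router uses


def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> Dict[str, object]:
    """Attempt a TCP connect and return a result dict instead of raising."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return {"host": host, "port": port, "reachable": True, "detail": "connected"}
    except socket.timeout:
        detail = "timed out (likely filtered by a firewall)"
    except ConnectionRefusedError:
        detail = "connection refused (port closed or nothing listening)"
    except OSError as exc:
        detail = f"{exc.__class__.__name__}: {exc}"
    return {"host": host, "port": port, "reachable": False, "detail": detail}


def validate_proxy_host(proxy_host: str, requires_certificate: bool) -> Tuple[bool, str]:
    """Accept a hostname always; accept an IP address only when no certificate is required."""
    proxy_host = proxy_host.strip()
    if not proxy_host:
        return False, "proxy host is empty"
    try:
        ipaddress.ip_address(proxy_host)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip and requires_certificate:
        return False, "proxy requires a certificate; enter the hostname the certificate matches, not an IP address"
    return True, "ok"


def preflight(instances: List[str], port: int = IDENTITY_ROUTER_PORT) -> Dict[str, bool]:
    """Map each Authentication Manager instance to whether the port is reachable."""
    return {host: bool(check_tcp_port(host, port)["reachable"]) for host in instances}


def demo_local_port_check() -> Tuple[bool, bool]:
    """Show both outcomes against a loopback listener: open, then closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = bool(check_tcp_port("127.0.0.1", port)["reachable"])
    listener.close()
    after_close = bool(check_tcp_port("127.0.0.1", port)["reachable"])
    return while_open, after_close


if __name__ == "__main__":
    # Constructed placeholder hostnames for a primary and a replica instance.
    for host, ok in preflight(["am-primary.example.com", "am-replica1.example.com"]).items():
        print(f"{host}:{IDENTITY_ROUTER_PORT} reachable={ok}")
    print(validate_proxy_host("proxy.example.com", requires_certificate=True))
    print(validate_proxy_host("10.0.0.5", requires_certificate=True))
    print(demo_local_port_check())
```

Run it from a host that sits on the same side of the internal firewall as the identity router would; a "timed out" detail points at a filtering rule, while "connection refused" means the port is open at the firewall but nothing is listening yet on that instance.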
1. In the Security Console, click Setup > System Settings.
2. Click Cloud Authentication Service Identity Router.
3. Click Download & Install Identity Router.
   Identity router download and installation progress messages are displayed. The process takes a couple of minutes, depending on your network speed.
   You can click Back to navigate away from the page without stopping the process.
   After installation is complete, you must register the identity router with the Cloud Authentication Service.
4. Click Configure Identity Router to open the Identity Router Setup Console.
5. The first time you log on, use these credentials:
   You are prompted to change the password.
   Record the new password so that you have it when you need it.
6. Sign in with the new password.
7. In the Registration Code and the Authentication Service Domain fields, paste the information that you recorded from the Cloud Administration Console.
8. Click Submit. The identity router is registered with the Cloud Authentication Service.
After you finish
- After you deploy the embedded identity router, the Cloud Authentication Service synchronizes users. Make sure your identity sources are configured so that RSA Authentication Manager and the Cloud Authentication Service synchronize the same users. For more information, see:
  Note: New users created in the Authentication Manager internal database who have never had an assigned hardware or software token are not supported for Approve, Device Biometrics, or Authenticate Tokencode authentication.
- (Optional) Deploy the embedded identity router on other Authentication Manager primary and replica instances.
You can perform these optional tasks:
- You can test authentication by registering an authenticator and authenticating to the Cloud:
- For troubleshooting identity router issues, you can Download Identity Router Log Files.
- In the Cloud Administration Console, you can view the status of the identity routers in your deployment, test the identity router, and perform related tasks. For instructions, see Manage Identity Routers.
RSA SecurID Access My Page is a web portal that gives users a secure way to complete authenticator registration and, if necessary, delete their authenticators.
By default, My Page is disabled. You must enable it in the Cloud Administration Console before users can use My Page.
To protect My Page, you must also select the primary authentication method and the access policy used for additional authentication when signing in to My Page. This policy must meet the following criteria:
- Specify an identity source that is configured for both Authentication Manager and the Cloud Authentication Service.
- Require an authentication method that your Authentication Manager users can provide when they access My Page, for example, LDAP password or RSA SecurID Token.
For instructions, see Manage RSA SecurID Access My Page.
Now that Authentication Manager is connected to the Cloud Authentication Service and you have deployed the embedded identity router, you can optionally invite existing RSA SecurID users to download the Authenticate app, register an authenticator, and help you to test the deployment.
- Prepare users with the resources provided by Educating Your Users.
- Decide if you want to customize the email template that will be used to invite users. For instructions, see Customize the Cloud Authentication Service Invitation.
- Invite users to download the RSA SecurID Authenticate app, register their authenticators, and access agent-protected resources. For instructions, see Send an RSA SecurID Authenticate Invitation to Users.
You can use the Authentication Manager Operations Console to download logs and reports for troubleshooting. Because these log files are not included in the product backup, archive them by downloading them periodically. For instructions, see Download Troubleshooting Files.
Additional log files are provided in the Identity Router Setup Console. For instructions, see Enable Emergency Debug Logging and Generate and Download the Identity Router Log Bundle.