Quick Setup - Connect RSA Authentication Manager to the Cloud Authentication Service with an Embedded Identity Router

Document created by RSA Information Design and Development Employee on Jun 7, 2020. Last modified by RSA Information Design and Development Employee on Jan 19, 2021.
Version 7

This guide helps you quickly set up your production deployment for the Cloud Authentication Service with an embedded identity router in RSA Authentication Manager 8.5 Patch 1 or later.

An identity router is software that enforces authentication and access for users of protected resources. By downloading and configuring the embedded identity router to the Authentication Manager primary and each replica instance, you can save the time and cost of deploying separate identity routers in your network.

The embedded identity router supports authentication only to third-party SSO solutions that use the Cloud Authentication Service as the identity provider (IdP) for managing authentication, as described in Relying Parties. It does not support authentication to applications through RADIUS in the Cloud Authentication Service, or single sign-on (SSO) using the RSA SecurID Access Application Portal. To use these features, you must deploy your identity router on another platform.

Perform these steps:


Step 1: Plan

You need to plan a few things:

Review the Planning Guide for a conceptual overview of the Cloud Authentication Service.

What You Need to Have

                               
RSA Authentication Manager 8.5 Patch 1 or later
    Authentication Manager must be deployed in your environment.

A Cloud Authentication Service account with sign-in credentials for the Cloud Administration Console
    If you do not already have an account, call 1 800 995-5095 and choose Option 1 to speak to your RSA Sales Representative.

Microsoft Active Directory 2008 or 2012, or an LDAPv3 directory server
    Create a group with a limited number of users (for example, RSA SecurID Access Test Group) to synchronize and test with.

SSL/TLS certificate from your LDAP directory server
    Used for an encrypted connection (LDAPS) to your directory server. Download the SSL/TLS certificate from your directory server. If your directory server does not have a certificate, install one. See Cloud Authentication Service Certificates.

A mobile device or Windows PC
    See RSA SecurID Authenticate Device Requirements.

What You Need to Know

RSA SecurID Access uses a hybrid architecture that consists of two components:

  • The Cloud Authentication Service is a cloud service that provides an easy-to-use Cloud Administration Console and powerful identity assurance engine.

  • An identity router that does the following:
    • Connects the Cloud Authentication Service to your identity sources.

    • Sends authentication requests to the Cloud Authentication Service for validation.

    • Enforces access policies to determine which applications users can access, when additional authentication is needed, and which authentication methods are required.

You are deploying an embedded identity router, which is easier to set up than a standalone identity router.

Add your values to the following worksheet. You will use this information later.

                       
Cloud Administration Console and Cloud Authentication Service (your values):
  • US region: <authentication_service_domain>, *.access.securid.com (52.188.41.46, 52.160.192.135)
  • ANZ region: <authentication_service_domain>, *.access-anz.securid.com (20.37.53.30, 20.39.99.202)
  • EMEA region: <authentication_service_domain>, *.access-eu.securid.com (51.105.164.237, 52.155.160.141)

Your authentication service domain appears in the Cloud Administration Console on the Platform > Identity Router > Registration page when you add an identity router.

To check the status of your Cloud connections, see View Identity Router Status in the Cloud Administration Console.

To test access to the IP addresses, see Test Access to Cloud Authentication Service.

LDAP directory server (your values):
  • IP address
  • FQDN
  • Base DN of users (the root from which users will be synchronized, for example, DC=company,DC=com)
  • Administrator account credentials that RSA SecurID Access can use to connect to the directory server

Connectivity Requirements

Replace the values in the table below with your values from the table above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules for your network. Update your connectivity settings before continuing with the next step.

                                                   
Note: The embedded identity router supports the use of one network interface.

  • Source: 0.0.0.0/0
    Destination: Both Cloud Authentication Service environments
    Protocol and port: TCP 443
    Purpose: External user access to the Cloud Authentication Service

  • Source: <Your identity router management interface IP address>
    Destination: Cloud Administration Console and both Cloud Authentication Service environments
    Protocol and port: TCP 443
    Purpose: Identity router registration
    Note: If your company uses URL filtering, be sure that *.access.securid.com, *.auth.securid.com, and the Cloud Authentication Service IP addresses for your region are whitelisted. Also, confirm that you can access both environments.

  • Source: <Your identity router management interface IP address>
    Destination: <Your LDAP directory server IP address>
    Protocol and port: TCP 636
    Purpose: LDAP directory user authentication and authorization

  • Source: <Your identity router portal interface IP address or identity router management interface IP address>
    Destination: <Your DNS server IP address>
    Protocol and port: UDP 53
    Purpose: DNS

  • Source: <Your identity router portal interface IP address or identity router management interface IP address>
    Destination: <Your NTP server IP address>
    Protocol and port: UDP 123
    Purpose: Network time server synchronization

  • Source: RSA Authentication Manager internal firewall
    Destination: Authentication Manager
    Protocol and port: TCP 9786
    Purpose: Identity router configuration and communication with Authentication Manager

Step 2: Set Up the Cloud Connection

If your RSA Authentication Manager deployment is not connected to the Cloud Authentication Service or if you connected before upgrading to version 8.5, you must configure the connection.

Before you begin 

Know which access policy will be applied to all users who access these resources, or configure a new access policy. An access policy determines which users can access your protected resources and which authentication methods they are required to use. You can use a preconfigured policy or create your own. For more information, see Access Policies.

Procedure 

  1. Obtain a Registration Code and Registration URL from the Cloud Authentication Service. In the Cloud Administration Console, click Platform > Authentication Manager, select an access policy, generate the Registration Code and Registration URL, and save this information in a text file.

  2. In the Security Console, click Setup > System Settings.

  3. Click Cloud Authentication Service Configuration.

  4. If RSA Authentication Manager is behind an external firewall that restricts outbound traffic, you must configure a proxy server.

  5. Connect Authentication Manager to the Cloud Authentication Service:
    1. Under Register Authentication Manager with the Cloud Authentication Service, copy and paste the Registration Code and the Registration URL.
    2. Click Connect to the Cloud Authentication Service.

    A message indicates that the connection is established. The Cloud Authentication Service details are automatically updated and saved.

  6. Under Cloud Authentication Service Configuration, click Enable Cloud Authentication.

  7. Optionally, select the Send Multifactor Authentication Requests to the Cloud checkbox.

    When selected, Authentication Manager acts as a secure proxy server that sends authentication requests to the Cloud Authentication Service. This feature supports all authentication methods supported by REST protocol authentication agents, whether verified by Authentication Manager or the Cloud Authentication Service.

  8. Click Save.

Step 3: Deploy the Embedded Identity Router

You can download and configure the embedded identity router on the primary instance and on at least one replica instance. Deploying more than one identity router provides redundancy when a replica is promoted for maintenance or in a disaster recovery situation. The embedded identity router is not included in Authentication Manager backup files.

Procedure 

  1. In the Cloud Administration Console, add an identity router record. Either record the Registration Code and the Authentication Service Domain now, or plan to copy this information later.

  2. In the Security Console, click Setup > System Settings.

  3. Click Cloud Authentication Service Identity Router.

  4. Click Download & Install Identity Router.

    Progress messages display. The process takes a couple of minutes, depending upon your network speed.

    You can click Back to navigate away from the page without stopping the process.

    After installation is complete, you must register the identity router with the Cloud Authentication Service.

  5. Click Configure Identity Router to open the Identity Router Setup Console.

  6. The first time you log on, use these credentials:

    Username: idradmin

    Password: s1mp13

    You are prompted to change the password.

    Record this password, so that you can access it when you need it.

  7. Sign in with the new password.

  8. Paste the Registration Code and Authentication Service Domain that you copied in Step 2 into the corresponding fields of the Identity Router Setup Console.

  9. Click Submit. The identity router is registered with the Cloud Authentication Service.

After you finish 

(Optional) Deploy the embedded identity router on at least one replica instance.

Step 4: Connect the LDAP Directory to the Cloud Authentication Service

Perform these steps to connect to an LDAP directory quickly using only required settings. If you want to use advanced options, see Add an Identity Source.

Procedure 

  1. In the Cloud Administration Console, click Users > Identity Sources.

  2. Click Add an Identity Source > Select next to the directory to add.

  3. Enter the identity source name and root (the base DN for users from the planning worksheet).

  4. In the SSL/TLS Certificates section:
    1. Select Use SSL/TLS encryption to connect to the directory servers.

    2. Click Add and select the SSL/TLS certificate.

  5. In the Directory Servers section, add each directory server in the identity source, and test the connection.

  6. Click Next Step.

  7. On the User Attributes page, click Refresh Attributes, and verify that a valid list of attributes appears.

  8. Select the checkbox Synchronize the selected policy attributes with the Cloud Authentication Service.

  9. In the Policies column, select sAMAccountName, virtualGroups, and memberOf or other attributes that you might use to identify users.

  10. Click Next Step.
  11. In the User Search Filter field, specify your test group using a filter. The following is an Active Directory example:

    (&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf=<yourgroup_distinguishedName>))

    where <yourgroup_distinguishedName> is the distinguished name of your test administrator group.

    For example:

    (&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf=CN=SecurIDAccessUsers,OU=Groups,DC=Corp,DC=local))

  12. Click Save and Finish.

  13. Click Publish Changes.
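To see which accounts the user search filter above admits, the following is an added example (not RSA's code): it builds the Step 4 filter for a given group DN, escaping the DN per RFC 4515 so that a group name containing parentheses or asterisks cannot break or widen the filter, and evaluates the same five conditions against constructed directory entries. The sample entries, the placeholder domain, and the helper names are assumptions.

```python
# RFC 4515 escapes for filter assertion values, applied in a single pass.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape the group DN so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_search_filter(group_dn: str) -> str:
    """The page's Active Directory filter with <yourgroup_distinguishedName> filled in."""
    return ("(&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)"
            f"(memberOf={escape_filter_value(group_dn)}))")

def _values(entry: dict, name: str) -> list:
    """Case-insensitive attribute lookup; single values are returned as one-item lists."""
    for key, val in entry.items():
        if key.lower() == name.lower():
            return [val] if isinstance(val, str) else list(val)
    return []

def matches_user_filter(entry: dict, group_dn: str) -> bool:
    """Apply the filter's five conditions to one entry; DNs compare case-insensitively."""
    # AD stores objectCategory as a schema DN; objectCategory=Person matches on its leading CN.
    categories = [v.split(",")[0].split("=", 1)[-1].lower() for v in _values(entry, "objectCategory")]
    return ("person" in categories
            and bool(_values(entry, "sAMAccountName"))
            and "user" in [v.lower() for v in _values(entry, "objectClass")]
            and bool(_values(entry, "mail"))                      # (mail=*): no mail, no sync
            and group_dn.lower() in [v.lower() for v in _values(entry, "memberOf")])

def synchronized_users(entries: list, group_dn: str) -> list:
    """sAMAccountNames the Cloud Authentication Service would pull in at synchronization."""
    return [_values(e, "sAMAccountName")[0] for e in entries if matches_user_filter(e, group_dn)]

# Constructed sample data using the page's example group DN (placeholder domain).
GROUP_DN = "CN=SecurIDAccessUsers,OU=Groups,DC=Corp,DC=local"
PERSON, COMPUTER = "CN=Person,CN=Schema,DC=Corp,DC=local", "CN=Computer,CN=Schema,DC=Corp,DC=local"
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    {"objectCategory": PERSON, "objectClass": USER_CLASSES, "sAMAccountName": "alice",
     "mail": "alice@corp.example", "memberOf": [GROUP_DN]},                 # synchronized
    {"objectCategory": PERSON, "objectClass": USER_CLASSES, "sAMAccountName": "bob",
     "memberOf": [GROUP_DN]},                                                 # no mail: skipped
    {"objectCategory": COMPUTER, "objectClass": USER_CLASSES + ["computer"],
     "sAMAccountName": "WS01$", "mail": "ws01@corp.example", "memberOf": [GROUP_DN]},  # computer
]

if __name__ == "__main__":
    print(build_user_search_filter(GROUP_DN))
    print(synchronized_users(SAMPLE_ENTRIES, GROUP_DN))  # ['alice']
```

A group member with no mail attribute is silently left out by the (mail=*) clause, which is the first thing to check when a test user does not appear after synchronization.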

Synchronize the LDAP Directory

Synchronize data between the Cloud Authentication Service and your LDAP directory to ensure that the Cloud Authentication Service reflects any updates made to the LDAP directory.

During synchronization, users are added and attribute values that you selected in the previous step are copied to the Cloud Authentication Service. User passwords are not synchronized.

Procedure 

  1. In the Cloud Administration Console, click Users > Identity Sources.

  2. Next to your identity source, select Synchronization from the drop-down menu.

  3. In the Identity Source Details section, click Synchronize Now.

    Depending on the number of users you are synchronizing, this process can take a number of minutes.

Step 5: Enable My Page

RSA SecurID Access My Page is a web portal that helps provide a secure way for users to complete authenticator registration. Perform these steps to enable My Page for your company. If you want to configure advanced settings for My Page, see Manage My Page.

Procedure 

  1. In the Cloud Administration Console, click Platform > My Page.
  2. Enable My Page.

  3. Write down your My Page URL.
  4. In the Primary Authentication Method drop-down list, select the authentication method to use.

  5. In the Access Policy for Additional Authentication drop-down list, select the No Additional Authentication policy that you created earlier.

  6. Click Save.

Step 6: Protect a Resource

Configure an application to be protected by RSA SecurID Access. The application must be a third-party SSO solution that uses the Cloud Authentication Service as the identity provider (IdP) for managing authentication, as described in Relying Parties. In the configuration wizard, select the preconfigured access policy All Users Low Assurance Level. If you prefer to create a policy, see Add, Clone, or Delete an Access Policy.

For instructions for all supported applications, see the RSA SecurID Access category on RSA Ready.

Step 7: Test

Register a Device with the RSA SecurID Authenticate App

Perform these steps to quickly register a device. For additional information, see Registering Devices with RSA SecurID Authenticate App.

Procedure 

  1. On one device (for example, your computer), do the following:

    1. Go to RSA SecurID Access My Page.
    2. Enter your email address.

    3. Enter your RSA SecurID passcode or password, depending on what you configured.

    4. Complete any additional authentication that you are prompted for.

    5. Click RSA SecurID Authenticate app > Get Started.

  2. On another device (iOS, Android, or Windows 10), download the RSA SecurID Authenticate app.

  3. On your computer, on the Registration page, click Next.

  4. On your mobile device, do the following:

    1. Open the RSA SecurID Authenticate app.

    2. Tap Allow to allow the Authenticate app to send notifications.

    3. Allow or deny Google Analytics data collection. You can select either option to use the Authenticate app.

    4. Accept the license agreement.

    5. Tap Scan QR Code.

    6. Allow the app to access your camera.

    7. Scan the QR code that displays in My Page.

    8. Tap OK after setup is complete.

    9. Swipe through the tutorial.

    10. The app home screen appears, and the app is ready for use.

  5. On your computer, on the Registration page, click Test Now.

  6. RSA SecurID Access sends a notification to your registered device.

  7. On your mobile device, tap the notification and approve it.

  8. The My Page home screen displays. You have successfully registered and tested your device.

Step 8: Sign Into the Protected Resource

Procedure 

  1. Start the sign-in process to the protected resource.

    RSA SecurID Access sends a notification to your phone.

  2. Tap Approve on your mobile device.

  3. Select Remember this browser, and click Continue.

    You are signed into the resource.

Step 9: Optional Next Steps

                       
Task: Invite existing RSA SecurID users to download the Authenticate app, register an authenticator, and help you to test the deployment.
Instructions:
  1. Prepare users with the resources provided by Educating Your Users.
  2. Decide if you want to customize the email template that will be used to invite users. See Customize the Cloud Authentication Service Invitation.
  3. Invite users to download the RSA SecurID Authenticate app, register their authenticators, and access agent-protected resources. See Send an RSA SecurID Authenticate Invitation to Users.

Task: View the status of the identity routers, test the identity router, and perform related tasks.
Instructions: See Manage Identity Routers in the Cloud Administration Console.

Task: Troubleshoot identity router issues.
Instructions: See Download Troubleshooting Files, Enable Emergency Debug Logging, and Generate and Download the Identity Router Log Bundle.