RSA Authentication Manager Secure Proxy Server for the Cloud Authentication Service

Document created by RSA Information Design and Development Employee on Jul 27, 2020. Last modified by RSA Link Admin on Sep 18, 2020.

You can use RSA Authentication Manager as a secure proxy server that sends authentication requests to the Cloud Authentication Service. Authentication Manager always validates RSA SecurID hardware and software tokens and on-demand authentication, and Authentication Manager always sends Approve and Device Biometrics to the Cloud Authentication Service.

Authentication Manager sends Authenticate Tokencode to the Cloud Authentication Service. If Authentication Manager cannot communicate with the Cloud Authentication Service, Authentication Manager provides high availability by performing local authentication using Authenticate Tokencode.

When Authentication Manager is used as a proxy server, requests for other authentication methods are automatically sent to the Cloud Authentication Service. Authentication methods that are forwarded include SMS Tokencode, Voice Tokencode, and Authentication conditions requiring combinations of methods (such as Approve AND RSA SecurID token). For more information, see Authentication Methods for Cloud Authentication Service Users.

Configuring Authentication Manager as a secure proxy server offers the following benefits:

  • Creates one secure connection to the Cloud Authentication Service for authentication requests as opposed to connecting to the Cloud Authentication Service with many authentication agents. There is no need to configure firewall rules for multiple authentication agents. You can prevent certain users from accessing external resources, but allow these users to authenticate to the Cloud Authentication Service through Authentication Manager.
  • Supports all authentication methods supported by REST protocol authentication agents, whether verified by Authentication Manager or the Cloud Authentication Service.
  • Provides high availability using Authenticate Tokencode to the Cloud Authentication Service for users and authentication agents.

By default, this feature is enabled when you connect to the Cloud Authentication Service or upgrade to RSA Authentication Manager 8.5 after connecting to the Cloud Authentication Service with version 8.4 Patch 4 or later. To use high availability with this feature, you must connect again after upgrading from version 8.4 Patch 4 or later. This configuration supports cloud-based authentication for REST protocol authentication agents, such as RSA Authentication Agent 8.0 or later for PAM, MFA Agent 2.0 for Microsoft Windows, and RSA Authentication Agent 2.0 or later for Microsoft AD FS.

For configuration instructions, see Configure RSA Authentication Manager as a Secure Proxy Server for the Cloud Authentication Service.

Offline Authentication for RSA Authentication Agents

For some newer authentication agents, such as the RSA MFA Agent 2.0 for Microsoft Windows, using Authentication Manager as a secure proxy server provides high availability for authentication methods that require the Cloud Authentication Service:

  • Offline emergency access codes can be automatically downloaded for users who access the authentication agent. Users can continue to authenticate if the connection to Authentication Manager or the Cloud Authentication Service is not available. For more information, see Emergency Tokencode.
  • Authentication agents automatically download offline data day files through Authentication Manager for uninterrupted authentication to the Cloud Authentication Service. If an authentication agent is unable to access Authentication Manager, then the authentication agent uses the downloaded day files for authentication. This feature is enabled in the Cloud Authentication Service. For instructions, see your agent documentation.

High Availability Tokencodes for the Secure Proxy Server

When Authentication Manager is used as a secure proxy server for the Cloud Authentication Service, users can access RSA SecurID protected resources with Authenticate Tokencode when RSA Authentication Manager cannot communicate with the Cloud Authentication Service. For configuration instructions, see Configure High Availability Tokencodes.

Note: If High Availability Tokencode is not configured and Authentication Manager cannot communicate with the Cloud Authentication Service, users are prompted for Authenticate Tokencode, but cannot authenticate.

When this feature is configured, Authentication Manager automatically downloads High Availability Tokencode records from the Cloud Authentication Service. Authentication Manager determines if the Cloud Authentication Service is reachable, and if local authentication is needed.

When the Cloud Authentication Service is not available, authentication proceeds as follows:

  • Users who require the Cloud Authentication Service for authentication are prompted for Authenticate Tokencode and not the authentication methods specified by the access policy, for example, Device Biometrics or a combination of Approve AND RSA SecurID token.
  • If the Authenticate Tokencode is in Next Token mode or New PIN mode, Authentication Manager uses the downloaded tokencode records to successfully authenticate.
  • Authentication Manager determines whether a user is enabled, disabled, or locked. User status from the Cloud Authentication Service is not available until the connection is restored.

Authentication records and information about the status of communication between Authentication Manager and the Cloud Authentication Service are recorded in log files and in the Authentication Manager System Activity Monitor.
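The routing and fallback rules described above (which methods Authentication Manager validates itself, which it forwards, and what happens to cloud-dependent methods when the Cloud Authentication Service is unreachable) can be collapsed into a small decision table. The following Python model is an added example written for this page, not RSA's code; the method names, the ProxyState fields and the sample user statuses are constructed for illustration.

```python
"""Constructed model (not RSA's code) of Authentication Manager (AM) acting as a
secure proxy to the Cloud Authentication Service (CAS), including the High
Availability Tokencode fallback described on this page."""
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    VALIDATED_LOCALLY = "validated locally by AM"
    FORWARDED_TO_CAS = "forwarded to the Cloud Authentication Service"
    HA_TOKENCODE_PROMPT = "Authenticate Tokencode prompt, checked against downloaded HA records"
    HA_TOKENCODE_DENIED = "Authenticate Tokencode prompt, but no HA records: authentication fails"


# Methods AM always validates itself (hardware/software tokens, on-demand).
LOCAL_METHODS = {"securid_token", "on_demand"}
# Methods AM always sends to CAS; these are never validated locally.
CLOUD_ONLY_METHODS = {"approve", "device_biometrics"}
# Normally sent to CAS, but usable locally when CAS is unreachable and HA is on.
HA_METHOD = "authenticate_tokencode"
# Anything else (SMS Tokencode, Voice Tokencode, policy combinations) is forwarded.


@dataclass
class ProxyState:
    cloud_reachable: bool              # AM's own reachability check of CAS
    ha_tokencode_configured: bool      # High Availability Tokencode feature enabled
    # Constructed sample of the user status AM tracks itself (enabled/disabled/locked).
    local_user_status: dict = field(default_factory=dict)


def route(method: str, state: ProxyState) -> Outcome:
    """Decide where a request for `method` is handled in the current state."""
    if method in LOCAL_METHODS:
        return Outcome.VALIDATED_LOCALLY
    if state.cloud_reachable:
        return Outcome.FORWARDED_TO_CAS
    # CAS unreachable: every cloud-dependent method, including Approve,
    # Device Biometrics and combination policies, collapses to an
    # Authenticate Tokencode prompt. It only succeeds if HA records were downloaded.
    if state.ha_tokencode_configured:
        return Outcome.HA_TOKENCODE_PROMPT
    return Outcome.HA_TOKENCODE_DENIED


def offline_user_permitted(user: str, state: ProxyState) -> bool:
    """While CAS is down, only AM's own enabled/disabled/locked view of the user applies;
    CAS-side status is unknown until the connection is restored, so unknown users fail closed."""
    return state.local_user_status.get(user) == "enabled"


def run_scenarios() -> dict:
    """Evaluate a constructed scenario table and return {label: outcome} for inspection."""
    up = ProxyState(cloud_reachable=True, ha_tokencode_configured=False)
    down_no_ha = ProxyState(cloud_reachable=False, ha_tokencode_configured=False,
                            local_user_status={"alice": "enabled", "bob": "locked"})
    down_with_ha = ProxyState(cloud_reachable=False, ha_tokencode_configured=True,
                              local_user_status={"alice": "enabled", "bob": "locked"})
    return {
        "securid token, cloud down": route("securid_token", down_no_ha).value,
        "approve, cloud up": route("approve", up).value,
        "device biometrics, cloud down, HA on": route("device_biometrics", down_with_ha).value,
        "authenticate tokencode, cloud down, HA off": route(HA_METHOD, down_no_ha).value,
        "alice permitted offline": offline_user_permitted("alice", down_with_ha),
        "bob permitted offline": offline_user_permitted("bob", down_with_ha),
    }


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label}: {result}")
```

The scenario table makes the operational point visible: with the Cloud Authentication Service unreachable and High Availability Tokencode not configured, every cloud-dependent method prompts for Authenticate Tokencode and then fails, which is exactly the state the note above warns about and the condition worth alerting on from the System Activity Monitor logs.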

An internal REST protocol agent called @#RSAHighAvailability_#@_InternalAgent1#@ provides High Availability Tokencodes to users when the connection to the Cloud Authentication Service is not available. You cannot edit, enable, disable, or delete this internal agent.
