Cloud Authentication Service POC Quick Setup Guide

Document created by RSA Information Design and Development Employee on Sep 29, 2020. Last modified by RSA Information Design and Development Employee on Nov 17, 2020.
Version 2

Welcome to the Cloud Authentication Service! This guide helps you get up and running in less than an hour in your own test environment.

Step 1: Plan

Step 2: Deploy the Identity Router

Step 3: Connect to Active Directory

Step 4: Add an Access Policy

Step 5: Protect the Cloud Administration Console

Step 6: Test

To download a PDF version of this guide, sign in to RSA Link and click Action > View as PDF.

Step 1: Plan

There are a few things you need to plan to deploy your system.

What You Need to Have

                           
Item: Sign-in credentials to the Cloud Administration Console

Description: Sign-in credentials are emailed to you after you request an environment from RSA Sales or your partner, or complete the trial form.

Be sure that the email address that you provide to RSA is for a real user in your Active Directory and not, for example, a group alias or general account.

For browser requirements, see Supported Browsers for the Cloud Administration Console.

Item: Virtual appliance infrastructure

Description: Hardware requirements for the image file:

  • Disk space: 54 GB
  • Memory: 8 GB
  • Virtual CPUs: 4
  • Network interface: Two E1000 virtual network adapters

VMware software requirements:

  • VMware Platform: VMware ESXi 5.5 or later (currently the 6.x series)
  • VMware vSphere Client: Any version that works with the supported ESXi deployments

Item: Microsoft Active Directory 2008 or 2012

Description: Create a group with a limited number of users (for example, RSA SecurID Access Test Group) to synchronize and test with.

Item: A mobile device or Windows PC

Description: A device running one of the following:

  • iOS 11.0 or later
  • Android 6.0 or later
  • Windows 10 Version 1511 or later

What You Need to Know

RSA SecurID Access uses a hybrid architecture that consists of two components:

  • The Cloud Authentication Service is a cloud service that provides an easy-to-use Cloud Administration Console and powerful identity assurance engine.

  • The identity router is an on-premises virtual appliance that securely connects your on-premises resources, such as Active Directory, to the Cloud Authentication Service. This VM has two network interfaces. Place one interface in a public-facing network and the other in a private network where it can reach your Active Directory.

Add your values to the following worksheet. You will use this information in the next section and during setup.

                                   

Item: Cloud Administration Console and Cloud Authentication Service

Your values, by region:

  • US region: <authentication_service_domain>, *.access.securid.com (52.188.41.46, 52.160.192.135)
  • ANZ region: <authentication_service_domain>, *.access-anz.securid.com (20.37.53.30, 20.39.99.202)
  • EMEA region: <authentication_service_domain>, *.access-eu.securid.com (51.105.164.237, 52.155.160.141)

Your authentication service domain appears in the Cloud Administration Console on the Platform > Identity Router > Registration page when you add an identity router.

For instructions on checking the status of your Cloud connections, see View Identity Router Status in the Cloud Administration Console.

To test access to the IP addresses, see Test Access to Cloud Authentication Service.

Item: Active Directory server

Your values:

  • IP address: ______
  • FQDN: ______
  • Base DN of users (the root from which users will be synchronized, for example, DC=company, DC=com): ______
  • Administrator account credentials that RSA SecurID Access can use to connect to the directory server: ______

Item: DNS server IP address

Your value: ______ (see Identity Router DNS Requirements)

Item: NTP server IP address

Your value: ______

Item: Identity router management interface (private, required for all deployments)

Your values:

  • IP address: ______
  • Netmask: ______
  • Gateway: ______
  • Short hostname: ______
  • FQDN: ______

Item: Identity router portal interface (public, required for SSO Agent deployments with an on-premises identity router)

Your values:

  • IP address: ______
  • Netmask: ______
  • Gateway: ______
  • Short hostname: ______
  • FQDN: ______

Connectivity Requirements

Replace the values in the table below with your values from the table above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules. Update your firewall rules before continuing with the next step.

                                                   

Each row of the table lists Source, Destination, Protocol and Port, and Purpose.

Row 1
  • Source: 0.0.0.0/0
  • Destination: Cloud Authentication Service
  • Protocol and port: TCP 443
  • Purpose: External user access to Cloud Authentication Service

Row 2
  • Source: <Your administrators>
  • Destination: <Your identity router management interface IP address>
  • Protocol and port: On-premises (two network interfaces): TCP 443. One network interface or Amazon: TCP 9786
  • Purpose: Identity Router Setup Console

Row 3
  • Source: <Your identity router portal interface IP address>
  • Destination: Cloud Administration Console and Cloud Authentication Service
  • Protocol and port: TCP 443
  • Purpose: Identity router registration

  Note: If your company uses URL filtering, be sure that *.access.securid.com, *.auth.securid.com, and the Cloud Authentication Service IP addresses for your region are whitelisted.

Row 4
  • Source: <Your identity router management interface IP address>
  • Destination: <Your Active Directory server IP address>
  • Protocol and port: TCP 389
  • Purpose: LDAP directory user authentication and authorization

Row 5
  • Source: <Your identity router portal interface IP address or identity router management interface IP address>
  • Destination: <Your DNS server IP address>
  • Protocol and port: UDP 53
  • Purpose: DNS

Row 6
  • Source: <Your identity router portal interface IP address or identity router management interface IP address>
  • Destination: <Your NTP server IP address>
  • Protocol and port: UDP 123
  • Purpose: Network time server synchronization
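The script below is an added example, not part of RSA's documentation or product. Run it from a host on the identity router's network path before handing the firewall request to IT: it probes the outbound rows of the table (TCP 443 to the region's Cloud Authentication Service addresses, TCP 389 to Active Directory, UDP 53 to DNS and UDP 123 to NTP) and reports which rows are blocked. The region addresses are the ones listed in the worksheet; the Active Directory, DNS and NTP addresses and the <authentication_service_domain> in the usage block are placeholders to replace with your own worksheet values. The two inbound rows (users to the cloud, administrators to the Setup Console) are checked from the client side and are not probed here. The TCP 389 row is cleartext LDAP, which matches the POC choice in Step 3 to leave SSL/TLS unselected.

```python
"""Pre-flight check of the outbound rows in the connectivity table.

Added example (not RSA's code). Probes the rows the identity router itself
needs: TCP 443 to the region's Cloud Authentication Service addresses,
TCP 389 to Active Directory, UDP 53 to DNS and UDP 123 to NTP.
"""
import socket
import struct
from dataclasses import dataclass

# Cloud Authentication Service addresses per region, copied from the worksheet.
REGION_ADDRESSES = {
    "US": ["52.188.41.46", "52.160.192.135"],
    "ANZ": ["20.37.53.30", "20.39.99.202"],
    "EMEA": ["51.105.164.237", "52.155.160.141"],
}

@dataclass(frozen=True)
class Rule:
    destination: str      # IP address from the worksheet
    proto: str            # "tcp" or "udp"
    port: int
    purpose: str
    qname: str = ""       # DNS row only: the name the router must resolve

def worksheet_rules(region, auth_domain, ad_ip, dns_ip, ntp_ip):
    """Outbound rows of the connectivity table for one identity router."""
    rules = [Rule(ip, "tcp", 443, "Identity router registration")
             for ip in REGION_ADDRESSES[region]]
    rules += [
        # TCP 389 is unencrypted LDAP; the POC in Step 3 leaves SSL/TLS unselected.
        Rule(ad_ip, "tcp", 389, "LDAP directory user authentication and authorization"),
        Rule(dns_ip, "udp", 53, "DNS", qname=auth_domain),
        Rule(ntp_ip, "udp", 123, "Network time server synchronization"),
    ]
    return rules

def probe_tcp(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def build_dns_query(name, txid):
    """Minimal standard A query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN

def _udp_exchange(server_ip, port, payload, timeout):
    """Send one datagram and return the reply, or b"" on timeout/unreachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(payload, (server_ip, port))
            data, _ = s.recvfrom(512)
        except OSError:
            return b""
    return data

def probe_dns(server_ip, name, port=53, timeout=3.0):
    """True if the server answers our transaction id with the QR (response) bit set."""
    txid = 0x1D52   # constructed transaction id; any 16-bit value works for a one-shot probe
    data = _udp_exchange(server_ip, port, build_dns_query(name, txid), timeout)
    return len(data) >= 12 and data[:2] == struct.pack("!H", txid) and bool(data[2] & 0x80)

def probe_ntp(server_ip, port=123, timeout=3.0):
    """Send an NTPv3 client packet (mode 3) and require a server reply (mode 4)."""
    data = _udp_exchange(server_ip, port, b"\x1b" + 47 * b"\x00", timeout)
    return len(data) >= 48 and (data[0] & 0x07) == 4

def check_rule(rule, timeout=3.0):
    if rule.proto == "tcp":
        return probe_tcp(rule.destination, rule.port, timeout)
    if rule.port == 53:
        return probe_dns(rule.destination, rule.qname, timeout=timeout)
    if rule.port == 123:
        return probe_ntp(rule.destination, timeout=timeout)
    raise ValueError(f"no probe for {rule.proto}/{rule.port}")

def run_checks(rules, timeout=3.0):
    """Map each (destination, proto, port) to True/False so blocked rows stand out."""
    return {(r.destination, r.proto, r.port): check_rule(r, timeout) for r in rules}

if __name__ == "__main__":
    # Placeholder worksheet values; replace them with yours before running.
    rules = worksheet_rules("US", "<authentication_service_domain>",
                            ad_ip="10.0.0.10", dns_ip="10.0.0.53", ntp_ip="10.0.0.123")
    for rule in rules:
        status = "OK     " if check_rule(rule) else "BLOCKED"
        print(f"{status} {rule.proto.upper()} {rule.port:<4} -> {rule.destination:<16} {rule.purpose}")
```

A "BLOCKED" line for a TCP row means no handshake completed (filtered or refused); for the UDP rows it means no well-formed reply came back within the timeout, which is the only way to distinguish a reachable DNS or NTP server from a silently dropped datagram.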

Step 2: Deploy the Identity Router

Add an Identity Router

Procedure 

 
  1. Sign in to the Cloud Administration Console using the URL and credentials that RSA emailed to you.
  2. Click Platform > Identity Routers.
  3. On the Identity Routers page, click Add an Identity Router, and follow the instructions.

    Under Registration Details, copy the Registration Code and Authentication Service Domain to a location where you can access them later on.

  4. Click Close.

Install the Identity Router Virtual Appliance or Machine

You can install the virtual appliance image using a VMware administration client such as vSphere, connecting either to the VMware vCenter Server or directly to the VMware ESXi host.

Procedure 

  1. In the Cloud Administration Console, click Platform > Identity Routers.
  2. Click Download Identity Router Image > Download OVA (for VMware), and save the image to a location accessible by VMware.

  3. To install the identity router virtual appliance, sign in to the VMware client and do the following:

      1. Follow the VMware client documentation to install the virtual appliance from the image. When prompted, enter the following data:

        • Name to use for the virtual appliance
        • VMware host or cluster for the virtual appliance
        • Resource pool for the virtual appliance
        • Storage location or data store to use for the virtual appliance
        • Format for storing virtual disks
        • Networks to be used for the virtual appliance
      2. Power on the virtual machine.

Configure Initial Network Settings Using the Identity Router VM Console

You use the Identity Router VM Console to configure IP addresses and static routes for on-premises identity routers deployed in your VMware or Hyper-V environment.

Procedure 

  1. Connect to the identity router using your VMware management client.
  2. Sign in to the Identity Router VM Console:

    Username: idradmin

    Password: s1mp13

    You are prompted to change these credentials the first time you sign in.

  3. Refer to the planning worksheet for the values to complete the Management sections.  

    Use the Up and Down arrows to navigate the main menu. Press Enter to select a menu option or configure its settings. Use Tab and Shift + Tab to navigate between settings and back to the main menu. When the cursor is in the settings panel, press F10 to save or Esc to revert. Press F10 after you complete each section to save your values.

  4. Select Commit in the left-hand frame to save the network configuration settings.
  5. Write down the URL that appears.

Connect Identity Router to Cloud Administration Console

Procedure 

 
  1. Open a web browser and go to the URL that you wrote down in the previous section.
  2. Sign in to the Identity Router Setup Console:

    Username: idradmin

    Password: s1mp13

    You are prompted to change these credentials the first time you sign in.

  3. Add any DNS servers that you did not add in the Identity Router VM Console.

    Note:  These DNS server settings do not apply for identity routers in the Amazon cloud. Edit the DHCP option set in your Amazon Web Services environment if you need to add DNS servers for an Amazon cloud-based identity router.

  4. If you enabled two network interfaces in the Identity Router VM Console, update the IDR Portal Interface Information section with appropriate details.

  5. Click Update IDR Setup Configuration.

  6. Click Connect Administration Console.

  7. In the Registration Code field, enter the Registration Code displayed when you added the identity router in the Cloud Administration Console.

  8. In the Authentication Service Domain field, enter the Authentication Service Domain displayed when you added the identity router in the Cloud Administration Console.

  9. Click Submit.

    A confirmation message appears when the identity router is connected to the Cloud Administration Console. Also, note that the Identity Router Setup Console contains other pages that provide network diagnostics and detailed logs for the identity router.

  10. Sign in to the Cloud Administration Console to check the status of the identity router (Platform > Identity Routers).

    When the identity router is connected to the Cloud Administration Console, the status reads Active. This process usually takes up to five minutes.

  11. In the Cloud Administration Console, click Publish Changes to apply the configuration settings for the new identity router.

Step 3: Connect to Active Directory

Add a Connection to Active Directory

Procedure 

  1. In the Cloud Administration Console, click Users > Identity Sources.
  2. Click Add an Identity Source > Select next to Active Directory.
  3. Enter the identity source name and root (the base DN for users from the planning worksheet).
  4. In the SSL/TLS Certificate section, unselect Use SSL/TLS encryption to connect to the directory servers.
  5. In the Directory Servers section, add each directory server in the identity source, and test the connection.
  6. Click Next Step.
  7. On the User Attributes page, click Refresh Attributes, and verify that a valid list of attributes appears.
  8. Select Use selected policy attributes with the Cloud Authentication Service.

  9. In the Policies column, select sAMAccountName, virtualGroups, and memberOf or other attributes that you might use to identify users.

  10. Click Next Step.
  11. In the User Search Filter field, specify your test group using a filter. The following is an Active Directory example:

    (&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf=<yourgroup_distinguishedName>))

    Where <yourgroup_distinguishedName> is the distinguished name (DN) of your test administrator group.

    For example, (&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf=CN=SecurIDAccessUsers,OU=Groups,DC=Corp,DC=local))

  12. Click Save and Finish.
  13. Click Publish Changes.
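To check the user search filter before you publish it, here is an added Python example (not RSA's code and not the product's own matching logic). It builds the Step 3 filter from the group's distinguished name with RFC 4515 escaping, so a group CN containing "(", ")", "*" or "\" cannot break or widen the filter, and it dry-runs the filter against constructed sample directory entries so you can see which accounts a synchronization would select. The evaluator supports only what this filter uses (AND, OR, NOT, presence and case-insensitive equality); the sample entries, the group DN and the account names are constructed, and the objectCategory values are simplified to the short form used in the filter.

```python
"""Build and dry-run the Step 3 user search filter (added example, not RSA's code)."""
import re

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value):
    """Escape a value for safe inclusion in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value):
    """Reverse RFC 4515 \\XX escapes (used by the parser below)."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_user_filter(group_dn):
    """The filter shown in Step 3, with the test group's DN as the memberOf value."""
    return ("(&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)"
            f"(memberOf={escape_filter_value(group_dn)}))")

def parse_filter(text):
    """Parse a filter into ('&'|'|', [nodes]), ('!', node) or ('=', attr, value)."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at {i}")
        i += 1
        if text[i] in "&|":
            op, parts, i = text[i], [], i + 1
            while text[i] == "(":
                node, i = parse(i)
                parts.append(node)
            if text[i] != ")":
                raise ValueError(f"expected ')' at {i}")
            return (op, parts), i + 1
        if text[i] == "!":
            node, i = parse(i + 1)
            if text[i] != ")":
                raise ValueError(f"expected ')' at {i}")
            return ("!", node), i + 1
        eq = text.index("=", i)
        close = text.index(")", eq)      # a raw ')' cannot occur inside an escaped value
        return ("=", text[i:eq], unescape_filter_value(text[eq + 1:close])), close + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, entry):
    """entry: dict of lowercase attribute name -> list of values."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr.lower(), [])
    if value == "*":                       # presence test, e.g. (mail=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)   # AD compares these case-insensitively

def preview_sync(filter_text, entries):
    """Return the sAMAccountNames the filter would select, in directory order."""
    tree = parse_filter(filter_text)
    return [e["samaccountname"][0] for e in entries if matches(tree, e)]

# Constructed test group DN; the parentheses in the CN exercise the escaping.
TEST_GROUP_DN = "CN=SecurID (POC) Users,OU=Groups,DC=Corp,DC=local"

# Constructed sample entries, not real directory data. objectCategory is simplified
# to the short form the filter uses; real AD stores the schema DN and resolves "Person".
SAMPLE_ENTRIES = [
    {"objectcategory": ["Person"], "objectclass": ["top", "person", "user"],
     "samaccountname": ["alice"], "mail": ["alice@corp.local"], "memberof": [TEST_GROUP_DN]},
    {"objectcategory": ["Person"], "objectclass": ["top", "person", "user"],
     "samaccountname": ["bob"], "memberof": [TEST_GROUP_DN]},                 # no mail: excluded
    {"objectcategory": ["Person"], "objectclass": ["top", "person", "user"],
     "samaccountname": ["carol"], "mail": ["carol@corp.local"],
     "memberof": ["CN=Domain Users,CN=Users,DC=Corp,DC=local"]},                # other group: excluded
    {"objectcategory": ["Computer"], "objectclass": ["top", "person", "user", "computer"],
     "samaccountname": ["WS01$"], "mail": ["ws01@corp.local"], "memberof": [TEST_GROUP_DN]},  # computer: excluded
]

if __name__ == "__main__":
    flt = build_user_filter(TEST_GROUP_DN)
    print(flt)
    print("would synchronize:", preview_sync(flt, SAMPLE_ENTRIES))
```

The computer account in the sample is why the filter keeps (objectCategory=Person) alongside (objectClass=user): in Active Directory computer objects also carry the user object class, so a filter on objectClass alone would pull machine accounts into the synchronization.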

Synchronize Active Directory for the Cloud Authentication Service

Synchronize data between the Cloud Authentication Service and your LDAP directory to ensure that the Cloud Authentication Service reflects any updates made to the LDAP directory.

During synchronization, users are added and attribute values that you selected in the previous step are copied to the Cloud Authentication Service. User passwords are not synchronized.

Procedure 

  1. In the Cloud Administration Console, click Users > Identity Sources.
  2. Next to your identity source, select Synchronization from the drop-down menu.
  3. In the Identity Source Details section, click Synchronize Now.

    Depending on the number of users you are synchronizing, this process can take a number of minutes.

Step 4: Add an Access Policy

Create an access policy that you will assign to RSA SecurID Access My Page (a web portal used for authenticator registration) when you configure it. For simplicity, this access policy will not require additional authentication of users. You can change this policy in the future.

Procedure 

  1. Sign in to the Cloud Administration Console.
  2. Click Access > Policies.
  3. Click Add a Policy.
  4. Enter the name (for example, No Additional Authentication), and select the identity source.
  5. On the Rule Sets page, do the following:

    1. In Apply to, select All Users.
    2. In Access, specify Allowed.
    3. In Additional Authentication, select Not Required.

     

     
  6. Click Save and Finish.

  7. Click Publish Changes.

   

Step 5: Protect the Cloud Administration Console

Procedure 

  1. In the Cloud Administration Console, click My Account > Company Settings and select the Sessions & Authentication tab.

  2. In the Additional Authentication field, click Enable.

  3. In the Access Policy for Additional Authentication field, select the policy.

  4. Click Save Settings.

  5. Click Publish Changes.

Step 6: Test

Register a Device with the RSA SecurID Authenticate App

Procedure 

  1. On one device (for example, your computer), do the following:

    1. Go to RSA SecurID Access My Page.
    2. Enter your email address.

    3. Enter your RSA SecurID passcode or password, depending on what you configured.

    4. Complete any additional authentication that you are prompted for.

    5. Click RSA SecurID Authenticate app > Get Started.

  2. On another device (iOS, Android, or Windows 10), download the RSA SecurID Authenticate app.

  3. On your computer, on the Registration page, click Next.

  4. On your mobile device, do the following:

    1. Open the RSA SecurID Authenticate app.

    2. Tap Allow to allow the Authenticate app to send notifications.

    3. Allow or deny Google Analytics data collection. You can select either option to use the Authenticate app.

    4. Accept the license agreement.

    5. Tap Scan QR Code.

    6. Allow the app to access your camera.

    7. Scan the QR code that displays in My Page.

    8. Tap OK after setup is complete.

    9. Swipe through the tutorial.

    10. The app home screen appears, and the app is ready for use.

  5. On your computer, on the Registration page, click Test Now.

  6. RSA SecurID Access sends a notification to your registered device.

  7. On your mobile device, tap the notification and approve it.

  8. The My Page home screen appears. You have successfully registered and tested your device.

Sign Into the Cloud Administration Console

Procedure 

  1. Sign out of the Cloud Administration Console.

  2. At the sign-in prompt, enter your user ID and password.

  3. Click Sign In.

  4. Tap Approve on your mobile device.

  5. Select Remember this browser, and click Continue.

You are signed into the Cloud Administration Console!

 

 

 

 
