000012089 - How to setup On-Demand Authentication (ODA) in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Apr 16, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000012089
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
IssueThis article explains how to setup, configure and enable On-Demand Authentication (ODA) in RSA Authentication Manager 8.x
CauseThe On-Demand Authentication (ODA) enablement process has changed. In earlier versions of RSA Authentication Manager you logged into the Self Service Console to request an On-Demand tokencode.  In Authentication Manager 8.x, you create the user's On-Demand PIN, and you login with the PIN first, then wait for email that contains the On-Demand tokencode.

Before completing the steps below, ensure you have successfully configured on-demand tokencode delivery. For more information see the online help topic entitled Configure On-Demand Tokencode Delivery.

You must have an Enterprise License for On-Demand Authentication or Risk Based Authentication (RBA).  Confirm this in the Security Console under Setup > License Status.

Enable ODA for the user 

  1. Search for the user in the Security Console under Identity > Users > Manage Existing.
  2. When the user in question is returned, click on the context arrow next to the user name and select SecurID Tokens.
  3. Hardware and software tokens assigned to the user are listed at the top of the page. Scroll down to the section labeled On-Demand Authentication (ODA).
  4. Check the option to enable the user for on-demand authentication.
    1. Optionally, you can set an expiration for this on-demand token.
    2. For Send On-Demand Tokencodes, ensure the correct attribute is set and update if needed.
    3. For the attribute, enter the email address or mobile number.
    4. For Associated PIN, choose to require the users to set the PIN through the Self-Service Console or set the initial PIN for the user.  
  5. When done, click Save.

Using the On-Demand Token

  1. The user opens a browser window, VPN client or Windows login page and accesses the company web portal or protected resource (also known as an authentication agent).
  2. When prompted, the user enters their user ID and PIN
  3. A one time tokencode is sent to the users mobile phone via SMS or email.
  4. The user enters the tokencode into the browser/login page.
  5. The user gains access to the protected resource

You do not need to enable ODA or ODT on an agent.  Check the RSA Ready implementation Guides for support on partner platforms with either SecurID or RADIUS protocol.

Legacy Article IDa65473