000012089 - How to setup On-Demand Authentication (ODA) in RSA Authentication Manager 8.x

Before completing the steps below, ensure you have successfully configured on-demand tokencode delivery. For more information see the online help topic entitled Configure On-Demand Tokencode Delivery.

You must have an Enterprise License for On-Demand Authentication or Risk Based Authentication (RBA).  Confirm this in the Security Console under Setup > License Status.

Enable ODA for the user 

1. Search for the user in the Security Console under Identity > Users > Manage Existing.
2. When the user in question is returned, click on the context arrow next to the user name and select SecurID Tokens.
3. Hardware and software tokens assigned to the user are listed at the top of the page. Scroll down to the section labeled On-Demand Authentication (ODA).
4. Check the option to enable the user for on-demand authentication.
   
   1. Optionally, you can set an expiration for this on-demand token.
   2. For Send On-Demand Tokencodes, ensure the correct attribute is set and update if needed.
   3. For the attribute, enter the email address or mobile number.
   4. For Associated PIN, choose to require the users to set the PIN through the Self-Service Console or set the initial PIN for the user.  
5. When done, click Save.

Using the On-Demand Token

1. The user opens a browser window, VPN client or Windows login page and accesses the company web portal or protected resource (also known as an authentication agent).
2. When prompted, the user enters their user ID and PIN
3. A one time tokencode is sent to the users mobile phone via SMS or email.
4. The user enters the tokencode into the browser/login page.
5. The user gains access to the protected resource

You do not need to enable ODA or ODT on an agent.  Check the RSA Ready implementation Guides for support on partner platforms with either SecurID or RADIUS protocol.