Cloud Authentication Service Overview

Document created by RSA Information Design and Development Employee on Jul 13, 2016Last modified by RSA Information Design and Development Employee on Oct 20, 2020
Version 56Show Document
  • View in full screen mode

The Cloud Authentication Service is an access and authentication platform with a hybrid cloud architecture. The Cloud Authentication Service enables your company to control how users access resources with centralized access and authentication policies and can accelerate user productivity with single sign-on (SSO).

The Cloud Authentication Service helps protect SaaS and on-premises web applications, third-party SSO solutions, and on-premises resources that support RADIUS. The Cloud Authentication Service includes transparent and interactive authentication methods for multifactor identity assurance. These methods include biometric methods such as fingerprint verification, hardware devices such as RSA SecurID Token and FIDO authenticators, and context-based authentication using factors such as the user's location and network. Confidence in a user's identity can also be established through risk analytics, based on user characteristics such as past behavior, authenticators previously used for authentication, and other factors.

The following graphic illustrates how the Cloud Authentication Service works.



Note:  The identity router can be deployed on-premises, in the Amazon Web Services cloud, or on your RSA Authentication Manager server.


The Cloud Authentication Service provides the following key benefits:


  • Integration with RSA Authentication Manager 8.x to extend your RSA SecurID Access deployment by making additional authentication methods available to protect Authentication Manager resources.

  • Convenient multifactor authentication (MFA) that leverages capabilities built into devices through the RSA SecurID Authenticate app.

  • Centralized access control policies that consistently enforce different security requirements for applications based on assurance levels.

  • Support of relying parties, RADIUS-capable devices, SAML and non-SAML applications, and SaaS and on-premises web applications for MFA.

  • SSO with out-of-the-box connectivity to popular applications.

  • Single point of access to protected applications with the application portal.

  • LDAP directory server user passwords stay on-premises and are not synchronized to the Cloud Authentication Service.

  • RSA SecurID Authentication API, a REST-based programming interface that allows you to develop clients that process multifactor, multistep authentications through RSA Authentication Manager and the Cloud Authentication Service. The interface definition can be integrated with any programming language. For instructions, see the RSA SecurID Authentication API Developer's Guide.

  • RSA Cloud Administration REST APIs, web service interfaces you can use to create clients that perform administrative operations. These operations include importing audit log events into your security information and event management (SIEM) solution, retrieving event logs from the Cloud Administration Service, and performing certain Help Desk functions. For instructions, see Using the Cloud Administration APIs.

Cloud Authentication Service Components

A Cloud Authentication Service deployment consists of four main components: the Cloud Authentication Service (which is both the name of the managed server and the name for the set of components), the Identity Router, the Cloud Administration Console, and the RSA SecurID Authenticate app installed on user devices.


Note:  The identity router can be deployed on-premises, in the Amazon Web Services cloud, or on your RSA Authentication Manager server.


Cloud Authentication Service

The Cloud Authentication Service performs run-time authentication for the protected resources. The Cloud Authentication Service also allows RSA to modify and improve authentication capabilities.

The Cloud Authentication Service runs on Microsoft Azure, a cloud computing platform that is hosted through a global network of Microsoft data centers. RSA SecurID Access uses a multi-tenant database in an environment that shares infrastructure while segregating customer data to ensure privacy. Service levels and operational procedures are standardized for all customers due to the shared nature of the platform.

Identity Router

The identity router is a virtual appliance that communicates with the following components.

Cloud Authentication Service

The Cloud Authentication Service enforces access policies, which determine which applications users can access, when additional authentication is needed, and which authentication methods are required. For example, a policy might allow only your sales team to access an application with sensitive customer information. Access policies are based on session information, such as IP addresses (for example, within a corporate network or not).

Identity sources
RSA Authentication Manager

The identity router can be installed on the following platforms:

  • On VMware or Hyper-V virtual appliances on-premises within your network.

  • Amazon Web Services cloud (in a subnet)

  • RSA Authentication Manager 8.5 or later

All platforms support RADIUS and single sign-on (SSO) in the Cloud Authentication Service, except for RSA Authentication Manager 8.5 and later. For details about supported platforms and services, see Identity Router.

Cloud Administration Console

The Cloud Authentication Service component contains a hosted, multi-tenant Cloud Administration Console that Super Admins use to perform setup and daily management tasks. Super Admins and Help Desk administrators both use the console to troubleshoot user issues. This is a partial list of tasks that can be performed using the console:

  • Configure your company domain and certificates, if necessary.
  • Add and manage identity routers.
  • Add identity sources so the identity router can verify user attributes to allow or deny access to resources.
  • Add resources, such as relying parties, RADIUS clients, and applications.
  • Configure assurance levels that can be used by protected resources.
  • Configure access policies to determine user access to protected resources.
  • Configure the RSA SecurID Access Application Portal.
  • Troubleshoot user issues with the Event Monitor.
  • Unlock tokencodes for users.
  • Manage user authenticators and known browsers.

The RSA SecurID Authenticate App

RSA SecurID Access My Page helps provide a secure way for users to complete registration with the RSA SecurID Authenticate app, using MFA and QR or numeric registration codes. My Page guides users through registration, including downloading the RSA SecurID Authenticate app from the Apple App Store, Google Play, or Microsoft Store. The administrator provides users with the My Page URL. After successful registration, users can complete authentication for applications that require it.





You are here
Table of Contents > RSA SecurID Access Product Overview > Cloud Authentication Service Overview