Cloud Authentication Service Overview

Document created by RSA Information Design and Development Employee on Jul 13, 2016. Last modified by RSA Information Design and Development Employee on Jun 16, 2020.
Version 51

The Cloud Authentication Service is an access and authentication platform with a hybrid cloud architecture. The Cloud Authentication Service enables your company to control how users access resources with centralized access and authentication policies and can accelerate user productivity with single sign-on (SSO).

The Cloud Authentication Service helps protect SaaS and on-premises web applications, third-party SSO solutions, and on-premises resources that support RADIUS. The Cloud Authentication Service includes transparent and interactive authentication methods for multifactor identity assurance. These methods include biometric methods such as fingerprint verification, hardware devices such as RSA SecurID Token and FIDO authenticators, and context-based authentication using factors such as the user's location and network. Confidence in a user's identity can also be established through risk analytics, based on user characteristics such as past behavior, authenticators previously used for authentication, and other factors.

The following graphic illustrates how the Cloud Authentication Service works.



The Cloud Authentication Service provides the following key benefits:


  • Integration with RSA Authentication Manager 8.x to extend your RSA SecurID Access deployment by making additional authentication methods available to protect Authentication Manager resources.

  • Convenient multifactor authentication (MFA) that leverages capabilities built into devices through the RSA SecurID Authenticate app.

  • Centralized access control policies that consistently enforce different security requirements for applications based on assurance levels.

  • Support of relying parties, RADIUS-capable devices, SAML and non-SAML applications, and SaaS and on-premises web applications for MFA.

  • SSO with out-of-the-box connectivity to popular applications.

  • Single point of access to protected applications with the application portal.

  • LDAP directory server user passwords stay on-premises and are not synchronized to the Cloud Authentication Service.

  • RSA SecurID Authentication API, a REST-based programming interface that allows you to develop clients that process multifactor, multistep authentications through RSA Authentication Manager and the Cloud Authentication Service. The interface definition can be integrated with any programming language. For instructions, see the RSA SecurID Authentication API Developer's Guide.

  • RSA Cloud Administration REST APIs, web service interfaces you can use to create clients that perform administrative operations. These operations include importing audit log events into your security information and event management (SIEM) solution, retrieving event logs from the Cloud Administration Service, and performing certain Help Desk functions. For instructions, see Using the Cloud Administration APIs.

Cloud Authentication Service Components

A Cloud Authentication Service deployment consists of four main components: the Cloud Authentication Service (which is both the name of the managed server and the name for the set of components), the Identity Router, the Cloud Administration Console, and the RSA SecurID Authenticate app installed on user devices.


Cloud Authentication Service

The Cloud Authentication Service performs run-time authentication for the protected resources. The Cloud Authentication Service also allows RSA to modify and improve authentication capabilities.

The Cloud Authentication Service runs on Microsoft Azure, a cloud computing platform that is hosted through a global network of Microsoft data centers. RSA SecurID Access uses a multi-tenant database in an environment that shares infrastructure while segregating customer data to ensure privacy. Service levels and operational procedures are standardized for all customers due to the shared nature of the platform.

Identity Router

The identity router is a virtual appliance that enforces authentication and access for users of protected resources. The identity router can be hosted on-premises within your network or in the Amazon Web Services cloud. Regardless of where you deploy the identity router, the Cloud Authentication Service provides the same features, security, and authentication flows for RADIUS, relying party, and SSO Agent deployments. For more information, see Amazon Web Services Identity Router Deployment Models.

The identity router contains the access policies and connects to the LDAP directory server. Administrators create access policies to control which applications users can access and how users authenticate to those applications. For example, an administrator might create a policy that allows only your sales team to access an application with sensitive customer information. Access policies are based on session information, such as IP addresses (for example, within a corporate network or not). Access policies also determine when additional authentication is needed and which authentication methods are required.

The identity router connects to an identity source in real time and synchronizes only a limited subset of user data to the Cloud Authentication Service. A minimum amount of user data is required to register authenticators. LDAP directory server user passwords are never synchronized and remain secure on your directory server.

The identity router can also connect to RSA Authentication Manager to enable authentication with RSA SecurID tokens or RSA SecurID Authenticate Tokencodes from all access points controlled by Authentication Manager. The identity router includes a built-in RADIUS server that you can configure to protect network access with SecurID Access authentication.

You typically install the identity router in the DMZ of your on-premises network or in a subnet of your Amazon cloud environment. There it can accept connections from the public Internet and act as a secure proxy that enables remote access to applications that are not publicly accessible, such as Microsoft SharePoint or an on-premises web application.

To install the identity router, you use a virtual machine image, which includes all necessary identity router components. Your deployment may include multiple identity routers, which can operate in clusters to provide additional features and reliability.

Cloud Administration Console

The Cloud Authentication Service component contains a hosted, multi-tenant Cloud Administration Console that Super Admins use to perform setup and daily management tasks. Super Admins and Help Desk administrators both use the console to troubleshoot user issues. This is a partial list of tasks that can be performed using the console:

  • Configure your company domain and certificates, if necessary.
  • Add and manage identity routers.
  • Add identity sources so the identity router can verify user attributes to allow or deny access to resources.
  • Add resources, such as relying parties, RADIUS clients, and applications.
  • Configure assurance levels that can be used by protected resources.
  • Configure access policies to determine user access to protected resources.
  • Configure the RSA SecurID Access Application Portal.
  • Troubleshoot user issues with the Event Monitor.
  • Unlock tokencodes for users.
  • Manage user authenticators and known browsers.

The RSA SecurID Authenticate App

RSA SecurID Access My Page helps provide a secure way for users to complete registration with the RSA SecurID Authenticate app, using MFA and QR or numeric registration codes. My Page guides users through registration, including downloading the RSA SecurID Authenticate app from the Apple App Store, Google Play, or Microsoft Store. The administrator provides users with the My Page URL. After successful registration, users can complete authentication for applications that require it.




