High-Level Authentication Flows for the SSO Agent

Document created by RSA Information Design and Development on Jul 13, 2016. Last modified by RSA Information Design and Development on Oct 20, 2017. Version 22.
  

The following sections illustrate how RSA SecurID Access authenticates a user for applications in a deployment with an SSO Agent. The process flow depends on the following factors:

  • Whether the application requires additional authentication after the user accesses the application portal.
  • Whether the user has recently authenticated to another application with similar authentication requirements.

In these examples, the user accesses the applications through the RSA SecurID Access Application Portal. Depending on your configuration, users can also access the applications through a custom portal or other methods (for example, a bookmark or using the application URL).

 

Authentication Flow without Additional Authentication Example

 

In this example, the company is using the RSA SecurID Access Application Portal. The administrator has assigned an access policy to App A that does not require additional authentication.

 
  1. The user enters sign-in credentials to access the RSA SecurID Access Application Portal. Or, if the administrator has configured Integrated Windows Authentication (IWA), the user navigates to the portal URL and is automatically signed in to the portal.
  2. The identity router checks the identity source to confirm the user's credentials and checks the access policies for all applications available to the user.
  3. The user is signed in to the portal.
  4. The user clicks the App A icon to open the app.
  5. The identity router enforces the access policy for the application, which does not require the user to complete additional authentication.
  6. The identity router sends the access request to App A.
  7. The identity router opens App A in a new browser tab.
  8. The user accesses App A.
 

Authentication Flow with Additional Authentication and Single Sign-On Example

 

In this example, the company is using the RSA SecurID Access Application Portal. The administrator has assigned an access policy that uses the Low assurance level to App B and App C. (An assurance level defines the authentication methods required to access applications during additional authentication.)

 
  1. The user enters sign-in credentials to access the RSA SecurID Access Application Portal. Or, if the administrator has configured IWA, the user navigates to the portal URL and is automatically signed in to the portal.
  2. The identity router checks with the identity source to confirm the user's credentials and checks the access policies for all applications available to the user.
  3. The user is signed in to the portal.
  4. The user clicks the App B icon to open the app.
  5. The identity router enforces the access policy for App B. App B requires additional authentication using the Low assurance level (Approve authentication method).
  6. Because additional authentication is required, the identity router sends the request to the Cloud Authentication Service.
  7. In a new browser tab, RSA SecurID Access provides instructions for the user to follow and sends a notification to the RSA SecurID Authenticate app.
  8. The user taps Approve in the Authenticator to complete authentication.
  9. The Authenticator sends the response to the Cloud Authentication Service.
  10. The Cloud Authentication Service sends the authentication status to the identity router.
  11. The identity router sends the access request to App B.
  12. The identity router opens App B.
  13. The user accesses App B.
  14. In the application portal, the user clicks the App C icon to open the app.
  15. The identity router enforces the access policy for App C. App C also uses the Low assurance level. Because the user's session is still active from authenticating to App B (which uses the same assurance level as App C), the user does not need to provide the additional authentication required by App C.
  16. The identity router sends the access request to App C.
  17. In a new browser tab, RSA SecurID Access opens App C.
  18. The user accesses App C.
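
Both flows above come down to one decision the identity router makes each time the user opens an app. The Python sketch below models that decision; it is an added example, not RSA code. The class names, result strings, the user "alice" and the 900-second session lifetime are assumptions (the page states only that the session must still be active and the assurance level must be the same).

```python
from dataclasses import dataclass, field

SESSION_TTL = 900  # assumed lifetime (s); the page only says the session is "still active"

@dataclass
class Session:
    user: str
    completed: dict = field(default_factory=dict)  # assurance level -> completion time

    def satisfies(self, level, now):
        done_at = self.completed.get(level)
        return done_at is not None and now - done_at < SESSION_TTL

class IdentityRouter:
    """Hypothetical model of the policy decision made when a user opens an app."""

    def __init__(self, policies, cloud_auth):
        self.policies = policies      # app -> required assurance level, or None
        self.cloud_auth = cloud_auth  # callable(user, level) -> bool (Approve result)

    def open_app(self, session, app, now):
        if app not in self.policies:
            return "deny: no access policy"            # fail closed on unknown apps
        level = self.policies[app]
        if level is None:
            return "allow: no additional authentication"
        if session.satisfies(level, now):
            return "allow: single sign-on"             # same level, session active
        if self.cloud_auth(session.user, level):       # step-up via the cloud service
            session.completed[level] = now
            return "allow: additional authentication completed"
        return "deny: additional authentication failed"

def demo():
    prompts = []                                       # every step-up request sent
    def approve(user, level):
        prompts.append((user, level))
        return True                                    # constructed: user taps Approve
    policies = {"App A": None, "App B": "Low", "App C": "Low"}
    router = IdentityRouter(policies, approve)
    session = Session("alice")                         # constructed user
    results = [router.open_app(session, "App A", 0),
               router.open_app(session, "App B", 10),
               router.open_app(session, "App C", 20),
               router.open_app(session, "App C", 10 + SESSION_TTL)]
    return results, prompts

if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The fourth call shows the case the walkthrough does not cover: once the assumed session lifetime has passed, App C triggers additional authentication again instead of reusing the earlier approval.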

 

 
