Identity Router

Document created by RSA Information Design and Development Employee on Jul 14, 2016
Last modified by RSA Information Design and Development Employee on Oct 20, 2020
Version 53
 

An Identity Router is software that enforces authentication and access for users of protected resources. See the following sections:

Deployment Components

The following deployment components communicate with the identity router.

                       
| Component | Purpose |
| --- | --- |
| Cloud Authentication Service | The Cloud Authentication Service enforces access policies, which determine which applications users can access, when additional authentication is needed, and which authentication methods are required. For example, a policy might allow only your sales team to access an application with sensitive customer information. Access policies are based on session information, such as IP addresses (for example, within a corporate network or not). |
| Identity sources | Identity routers connect to identity sources in real-time and synchronize a limited subset of user data to the Cloud Authentication Service. A minimum amount of user data is required to register authenticators. LDAP directory server user passwords are never synchronized and remain secure on your directory server. |
| RSA Authentication Manager | Authentication Manager enables users to authenticate with RSA SecurID tokens or the RSA SecurID Authenticate app from all access points controlled by Authentication Manager. |

Identity Router Platforms

To install the identity router, you use a virtual machine image, which includes all necessary identity router services. Your deployment may include multiple identity routers, which can operate in clusters to provide additional features and reliability. You can install the identity router on the following platforms:

                                 
| Platform | Description | More Information |
| --- | --- | --- |
| VMware | The identity router is typically installed as a virtual appliance in a DMZ for your on-premises network using an Open Virtual Appliance (OVA) image for VMware. | Install the Identity Router Virtual Appliance for VMware |
| Hyper-V | The identity router is typically installed as a virtual appliance in a DMZ for your on-premises network using a Virtual Hard Disk (VHD) image for Microsoft Hyper-V. | Create the Identity Router Hyper-V Virtual Machine |
| Amazon Web Services cloud | The identity router is installed as a virtual instance in a subnet in your Amazon Web Services cloud-computing environment using an Amazon Machine Image (AMI). There it can accept connections from the public Internet and act as a secure proxy for enabling remote access to applications that are not publicly accessible, such as Microsoft SharePoint or an on-premises web application. | Launch the Identity Router for Amazon Web Services |
| RSA Authentication Manager 8.5 or later | The identity router is embedded in RSA Authentication Manager 8.5 or later and can be optionally enabled by an administrator. This platform requires minimal configuration and can be used in place of or in addition to other identity routers. The embedded identity router does not support RADIUS or SSO. | Configure an Embedded Identity Router |

The image file includes all services supported for the platform. Your deployment may include multiple identity routers, which operate in clusters to provide additional features and reliability.

In an SSO Agent deployment, you can achieve high availability using a network load balancer to distribute workload among identity routers based on the available capacity. For more information, see Configure High Availability for Cloud Administration Console Deployments.

Identity Router Services

An identity router contains the following services.

Note:  RADIUS and SSO Agent services are supported for all platforms except for the embedded identity router in Authentication Manager.

                       

Service

Description

Enterprise Connector

  • Connects the Cloud Authentication Service to enterprise resources such as LDAP directory servers and RSA Authentication Manager.

  • Connects users to the Cloud Authentication Service to provide additional authentication credentials when required.

RADIUS

Hosts a RADIUS server that, when enabled, provides RSA SecurID Access authentication for VPN servers and other RADIUS-capable client devices.

SSO Agent

  • Hosts the application portal, which provides a convenient interface where users can view and access protected applications.

  • Authenticates users to the application portal and tracks sign-in sessions for protected applications.

  • Manages sign-in session duration for HTTP Federation (HFED) and trusted header applications, and the application portal.

  • Manages SSO for applications that support Security Assertion Markup Language (SAML), as well as non-SAML applications. Users who satisfy the authentication requirements to access one application are not required to re-enter the same authentication credentials to access a second application that uses the same or lower assurance level during the same SSO session.

  • Provides HFED to enable SSO for non-SAML applications.

  • Extends Integrated Windows Authentication and LDAP directory server user password SSO functionality to protected applications.

  • Supports SAML "just-in-time" user provisioning, allowing compatible applications to create new user accounts based on extended attributes contained in SAML assertions.

The RADIUS and SSO Agent services can be enabled or disabled. The Enterprise Connector service is always enabled.

For information on protecting the identity router environment, see the RSA SecurID Access Cloud Authentication Service Security Configuration Guide.

 

 

 
