Identity Router

Document created by RSA Information Design and Development Employee on Jul 14, 2016. Last modified by RSA Information Design and Development Employee on Jun 16, 2020.
Version 48

An Identity Router is a virtual appliance that enforces authentication and access for users of protected resources. An identity router consists of the following services.




Enterprise Connector

  • Connects the Cloud Authentication Service to enterprise resources such as LDAP directory servers and RSA Authentication Manager.

  • Connects users to the Cloud Authentication Service to provide additional authentication credentials when required.


RADIUS

  • Hosts a RADIUS server that, when enabled, provides RSA SecurID Access authentication for VPN servers and other RADIUS-capable client devices.

SSO Agent

  • Hosts the application portal, which provides a convenient interface where users can view and access protected applications.

  • Authenticates users to the application portal and tracks sign-in sessions for protected applications.

  • Manages sign-in session duration for HTTP Federation (HFED) and trusted header applications, and the application portal.

  • Manages SSO for applications that support Security Assertion Markup Language (SAML), as well as non-SAML applications. Users who satisfy the authentication requirements to access one application are not required to re-enter the same authentication credentials to access a second application that uses the same or lower assurance level during the same SSO session.

  • Provides HFED to enable SSO for non-SAML applications.

  • Extends Integrated Windows Authentication and LDAP directory server user password SSO functionality to protected applications.

  • Supports SAML "just-in-time" user provisioning, allowing compatible applications to create new user accounts based on extended attributes contained in SAML assertions.

The RADIUS and SSO Agent services can be enabled or disabled. The Enterprise Connector service is always enabled.

You can deploy the identity router as a virtual appliance in your on-premises network using an Open Virtual Appliance (OVA) image for VMware or a Virtual Hard Disk (VHD) image for Microsoft Hyper-V, or you can install it as a virtual instance in your Amazon Web Services cloud-computing environment using an Amazon Machine Image (AMI). The image file includes all necessary identity router applications. Your RSA SecurID Access deployment may include multiple identity routers, which can operate in clusters to provide additional features and reliability. In an SSO Agent deployment, you can use a network load balancer to distribute workload among identity routers based on the available capacity. RSA recommends that you deploy identity routers in clusters of three. For deployment instructions, see Deploying an Identity Router.

For information on protecting the identity router environment, see the RSA SecurID Access Cloud Authentication Service Security Configuration Guide.



