After you finish setting up your Cloud Authentication Service deployment, roll out authentication options to your users. The rollout involves communicating information about the user experience, for example, the application portal for an SSO Agent deployment, the RSA SecurID Authenticate app and optionally RSA SecurID Access My Page, emergency access, and system requirements.
For a sample e-mail that you might use to communicate this information, see Sample Rollout Email for RSA SecurID Access Users .
Provide both the portal application URL and sign-in credentials (if applicable) to users.
|Sign-in credentials|| |
Instruct users to sign in with their user ID (username or e-mail address, depending on your configuration) and password. If you have configured Integrated Windows Authentication (IWA), the Cloud Authentication Service automatically authenticates eligible users to the application portal without prompting them for their username and password.
RSA SecurID Authenticate App
If you are using authentication methods available in the RSA SecurID Authenticate app, instruct users to complete RSA SecurID Authenticate device registration. If you are using RSA SecurID Access My Page, RSA recommends using one device (for example, a computer) to access My Page and another device (iOS, Android, or Windows 10) to install the app.
Note: If your company uses SSL interception, iOS or Android users must complete device registration using cellular data or a Wi-Fi network not associated with your company. If users use corporate Wi-Fi, they will see an Untrusted Connection error message during device registration that instructs them to use cellular data or a different Wi-Fi network to continue.
Provide the following information to users to enter during device registration:
|My Page URL||(Optional) Your company's My Page URL is displayed in the Cloud Administration Console in Platform > My Page.|
|User email address||User's email address in the identity source.|
The Authenticate app uses notifications to simplify the authentication process. An app user can disable notifications but must perform an extra step to authenticate using certain authentication methods (such as Approve or Device Biometrics). After the user sees the Sending Sign-in Request screen in the browser or is sent a notification as part of a RADIUS flow, the user must open the app or pull down on the top of the app to manually retrieve the notification to continue the authentication process.
Instruct users what to do if they cannot use their preferred authentication methods. This situation may occur for a variety of reasons, for example, if the user lost an RSA SecurID token or FIDO token, or the user cannot locate the mobile phone where the RSA SecurID Authenticate app is registered, or the mobile phone cannot be charged. In such cases, several methods are available for emergency access, including SMS Tokencode. See Emergency Access for Cloud Authentication Service Users for more information.