Configure RSA Authentication Manager to Handle Authenticate Tokencodes

Document created by RSA Information Design and Development on Jun 13, 2017Last modified by RSA Information Design and Development on Feb 12, 2018
Version 3Show Document
  • View in full screen mode

A Super Admin for RSA Authentication Manager performs this task to connect Authentication Manager to the identity routers for tokencode verification. After a user successfully authenticates, the user's record is updated to include the RSA SecurID Authenticate app. The Authenticate app counts against the default limit of three active tokens per user. Perform this task if you have RSA Authentication Manager 8.2 SP1 or later and users are stored in identity sources for both Authentication Manager and the Cloud Authentication Service.

If your users are in an identity source for the Cloud Authentication Service but not for Authentication Manager (or in the internal database), or if you have Authentication Manager 8.2 without SP1, and you want these users to access resources protected by authentication agents, you must add a trusted realm as described in Add an RSA SecurID Access Deployment to RSA Authentication Manager as a Trusted Realm.

Before you begin 

  • Authentication Manager Operations Console Administrator credentials are required.
  • Contact a Cloud Authentication Service administrator in the deployment that Authentication Manager will trust. The Cloud Authentication Service Super Admin must have permission to use the Super Admin account that was created to manage identity router API access. Do the following:
    1. Provide the Authentication Manager IP address and netmask.
    2. Ask the Cloud Authentication Service Super Admin to enable access to the identity router API. The Cloud Authentication Service Super Admin must enter the Authentication Manager IP address and netmask. The procedure generates the Access ID and the Access Key credentials that Authentication Manager requires.
    3. Ask the Cloud Authentication Service Super Admin for the following information:
      • Access ID
      • Access Key
      • The IPv4 addresses for one or more identity router management interfaces.
      • Decide what hostname to use for the identity routers.

        You can use the same hostname that is used for the identity router management interfaces, or you can define a logical hostnamethat only Authentication Manager uses.

        For example, you can map multiple identity router IP addresses to the logical hostname Authentication Manager uses round robin load balancing to send authentication requests to each consecutive IP address in the list. Failover is provided, because Authentication Manager can use the next IP address if an identity router does not respond.

    4. Ask the Super Admin for the Cloud Authentication Service for the RSA SecurID Access root certificate. The Super Admin either has a local copy of the certificate, or can open the Identity Router Setup Console and export it from the browser. Store the certificate in a location that is accessible to the Operations Console on the primary instance.


  1. Add the identity router management IP addresses and hostname to the hosts file on each RSA Authentication Manager appliance in your Authentication Manager deployment.

    Note:  Do not edit the hosts file outside of the Operations Console, or the file may become unreadable.

    1. In the Operations Console, click Administration > Network > Hosts File.
    2. Enter the IPv4 addresses and the hostname of the identity routers. Click Add New, and enter:

      • The IPv4 address for an identity router. For example,
      • The hostname for the identity routers. Every hostname and FQDN has a limit of 255 characters, and this field has a limit of 1024 characters. Example hostname:

        To associate different IP addresses with the same hostname, you must add a row for each IP address. For example, you can create multiple rows with different identity router IP addresses for the same RSA SecurID Access hostname.

      • Comments, if any.

        Note:  You cannot repeat an IP address or hostname that is in the Read-only Content section of the hosts file.

    3. Click Save.
  2. In the Operations Console on the primary instance, click Deployment Configuration > RSA SecurID Authenticate App.
  3. Select the Authenticate App checkbox to configure the connection to the identity routers that can verify Authenticate Tokencodes.
  4. In the Access URL field, enter the URL that Authentication Manager uses to communicate with the identity routers. The URL consists of an IP address or a hostname, which is defined by an Authentication Manager administrator or a Cloud Authentication Service Super Admin, an API port that is provided by a Cloud Super Admin, and the prefix /api/v1. For example,
  5. In the Access ID and Access Key fields, enter the information that the Cloud Authentication Service administrator provided for the identity router API.
  6. In the Identity Router Root Certificate field, click Browse and select the certificate that Authentication Manager requires to trust the Cloud Authentication Service deployment. Certificates in DER or PEM format are supported.
  7. Click Test Connection. If the connection test fails, you can edit the fields, select a new certificate, clear the Authenticate App checkbox to make the Identity Router Connection Settings fields unavailable, or click Cancel to exit the page without saving any changes.
  8. Click Save. The connection details are saved, and the root certificate is trusted.

After you finish 

  • Some Authentication Manager users who need the Authenticate app to access agent-protected resources may not be assigned an active RSA SecurID hardware or software token. For example, this group includes users who rely soley upon on-demand authentication or risk-based authentication. An Authentication Manager Super Admin must enable these users to use the app. For instructions, see "Enable the RSA SecurID Authenticate App for Specific Users" on RSA Link at
  • If you experience any issues, see "RSA SecurID Authenticate Tokencode Integration Issues and Solutions" on RSA Link at
  • To see RSA SecurID Authenticate configuration changes on a replica instance before replication occurs, log on to the Operations Console on the replica instance and flush the cache. For instructions, see Flush the Cache.
  • The Super Admin for the Cloud Authentication Service must roll out the RSA SecurID Authenticate app to users so they can register their devices. For instructions, see "RSA SecurID Access Rollout to Users" on RSA Link at