000029135 - RSA SecurID Software Token Distribution to Android from RSA Authentication Manager 8.1

Document created by RSA Customer Support Employee on Aug 15, 2017Last modified by RSA Customer Support Employee on Aug 15, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000029135
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.1
IssueAn administrator wants to distribute a software token to an end user with a supported Android device.
TasksTasks required before distributing a software token:
  1. Setup users in Authentication Manager.
See documentation on how to Add a User to the Internal Database or on how to Add an Identity Source to include LDAP users in Authentication Manager.

  1. Import token records into RSA Authentication Manager.
NOTE: Token seed record XML files are password protected.  Refer to documentation on how to Import Token Records.

  1. Assign tokens to users.
Refer to documentation on how to Assign Tokens to a User.

  1. Create software token profiles.
Refer to documentation on how to Add a Software Token Profile.  Note that you must be a super admin in order to create software token profiles.
To make things easier for admins who are assigning tokens to users, create profile names based on profile settings.  For example, a profile for a fob-style Android token with a tokencode duration of 60 seconds with a tokencode of eight digits that is sent via CTF can have a token profile name of Android 1.x 60-8-Fobstyle-CTF.  
User-added image
Other examples are 

  • User-added image
  1. Install the RSA SecurID Software Token app.
The end user downloads and installs the RSA SecurID Software Token app onto their device.  Download the app from Google Play, from RSA Link or by scanning the QR code below with the device:

User-added image

  1. During the install the user is required to read and accept the license agreement to continue.
User-added image

  1. On the Welcome page, the Device ID is displayed.  This value will be required during the software token distribution process:
User-added image

Distribute the software token assigned to a user.

In this example; the software token profile used is for an Android device, the tokencode duration is 60 seconds, the tokencode length is 8 digits, the authentication type is where the PIN is integrated with the tokencode (PINPad-style) and the delivery is Compressed Token Format (CTF).
  1. Logon to the Security Console and navigate to Identity > Users > Manage Existing.
  2. Search for the user by changing the search criteria.  
  3. When the user is found, click on the User ID and select SecurID Tokens.
  4. Click on the token serial number and click Distribute from the pop up menu.
User-added image

  1. Select the appropriate software token profile from the list.
User-added image

  1. Enter the appropriate device ID captured in step 6 above.  
User-added image

Note that entering the Device ID into the DeviceSerialNumber will bind this specifc software token to this specific device. Should someone else get hold of the Compressed Token Format URL and use it on another device, the following error is seen during the import process:

Invalid device binding. Token import failed. Contact your administrator.

  1. Select a password protection option, entering a password if needed.  
  2. Click Save and Distribute.
  3. The software token is issued.  In this case, as a CTF string.
User-added image

  1. Use a mail client, such as Microsoft Outlook and send an email to the end user with the CTF URL.  For example, 

From: IT, Department
Sent: <date and time>
To: <end user>
Subject: Distribution of RSA SecurID Software Token

Dear <end user>

The embedded compressed token format URL in this email requires the RSA SecurID Software Token app to be installed.

Having installed the RSA SecurID Software Token app, click the compressed token format URL to import it:

The default PIN for first time usage is ‘0000’ so please visit the Self Service Console at URL https://am81p.company.com:7004/selfservice-console to logon using the software token and set up your PIN.

Please contact the IT department should you have any technical issues.

Kind Regards,
IT Department

  1. Note that some end users will be prompted to complete the import using a browser or the RSA SecurID app.  Have them select RSA SecurID and tap Always.
User-added image

  1. Once the token has been imported the end user has a default PIN of 0000 and needs to perform an authentication to set up a unique PIN.  This can be done through third-party products like the Cisco Any Connect client but we recommend using the RSA Self-Service console.
During the token import process, the end user may be prompted to enter a password (if the software token profile created above requires it).  

User-added image

When the token imports successfully:

User-added image

The end user is now prompted to enter a PIN:

User-added image

Clicking the menu button provides the token list, information about the token and online help.

User-added image
NotesClick the link for more information on the RSA SecurID Software Token 2.0 for Android.