Enable Cloud Authentication Service Users to Access Resources Protected by RSA SecurID

Document created by RSA Information Design and Development on Oct 31, 2017. Last modified by RSA Information Design and Development on Jul 20, 2018. Version 11.

Perform this configuration so that users who have registered the RSA SecurID Authenticate app can access agents protected by Authentication Manager. This process allows you to keep all of your RSA Authentication Agents in place while leveraging the Cloud Authentication Service to validate tokencodes generated by the Authenticate app. Users of the RSA SecurID Authenticate app can access traditional on-premises resources, like VPNs and wireless access points, that are protected by Authentication Manager.

Users with both RSA SecurID tokens and Authenticate Tokencodes can access all protected resources with the same username or e-mail address.

Authentication Process Overview

The following illustration shows the process flow for an RSA SecurID Authenticate app user accessing a resource protected by an RSA Authentication Agent. The Cloud Authentication Service validates the Authenticate Tokencode and returns information to Authentication Manager before the user is granted access.

 

Required Components

                   
ComponentDetails
Cloud Authentication Service

Use the Cloud Administration Console to download the identity router software.

You must deploy at least one identity router and configure the required components for a minimal deployment. See "Cloud Authentication Service Planning and Configuration" on RSA Link at https://community.rsa.com/docs/DOC-75821.

RSA Authentication Manager

RSA Authentication Manager 8.2 Service Pack 1 or later with at least one primary instance.

Version 8.2 is also supported.

Authentication Manager Version Support

RSA Authentication Manager 8.2 SP1 or later supports the following:

  • Users can use the Authenticate app to access agents and use the same identity source sign-in credentials for Authentication Manager and the Cloud Authentication Service.
  • Users can use single sign-on (SSO) to access web applications protected by the Cloud Authentication Service.

RSA Authentication Manager 8.2 supports the following:

  • Authentication Manager 8.2 users who are in an RSA SecurID Access trusted realm can authenticate to the Cloud Authentication Service. Offline authentication is not supported because offline authentication data cannot be generated.
  • Users who are using both SecurID and Authenticate Tokencode must be configured with different database attributes for each form of authentication. For example, you can use the SAMAccountName attribute for SecurID authentication and an e-mail attribute for the Authenticate Tokencode. In this case, users can use both SecurID and Authenticate Tokencode if they remember to use the correct username or e-mail address required to access each protected resource.

Required Tasks

The configuration consists of the following tasks.

                   
Person ResponsibleTask
Super Admin for the Cloud Authentication Service

1. If the SSO Agent is disabled, you must upload your own certificate using My Account > Company Settings. For instructions, see https://community.rsa.com/docs/DOC-54076.

2. Enable Access to the Identity Router API

3. Provide Configuration Information to the RSA Authentication Manager Administrator

Super Admin for RSA Authentication Manager with Operations Console credentials

1. Make sure you have credentials to access the Operations Console.

2. Perform this task if you have RSA Authentication Manager 8.2 SP1 and users are stored in identity sources for both Authentication Manager and the Cloud Authentication Service:

Configure RSA Authentication Manager to Accept Authenticate Tokencodes.

Perform this task if you have RSA Authentication Manager 8.2 SP1 and users are stored in identity sources for the Cloud Authentication Service but not for Authentication Manager, or if you have RSA Authentication Manager 8.2:

Add an RSA SecurID Access Deployment to RSA Authentication Manager as a Trusted Realm

You need the rsaadmin password and either RSA Authentication Manager Super Admin or Trust Administrator privileges.

Note:  To use the RSA SecurID Authenticate app, users must be in an identity source connected to the Cloud Authentication Service.

Enable Access to the Identity Router API

The identity router API is a REST-based web services interface that allows RSA Authentication Manager to access runtime information, such as user profiles, from the identity router. A Super Admin for the Cloud Authentication Service must enable access to support RSA SecurID Authenticate Tokencode integration between RSA Authentication Manager and the Cloud Authentication Service. You need to generate an Access ID and Access Key, which are credentials associated with a Super Admin account that was created for this purpose. RSA Authentication Manager uses these credentials to access the identity router.

Procedure 

  1. Obtain the IP address (or address range) and network mask for the part of your network that requires access to the identity router API. For example, the part of your network where RSA Authentication Manager is deployed.
  2. Add a Super Admin account using credentials that do not belong to a specific individual. This account is used exclusively to manage identity router API access. For example, you can create a new email address specifically for this account, or use an address that is jointly monitored by all Super Admins in your deployment. Super Admins can modify the identity router API access configuration by editing this account.
  3. In the Cloud Administration Console, click My Account > Administrators.
  4. Click Edit next to the Super Admin account that you want to grant API access.
  5. In the Enable Identity Router API field, select the checkbox to enable access to the identity router API.
    After you select the checkbox, RSA SecurID Access generates values in the Access ID and Access Key fields. Copy these values to a secure location. You will need to provide them to the RSA Authentication Manager administrator who is integrating the Cloud Authentication Service.

    Note:  The Access ID and Access Key are sensitive data. Store these values securely, and share them only with other Super Admins.

  6. In the IP Address and Netmask fields, enter values to specify the part of your network from which the API will be accessible. To support API requests from sources without static IP addresses, you can specify an IP address range. These fields do not support CIDR notation.
  7. If you want to add another network, click Add, then repeat step 4.
  8. Click Save.
  9. Click Publish Changes.

Provide Configuration Information to the RSA Authentication Manager Administrator

The Super Admin for the Cloud Authentication Service performs this task to allow users with RSA SecurID tokens and RSA SecurID Authenticate Tokencodes to access resources protected by the same RSA Authentication Agent.

Collect the following information and provide it to the Super Admin or Trust Administrator for Authentication Manager:

  • The identity router API Access ID and Access Key generated when you enabled API access
  • The management interface IPv4 address for each identity router to which Authentication Manager will connect
  • The identity router API port: 443
  • The URL prefix for the identity router API service: https://<management interface IP address>:443/api/v1
  • The RSA SecurID Access root certificate. This certificate was configured on the My Account > Company Settings page in the Cloud Administration Console. Check to see if you have a local copy of the certificate, or open the Identity Router Setup Console and export it from the browser.

The Authentication Manager Super Admin or Trust Administrator performs the remaining tasks to complete the integration.

Configure RSA Authentication Manager to Accept Authenticate Tokencodes

A Super Admin for RSA Authentication Manager performs this task to connect Authentication Manager to the identity routers for tokencode verification. After a user successfully authenticates, the user's record is updated to include the RSA SecurID Authenticate app. The Authenticate app counts against the default limit of three active tokens per user. Perform this task if you have RSA Authentication Manager 8.2 SP1 or later and users are stored in identity sources for both Authentication Manager and the Cloud Authentication Service.

If your users are in an identity source for the Cloud Authentication Service but not for Authentication Manager (or in the internal database), or if you have Authentication Manager 8.2 without SP1, and you want these users to access resources protected by authentication agents, you must add a trusted realm as described in Add an RSA SecurID Access Deployment to RSA Authentication Manager as a Trusted Realm.

Before you begin 

Obtain the required identity router information, including the identity router root certificate, from the Cloud Authentication Service Super Admin. The Super Admin either has a local copy of the certificate, or can open the Identity Router Setup Console and export it from the browser. Store the certificate in a location that is accessible to the Operations Console on the primary instance.

You can use the same hostname that is used for the identity router management interfaces, or you can define a logical hostname that only Authentication Manager uses.

For example, you can map multiple identity router IP addresses to the logical hostname identityrouter.rsa-securid.com. Authentication Manager uses round robin load balancing to send authentication requests to each consecutive IP address in the list. Failover is provided, because Authentication Manager can use the next IP address if an identity router does not respond.

Procedure 

  1. Add the identity router management IP addresses and hostname to the hosts file on each RSA Authentication Manager appliance in your Authentication Manager deployment.

    Note:  Do not edit the hosts file outside of the Operations Console, or the file may become unreadable.

    1. In the Operations Console, click Administration > Network > Hosts File.
    2. Enter the IPv4 addresses and the hostname of the identity routers. Click Add New, and enter:

      • The IPv4 address for an identity router. For example, 192.168.255.255.
      • The hostname for the identity routers. Every hostname and FQDN has a limit of 255 characters, and this field has a limit of 1024 characters. Example hostname: identityrouter.rsa-securid.com.

        To associate different IP addresses with the same hostname, you must add a row for each IP address. For example, you can create multiple rows with different identity router IP addresses for the same RSA SecurID Access hostname.

      • Comments, if any.

        Note:  You cannot repeat an IP address or hostname that is in the Read-only Content section of the hosts file.

    3. Click Save.
  2. In the Operations Console on the primary instance, click Deployment Configuration > RSA SecurID Authenticate App.
  3. Select the Authenticate App checkbox to configure the connection to the identity routers that can verify Authenticate Tokencodes.
  4. In the Access URL field, enter the URL that Authentication Manager uses to communicate with the identity routers. The URL consists of an IP address or a hostname, which is defined by an Authentication Manager administrator or a Cloud Authentication Service Super Admin, an API port that is provided by a Cloud Super Admin, and the prefix /api/v1. For example, https://identityrouter.rsa-access.com/api/v1.
  5. In the Access ID and Access Key fields, enter the information that the Cloud Authentication Service administrator provided for the identity router API.
  6. In the Identity Router Root Certificate field, click Browse and select the certificate that Authentication Manager requires to trust the Cloud Authentication Service deployment. Certificates in DER or PEM format are supported.
  7. Click Test Connection. If the connection test fails, you can edit the fields, select a new certificate, clear the Authenticate App checkbox to make the Identity Router Connection Settings fields unavailable, or click Cancel to exit the page without saving any changes.
  8. Click Save. The connection details are saved, and the root certificate is trusted.

After you finish 

  • Some Authentication Manager users who need the Authenticate app to access agent-protected resources may not be assigned an active RSA SecurID hardware or software token. For example, this group includes users who rely solely upon on-demand authentication or risk-based authentication. An Authentication Manager Super Admin must enable these users to use the app. For instructions, see "Enable the RSA SecurID Authenticate App for Specific Users" on RSA Link at https://community.rsa.com/docs/DOC-76736.
  • If you experience any issues, see "RSA SecurID Authenticate Tokencode Integration Issues and Solutions" on RSA Link at https://community.rsa.com/docs/DOC-76955.
  • The Super Admin for the Cloud Authentication Service must roll out the RSA SecurID Authenticate app to users so they can register their devices. For instructions, see "RSA SecurID Access Rollout to Users" on RSA Link at https://community.rsa.com/docs/DOC-54129.

Add an RSA SecurID Access Deployment to RSA Authentication Manager as a Trusted Realm

You must add an RSA SecurID Access deployment to RSA Authentication Manager as a trusted realm in either of the following cases:

  • You have RSA Authentication Manager 8.2 SP1 or later and you want users who are in an identity source configured for the Cloud Authentication Service but not in one configured for RSA Authentication Manager (or in the internal database) to use the RSA SecurID Authenticate app to access resources protected by RSA Authentication Agents.
  • You want Authentication Manager 8.2 users to use the RSA SecurID Authenticate app to access resources protected by RSA Authentication Agents.

An RSA Authentication Manager deployment can support only one RSA SecurID Access deployment as a trusted realm. However, you can use the Operations Console to add IP addresses for multiple identity routers in this trusted realm. Doing this allows Authentication Manager to use round robin load balancing, high availability, and failover for authentication requests. The trusted realm relationship exists if at least one identity router is available.

Before you begin 

Obtain the required identity router information from the Cloud Authentication Service Super Admin. You can use the same hostname that is used for the identity router management interfaces, or you can define a logical hostname that only Authentication Manager uses.

For example, you can map multiple identity router IP addresses to the logical hostname identityrouter.rsa-securid.com. Authentication Manager uses round robin load balancing to send authentication requests to each consecutive IP address in the list. Failover is provided, because Authentication Manager can use the next IP address if an identity router does not respond.

Note:  If you map multiple identity router IP addresses, you must maintain the hosts file when identity routers are added to or removed from the deployment.
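The round-robin and failover behaviour described above (and in the Before you begin section of the Authenticate App task) as an added Python illustration, not RSA's code: it parses constructed hosts-file rows like those entered in the Operations Console and rotates requests across the identity router addresses that share the logical hostname, moving to the next address when one does not respond. The sample rows, the addresses and the deliver callback are constructed assumptions; the page does not show how Authentication Manager implements this internally.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed sample of hosts-file rows as entered in the Operations Console
# (Administration > Network > Hosts File): three identity routers share one
# logical hostname, plus an unrelated row. All addresses are made up.
SAMPLE_HOSTS = """\
192.168.255.10  identityrouter.rsa-securid.com   # identity router 1
192.168.255.11  identityrouter.rsa-securid.com   # identity router 2
192.168.255.12  identityrouter.rsa-securid.com   # identity router 3
10.20.30.40     other.example.internal
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname to its IPv4 addresses, in the order the rows appear.
    One row per address maps several addresses to the same name; hostnames
    over 255 characters and malformed addresses are rejected."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank rows
        if not line:
            continue
        address, *names = line.split()
        ipaddress.IPv4Address(address)  # raises ValueError if malformed
        for name in names:
            if len(name) > 255:
                raise ValueError(f"hostname exceeds 255 characters: {name[:40]}...")
            mapping.setdefault(name.lower(), []).append(address)
    return mapping


class IdentityRouterPool:
    """Round-robin over identity router addresses with failover to the next."""

    def __init__(self, addresses: List[str]) -> None:
        if not addresses:
            raise ValueError("no identity router addresses configured")
        self._addresses = list(addresses)
        self._cursor = 0  # index of the router that receives the next request

    def send(self, request: str, deliver: Callable[[str, str], str]) -> Tuple[str, str]:
        """Deliver one request, trying the next address on ConnectionError.
        Returns (address that answered, response); raises only if all failed."""
        count = len(self._addresses)
        for attempt in range(count):
            address = self._addresses[(self._cursor + attempt) % count]
            try:
                response = deliver(address, request)
            except ConnectionError:
                continue  # failover: move on to the next identity router
            # Rotate so the following request goes to the router after this one.
            self._cursor = (self._cursor + attempt + 1) % count
            return address, response
        raise ConnectionError("no identity router responded")


def route_requests(hosts_text: str, hostname: str, requests: List[str],
                   deliver: Callable[[str, str], str]) -> List[str]:
    """Return the address that served each request, in order."""
    pool = IdentityRouterPool(parse_hosts(hosts_text)[hostname.lower()])
    return [pool.send(req, deliver)[0] for req in requests]
```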

Procedure

  1. Add the identity router IP addresses and hostname to the hosts file on each RSA Authentication Manager appliance in your Authentication Manager deployment.

    Note:  Do not edit the hosts file outside of the Authentication Manager Operations Console, or the file may become unreadable.

    1. In the Operations Console, click Administration > Network > Hosts File.
    2. Click Add New, and enter:

      • Identity router IPv4 address. For example, 192.168.255.255.
      • Identity router hostnames. Each hostname or FQDN is limited to 255 characters, and this field as a whole is limited to 1024 characters. For example, identityrouter.rsa-securid.com.

        To associate different IP addresses with the same hostname, you must add a row for each IP address. For example, you can create multiple rows with different identity router IP addresses for the same hostname.

      • Comments, if any. Double quotation marks, hash characters, and any non-printing characters are not supported, and are removed when the hosts file is saved.

        Note:  Do not repeat an IP address or hostname that is in the Read-only Content section of the hosts file.

    3. Click Save.

    Note:  (Optional) After you log on to the appliance operating system, you can manually save a copy of the hosts file for each appliance. The hosts file is not included in an Authentication Manager backup file.

  2. To log on to the appliance operating system using Secure Shell (SSH), you must enable SSH:
    1. In the Operations Console, click Administration > Operating System Access.
    2. Select each NIC on which you want to enable SSH.
    3. Click Save.
  3. Log on to the appliance with the User ID rsaadmin and the operating system password that you defined during Quick Setup:
    • On a hardware appliance, log on to the appliance using an SSH client.
    • On a virtual appliance, log on to the appliance using an SSH client, the VMware vSphere client, the Hyper-V System Center Virtual Machine Manager Console, or the Hyper-V Manager.
  4. Change directories to /opt/rsa/am/utils. Type:

    cd /opt/rsa/am/utils/

    and press ENTER.

  5. Type:

    ./rsautil manage-securid-access-trusts -a create

    and press ENTER. You are prompted for the required options.

  6. When prompted, do the following:
    1. Enter the Authentication Manager Super Admin or Trust Administrator username, and press ENTER.
    2. Enter the Authentication Manager Super Admin or Trust Administrator password, and press ENTER.
    3. Enter the full REST API URL Prefix for the Cloud Authentication Service deployment. The URL is the hostname that you defined or an IP address, the API port that was provided by the Cloud Authentication Service Super Admin, and the prefix /api/v1. For example, https://identityrouter.rsa-securid.com:443/api/v1.

      Press ENTER.

    4. Enter the Access ID provided by the Cloud Authentication Service Super Admin, and press ENTER.
    5. Enter the Access Key provided by the Cloud Authentication Service Super Admin, and press ENTER.
    6. Verify the displayed details of the identity router root certificate. RSA Authentication Manager must obtain the root certificate from the identity router so that Authentication Manager can trust the Cloud Authentication Service deployment.

      Note:  It is critical that Authentication Manager only sends authentication requests to a legitimate identity router running the SSO Agent. You must carefully examine and verify the certificate.

    7. When prompted, add the identity router root certificate to the RSA Authentication Manager trust store. Enter y, and press ENTER.
    8. After obtaining the root certificate, you must enter credentials for the Authentication Manager instance and other information that is required to create the trust.
    9. Enter a name for the trusted realm. You can use the hostname for the identity routers, for example, identityrouter.rsa-securid.com. Press ENTER.
    10. (Optional) Enter any notes and press ENTER.
  7. When prompted to enable a trusted realm, enter y, and press ENTER. Users can authenticate to an enabled Cloud Authentication Service trusted realm.
  8. When prompted to enable the trusted realm for authentication, enter y, and press ENTER. This trusted realm option does not apply to a Cloud Authentication Service trusted realm.

    RSA Authentication Manager tests the connection to the trusted realm. After 30 seconds, a message indicates whether the connection test succeeded or failed.

    If the test fails, you can view the details in the imsTrace.log file in the /opt/rsa/am/server/logs directory.

    Note:  Replica instances require additional time to accept the root certificate that RSA Authentication Manager obtained from the identity router. Wait at least ten minutes before testing the trusted realm or authenticating with Authenticate Tokencodes on any replica instance.

After you finish 

  • For each authentication agent that is used with the Cloud Authentication Service trusted realm, select Enable Trusted Realm Authentication when you add the authentication agent. For instructions, see "Add an Authentication Agent" on RSA Link at https://community.rsa.com/docs/DOC-77208.
  • If you experience any RSA SecurID Access trusted realm integration issues, see "RSA SecurID Authenticate Tokencode Integration Issues and Solutions" on RSA Link at https://community.rsa.com/docs/DOC-76955.

 

 
