Enable RSA SecurID Token Users to Access Resources Protected by the Cloud Authentication Service

Document created by RSA Information Design and Development on Oct 31, 2017. Last modified by RSA Information Design and Development on Oct 19, 2018. Version 9.

Perform this configuration so that users with RSA SecurID tokens can access SaaS and on-premises web applications and RADIUS clients protected by the Cloud Authentication Service. The identity router for the Cloud Authentication Service acts as an authentication agent of Authentication Manager: it forwards each SecurID tokencode to Authentication Manager for validation and grants access only after Authentication Manager accepts it.


Authentication Process Overview

The following illustration shows the process flow for an RSA SecurID user accessing a resource protected by the Cloud Authentication Service. RSA Authentication Manager validates the SecurID tokencode and returns information to the identity router before the user is granted access.


Required Components

Component: Cloud Authentication Service
Details: Use the Cloud Administration Console to download the identity router software. You must deploy at least one identity router and configure the required components for a minimal deployment. See "Cloud Authentication Service Planning and Configuration" on RSA Link at https://community.rsa.com/docs/DOC-75821.

Component: RSA Authentication Manager
Details: RSA Authentication Manager 8.0 or higher with at least one primary instance.

Required Tasks

The configuration consists of the following tasks.

Person Responsible: Super Admin for the Cloud Authentication Service
Task: 1. Confirm that your network allows outbound TCP traffic from the identity router to each Authentication Manager server on port 5500.

Person Responsible: Super Admin for RSA Authentication Manager
Task: 2. For Authentication Manager versions earlier than 8.2 SP1, use the Operations Console to add the hostname and IP address for both the identity router management interface and the identity router portal interface to the Authentication Manager server hosts file. To view and modify the hosts file, sign into the Operations Console and click Administration > Network > Hosts File.

Person Responsible: Super Admin for the Cloud Authentication Service
Task: 3. Configure a Static Route to RSA Authentication Manager

Person Responsible: Super Admin for RSA Authentication Manager
Tasks: 4. Generate the Authentication Manager Configuration File
5. Add the identity router to Authentication Manager as an agent. For instructions, see the RSA Authentication Manager documentation on RSA Link.

Note: Perform step 5 once for the whole deployment. Do not add an agent for each identity router; all identity routers share the one agent record.

Person Responsible: Super Admin for the Cloud Authentication Service
Task: 6. Connect Your Cloud Authentication Service Deployment to RSA Authentication Manager
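Task 1 asks you to confirm that TCP 5500 is open from the identity router to Authentication Manager. The following script is an added example, not RSA code: it checks that port with a plain TCP connect and reports why a connect failed, which is the detail you want when the Test Connection step later fails. Run it from a host whose path to Authentication Manager mirrors the identity router's management interface. The server addresses are constructed placeholders, and the local-listener helper exists only so the check can be exercised offline.

```python
"""Reachability check for the Authentication Manager agent port (TCP 5500).

Added example, not RSA code. The addresses used at the bottom are constructed
placeholders; replace them with your Authentication Manager instances.
"""
import socket

AM_AGENT_PORT = 5500  # port named in Required Tasks, step 1


def check_tcp_reachable(host, port=AM_AGENT_PORT, timeout=3.0):
    """Return (reachable, reason) for one host/port.

    A TCP connect separates the two usual failure modes:
      "timeout"  - packets are silently dropped (firewall or routing problem)
      "refused"  - the host answered, but nothing listens on the port
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout"
    except ConnectionRefusedError:
        return False, "refused"
    except OSError as exc:  # e.g. no route to host, name resolution failure
        return False, f"error: {exc.errno}"


def check_servers(hosts, port=AM_AGENT_PORT, timeout=3.0):
    """Check every Authentication Manager instance; all of them must pass."""
    return {host: check_tcp_reachable(host, port, timeout) for host in hosts}


def local_listener():
    """Offline self-test helper: a listening TCP socket on an ephemeral port.

    The kernel completes the TCP handshake for a listening socket even before
    accept() is called, so this is enough to make check_tcp_reachable succeed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Constructed placeholders; the first matches the page's sample address.
    am_servers = ["192.168.20.7", "192.168.20.100"]
    for host, (ok, why) in check_servers(am_servers).items():
        print(f"{host}:{AM_AGENT_PORT} {'OK' if ok else 'FAIL'} ({why})")
```

A "timeout" result almost always means a firewall or the missing static route from the next task; a "refused" result means the packet reached the host, so look at the Authentication Manager instance itself.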

Configure a Static Route to RSA Authentication Manager

The Super Admin for the Cloud Authentication Service must configure static routes so that each identity router reaches a specific Authentication Manager server, or the network that holds all of the servers, only through its management (private) interface. You can configure either of the following:

  • If Authentication Manager servers are on different networks, configure a static route for each identity router in your deployment to each Authentication Manager server.
  • If all Authentication Manager servers are on the same network, configure one static route for each identity router in your deployment going to that network to restrict the connections for the entire Authentication Manager deployment.

You must configure a static route when you initially configure the Cloud Authentication Service to communicate with Authentication Manager, as well as each time an Authentication Manager instance is added or removed from the deployment.

The following graphic shows how the example IP addresses from the procedure are used to configure a static route from an identity router to the Authentication Manager appliance(s).

Procedure 

  1. In the Cloud Administration Console, click Platform > Identity Routers.
  2. Next to the identity router name, select Edit.
  3. Click Next Step to access the Settings page.
  4. In the Static Routes section, do one of the following.
    • To restrict communication with an individual Authentication Manager server to the identity router management interface, enter these settings:
      • IP Address: <Authentication Manager Server IP Address>, for example, 192.168.20.7
      • Network Mask: 255.255.255.255 (a host route that matches only that server)
      • Gateway: <Default Gateway for Identity Router Management Interface>, for example, 10.10.10.1
      • Device: Private
    • To restrict communication with a network containing all Authentication Manager servers, enter these settings:
      • IP Address: <Authentication Manager Server Network>, for example, 192.168.20.0
      • Network Mask: <Network Mask for Authentication Manager Server Network>, for example, 255.255.255.128
      • Gateway: <Default Gateway for Identity Router Management Interface>, for example, 10.10.10.1
      • Device: Private
  5. Click Add.
  6. Click Next Step.
  7. Click Save and Finish.
  8. Repeat step 2 through step 7 for each identity router in your deployment.
  9. Click Publish Changes.
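The procedure above gives two route shapes, a /32 host route per server or one route to the network that holds every server, and leaves you to work out the network and mask by hand. The following script is an added example, not RSA code: it computes the smallest network that covers a list of Authentication Manager addresses, emits the Static Routes entries for either option, and refuses a gateway that is not on the management interface subnet (a route through an unreachable gateway silently breaks the connection). The management subnet 10.10.10.0/24 and the second server address are assumptions; the other values are the page's sample values.

```python
"""Plan identity router static routes to RSA Authentication Manager.

Added example, not RSA code. Reproduces the two options in the procedure:
  - one 255.255.255.255 (host) route per Authentication Manager server, or
  - a single route to the network containing all of them.
The management subnet used below is an assumption; the Authentication Manager
addresses are the page's sample value plus one constructed neighbour.
"""
import ipaddress

HOST_MASK = "255.255.255.255"  # the mask for an individual server route


def smallest_covering_network(am_servers):
    """Smallest CIDR block that contains every server (the tightest option 2)."""
    servers = [ipaddress.ip_address(s) for s in am_servers]
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{servers[0]}/{prefix}", strict=False)
        if all(s in net for s in servers):
            return net


def plan_static_routes(am_servers, mgmt_gateway, mgmt_network, am_network=None):
    """Return the Static Routes entries as a list of dicts.

    am_servers   : Authentication Manager IP addresses (all instances)
    mgmt_gateway : default gateway of the identity router management interface
    mgmt_network : CIDR of the management interface subnet; the gateway must
                   sit on it or the route can never be used
    am_network   : optional CIDR covering every server; when given, one
                   network route is emitted instead of per-server host routes
    """
    gw = ipaddress.ip_address(mgmt_gateway)
    mgmt = ipaddress.ip_network(mgmt_network, strict=False)
    if gw not in mgmt:
        raise ValueError(f"gateway {gw} is not on management network {mgmt}")

    servers = [ipaddress.ip_address(s) for s in am_servers]

    if am_network is None:
        # Option 1: a /32 per server; each entry is added separately in the console.
        return [
            {"IP Address": str(s), "Network Mask": HOST_MASK,
             "Gateway": str(gw), "Device": "Private"}
            for s in servers
        ]

    # Option 2: one route for the whole server network. strict=True rejects a
    # network address with host bits set, which the console would not accept.
    net = ipaddress.ip_network(am_network, strict=True)
    outside = [str(s) for s in servers if s not in net]
    if outside:
        raise ValueError(f"servers not covered by {net}: {outside}")
    return [
        {"IP Address": str(net.network_address), "Network Mask": str(net.netmask),
         "Gateway": str(gw), "Device": "Private"}
    ]


if __name__ == "__main__":
    servers = ["192.168.20.7", "192.168.20.100"]  # second address is constructed
    net = smallest_covering_network(servers)
    print("per-server routes:", plan_static_routes(servers, "10.10.10.1", "10.10.10.0/24"))
    print("network route:", plan_static_routes(servers, "10.10.10.1", "10.10.10.0/24",
                                               am_network=str(net)))
```

Rerun the planner whenever an Authentication Manager instance is added or removed, as the text above requires: a new replica outside the covering network needs either a wider network route or its own host route on every identity router.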

After you finish 

A Super Admin for RSA Authentication Manager must generate the Authentication Manager configuration file.

Generate the Authentication Manager Configuration File

You need the Authentication Manager configuration file to configure communication between your Cloud Authentication Service deployment and Authentication Manager. The Super Admin for RSA Authentication Manager must generate the AM_Config.zip file, which contains the configuration file, sdconf.rec. The sdconf.rec file contains a snapshot of the server topology as it was when the file was generated, so if instances are added or removed later, generate a new file and upload it again.

Procedure 

  1. In the Security Console, click Access > Authentication Agents > Generate Configuration File.
  2. From the Maximum Retries drop-down menu, select the number of times you want the identity router to attempt to establish communication with Authentication Manager before returning the message “Cannot initialize agent - server communications."
  3. From the Maximum Time Between Each Retry drop-down menu, select the number of seconds that you want to set between attempts by the identity router to establish communications with Authentication Manager.
  4. Click Generate Config File.
  5. Click Download Now, and save AM_Config.zip to your local machine.

After you finish 

The Super Admin for the Cloud Authentication Service must unzip the AM_Config.zip file and upload the sdconf.rec file to the identity router. See the next task, Connect Your Cloud Authentication Service Deployment to RSA Authentication Manager.

Connect Your Cloud Authentication Service Deployment to RSA Authentication Manager

To use RSA SecurID as an authentication method, the Super Admin for the Cloud Authentication Service must connect the Cloud Authentication Service deployment to the RSA Authentication Manager server. These configuration settings allow all identity routers to communicate with Authentication Manager.


Procedure 

  1. In the Cloud Administration Console, click Platform > Authentication Manager.
  2. Click Configure Connection.
  3. In the Authentication Agent Name field, enter the exact name provided by your Authentication Manager administrator. It must match the agent record that was added to Authentication Manager for the deployment.
  4. To upload the sdconf.rec file, click Choose File and select the file.
  5. Click Save.
  6. Click Publish Changes to apply the settings to all identity routers in the deployment. You must publish before you test the connection, but remember that publishing applies these settings and all pending changes to all identity routers.
  7. Click Test Connection. A graphic shows the connection status for each configured identity router. If any identity router is not connected, check the items from Required Tasks for that identity router: outbound TCP 5500 to Authentication Manager, the static route through the management interface, the hosts file entries on Authentication Manager versions earlier than 8.2 SP1, and the agent name.


After you finish

The Super Admin for the Cloud Authentication Service must make sure assurance levels and access policies are configured to require SecurID Token where appropriate. For more information, see "Access Policies" on RSA Link at https://community.rsa.com/docs/DOC-53992.
