000036556 - Preventing end users from bypassing the RSA SecurID Access Cloud Authentication Service

Document created by RSA Customer Support Employee on Jul 24, 2018
Version 1

Article Content

Article Number: 000036556
Applies To:
RSA Product Set: SecurID Access
RSA Product/Service Type: All
RSA Version/Condition: All
Issue: When the RSA Cloud Authentication Service is enabled for an application, it is important to make sure that end users cannot bypass the Service and access the application directly with weaker, or perhaps no, authentication.
Tasks: Check your application's documentation and/or the application's Integration Guide on RSA Link to see whether it has a configuration option that enforces access through a single authentication source. Applications that support RADIUS, Relying Party, or SAML single sign-on will typically prevent authentication by any other means once those options are enabled. However, when HTTP Federation or Trusted Headers are used, the application will probably not have a built-in means of preventing bypass of the RSA Cloud Authentication Service.
Resolution: An internal application or website protected by HTTP Federation or Trusted Headers can be restricted to accept incoming connections only from the RSA Identity Routers' management IP addresses, thereby denying access from any other source. This can be achieved with a firewall.
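
One way to express the restriction described in the Resolution, as an added example that is not RSA's own code: a script that validates a list of Identity Router addresses and prints the matching iptables commands for review. It assumes a Linux host firewall in front of the application; the chain name IDR_ONLY, port 443, and the 192.0.2.x addresses are constructed placeholders to replace with your own values.

```shell
#!/bin/sh
# Added example: emit iptables commands that let only the Identity Routers
# reach the protected application's port. Addresses and port below are
# constructed placeholders (RFC 5737 documentation range), not real values.

# is_ipv4 ADDR -> succeeds only for a dotted-quad IPv4 address
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# build_rules PORT IP... -> prints the rule commands, or fails on bad input
build_rules() {
    port=$1; shift
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    # Refuse an empty allowlist: it would block the Identity Routers too.
    [ "$#" -gt 0 ] || { echo "no Identity Router addresses given" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done

    echo "iptables -N IDR_ONLY"
    for ip in "$@"; do
        echo "iptables -A IDR_ONLY -s $ip -j ACCEPT"
    done
    # Anything that is not an Identity Router is dropped.
    echo "iptables -A IDR_ONLY -j DROP"
    # Attach the chain last, once it is complete, so traffic never hits
    # a half-built rule set.
    echo "iptables -I INPUT -p tcp --dport $port -j IDR_ONLY"
}

# Print the commands for review instead of applying them directly.
build_rules 443 192.0.2.10 192.0.2.11
```

These rules cover IPv4 only; if the application also listens on IPv6, the same restriction has to be applied with ip6tables or that path remains open.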