RSA SecurID Access Cloud Only Trial Tutorial

Document created by RSA Information Design and Development on Oct 11, 2018
Last modified by RSA Information Design and Development on Oct 15, 2018
Version 4

Welcome to the RSA SecurID® Access Cloud Only Trial. This trial lets you harness the power of RSA SecurID Access from end-user to administration and setup. You’ll be able to see how RSA can provide secure and convenient access to your users for any application cloud to ground. Experience RSA SecurID Access's administrative policies, create and manage users, and perform modern mobile authentication like push to approve with the RSA SecurID Authentication App in minutes. Then apply what you learn to add your own applications and users.

What You Get With Cloud Only Trial

                           
| Hosted Resource | Description |
|---|---|
| Cloud Administration Console | A web-based interface for setup and daily management. |
| Cloud Authentication Service | Performs run-time authentication for protected resources. |
| RSA SecurID Authenticate app | User-downloadable app found in the Apple App Store, Google Play, or Microsoft Store used to register your devices. |
| A web-based application portal | Provides links to available applications. |

You also get four demo applications in the Cloud and four demo user accounts in the hosted LDAP directory server. You cannot use your on-premises LDAP directory server.

If you have any questions, contact your RSA Sales representative, or call 800-995-5095 or 1-781-515-7700 and option 1.

Step 1: Sign Up

If you have not yet signed up for the trial, go to RSA SecurID Access Cloud Only Trial, and complete the form. After you confirm your email address, RSA will send you the URLs and sign-in credentials for your demo user accounts.

If you already signed up, you're ready to start! Go to step 2.

Step 2: Explore the Demo Applications and Policies

Let's explore how you can use policies to control which users can access your applications and how users will authenticate. We'll examine the policy assigned to App B, a demo SAML application.

  1. Using the URL for the Cloud Administration Console provided in your email from RSA, sign in using your administrator credentials.

    You see the main dashboard page.

  2. Click Applications > My Applications to see the list of demo applications.
  3. For App B, click Edit. When the application opens, click the User Access tab. This is where you associate a policy with an application. Notice that the policy assigned to this application is named Allow All Authenticated Users - Low Assurance.
  4. Now click Access > Policies to see a list of all of the policies currently configured. Scroll down to Custom Policies and find Allow All Authenticated Users - Low Assurance. This policy governs access to App B, which you just viewed. Click Edit to open the policy.
  5. Click the Rule Sets tab. This page provides important configuration settings you need to know about and will want to experiment with later. (Don't change any settings now, though.)

     

    The Target Population field tells you who this policy applies to. In this case, it's for all users. Later, you will be able to use this setting to target selected groups of users based on LDAP attributes such as network, job title, and department.

    The Access and Additional Authentication fields tell you that users who authenticate are allowed to access applications with no conditional limitations.

    The Assurance Level is the list of authentication options available for this target population. For now, only SMS Tokencode and Voice Tokencode are available to you. The others will be available after you install the Authenticate app and register your device.

  6. It's easy to modify Assurance Levels so they meet your particular needs. Let's take a quick look. Click Access > Assurance Levels.

    You can see that assurance levels are categorized as High, Medium, and Low. Each level contains different options with varying security strengths. You can modify each level by adding or removing options. Assurance levels help ensure that your most sensitive digital assets are protected by the strongest authentication that is appropriate for your users, while less important assets remain easier for users to access.

    Notice that the High level combines multiple options for added security, while the Low level includes options that are relatively simple and convenient for users.

Leave this browser tab open.

Step 3: Try Out the Application Portal

Have your mobile device handy when you perform this step. It must have the same phone number you used to register for the trial.

  1. Open a new tab in your browser. Sign in to the application portal with your end-user credentials.

    You are prompted to share your location. You can allow or block it.

  2. You see icons for App A, App B, the hosted LDAP directory server, RSA SecurID Access My Page, the tutorial, and video. Click App B.

    You'll get an SMS code at the phone number you supplied. Before you enter the code, click Show me other options. Only SMS, Voice, and FIDO are available now, but you will see more options later.

  3. Type the SMS code into the browser and click Send Code.

    You are prompted to allow the service to remember your browser, which can simplify future authentications. You can allow or block it.

Step 4: Register a Device to Expand Your Multifactor Authentication Options

After you register a device and download the Authenticate app, more authentication options such as push notifications (Approve) and Authenticate Tokencode will be available to you.

  1. From the application portal, click on My Page and sign in with your end-user credentials.

    You are prompted to share your location. You can allow or block it.

  2. Follow the prompts to download the RSA SecurID Authenticate app from your app store, and register it using either a QR code or numeric registration code.

    That's all there is to device registration. Now let's use the app to try a simple Approve authentication.

  3. Close the application portal and sign in again. Open App B. You are prompted to authenticate.
  4. Click Show me other options and note the options that are available to you now. From that list, select Approve.

    You're in!

Step 5: Update an Access Policy

Now that you have done a simple Approve authentication, let's make a few changes to an existing access policy.

  1. In the Cloud Administration Console, click Access > Policies.
  2. Scroll down to Allow All Authenticated Users - Low Assurance, and click Edit.
  3. Change the name to Managers or Non-Managers, and click Next Step > Next Step.
  4. Add a rule set to require non-managers to authenticate with Medium Assurance or higher:

    1. Under Target Population, do the following:

      1. Click Selected Users > Add.
      2. From the User Attribute drop-down list, select title.

      3. From the Operation drop-down list, select Set does not contain any.

      4. In the Value field, enter manager.

      5. Click Save.
    2. Scroll up to the Rule Set Name field, and enter Non-Managers.
    3. Under Access Details, select Medium from the Assurance Level drop-down list.

      The default Medium assurance level requires users to authenticate with either a Device Biometric, such as Fingerprint or Face ID, or the Authenticate Tokencode, an eight-digit number that displays on the home screen of the Authenticate app. Users can also select from options in the High assurance level.

  5. Add a rule set to not require additional authentication for managers:

    1. Scroll to the top of the page, and click Add a Rule Set.
    2. In the Rule Set Name field, enter Managers.
    3. Under Target Population, do the following:

      1. Click Selected Users > Add.
      2. From the User Attribute drop-down list, select title.

      3. From the Operation drop-down list, select Set contains any.

      4. In the Value field, enter manager.

      5. Click Save.
    4. Under Access Details, select Allowed > Not Required.
  6. Click Save and Finish.
  7. Click Publish Changes.
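
The two rule sets from Step 5 can be modeled offline to check which directory users land in each one before you publish. This is an added example, not RSA code or part of the original tutorial; the matching semantics (exact, case-insensitive set membership, first matching rule set decides), the function names, and the sample users are assumptions.

```python
# Added illustration: a model of the two rule sets from Step 5, not RSA code.
# Assumptions: an LDAP attribute is a set of values, matching is exact and
# case-insensitive, and the first matching rule set decides the outcome.

RULE_SETS = [
    {"name": "Non-Managers", "attribute": "title",
     "operation": "set_does_not_contain_any", "values": ["manager"],
     "additional_auth": "Medium"},
    {"name": "Managers", "attribute": "title",
     "operation": "set_contains_any", "values": ["manager"],
     "additional_auth": "Not Required"},
]

def matches(rule_set, user):
    """Return True if the user falls in the rule set's target population."""
    have = {v.strip().lower() for v in user.get(rule_set["attribute"], [])}
    want = {v.lower() for v in rule_set["values"]}
    overlap = bool(have & want)
    if rule_set["operation"] == "set_contains_any":
        return overlap
    if rule_set["operation"] == "set_does_not_contain_any":
        return not overlap  # an absent attribute is an empty set, so it matches
    raise ValueError("unknown operation: " + rule_set["operation"])

def evaluate(user, rule_sets=RULE_SETS):
    """Return (rule set name, additional authentication) for one user."""
    for rule_set in rule_sets:
        if matches(rule_set, user):
            return rule_set["name"], rule_set["additional_auth"]
    return None, "Denied"  # assumption: no matching rule set means no access

def exempt_users(users, rule_sets=RULE_SETS):
    """List user IDs that would reach the application with no step-up."""
    return [u["mail"] for u in users
            if evaluate(u, rule_sets)[1] == "Not Required"]

# Constructed directory entries (titles and addresses are sample values).
USERS = [
    {"mail": "sanjay@example.test", "title": ["engineer"]},
    {"mail": "emilio@example.test", "title": ["Manager"]},
    {"mail": "no-title@example.test"},  # title attribute absent
    {"mail": "two-titles@example.test", "title": ["analyst", "manager"]},
]

if __name__ == "__main__":
    for u in USERS:
        print(u["mail"], *evaluate(u))
    print("No additional authentication:", exempt_users(USERS))
```

Because the Managers rule set skips additional authentication, the list returned by `exempt_users` is the set of accounts whose access to App B depends only on the portal sign-in and on the value of the title attribute in the identity source.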

Step 6: Try with Other Demo Users

Let's test our new policy requirements with two demo users, Sanjay Sample (not a manager) and Emilio Example (a manager). Refer to your email for their credentials.

  1. On two other iOS, Android, or Windows 10 devices, register devices for Sanjay and Emilio. Follow the instructions in Step 4: Register a Device to Expand Your Multifactor Authentication Options.

    Do not use the device that you used for yourself in Step 4 because a device can only be registered to one user, unless it is a Windows 10 PC.

    If you want Sanjay to use Device Biometrics later to access App B, be sure that biometrics (for example, Fingerprint or Face ID) are set up on Sanjay's device.

  2. Sign out of the application portal.

  3. Sign into the application portal as Sanjay. Open App A.

    Sanjay gets in because App A does not require additional authentication beyond the credentials used to sign into the portal.

  4. Open App B and authenticate.

    Because Sanjay is not a manager, he is prompted to complete additional authentication. Notice that the Medium (and High) assurance level options are available.

  5. Sign out of the application portal.
  6. Sign into the application portal with Emilio's credentials. Open App A.

    Like Sanjay, Emilio gets in because App A does not require additional authentication beyond the credentials used to sign into the portal.

  7. Open App B.

    Emilio gets in because App B does not require additional authentication for managers.

  8. Sign out of the application portal.

  9. (Optional) Test with the other demo users.

Step 7: Try It with Your Own Users and SAML Application

You've now done a few test authentications with demo users and apps. Next let's add your own users in the hosted identity source and one of your own SAML applications to protect.

Test with Your Own Users

  1. Add your users in the hosted identity source:

    1. Sign into the application portal with your end-user credentials.
    2. Open LDAP Admin.
    3. In the left frame, expand dc=sidx,dc=net.
    4. Click on the plus sign to expand ou=People, and click Create new entry here.
    5. Click Generic: inetOrgPerson entry and enter the details of one of your users.

      Be sure to enter the mobile number of the device that will be used for device registration. Also, you can specify the title manager, if you want.

    6. Click Create Object.
    7. To add an additional attribute for the user, click Add new attribute, select the attribute from the drop-down list, and enter the value.
    8. Click Commit.
    9. Add additional users, as desired.
  2. Synchronize the hosted identity source and the Cloud Authentication Service with the latest changes:

    1. In the Cloud Administration Console, click Users > Identity Sources.
    2. From the identity source Edit drop-down list, select Synchronization.

    3. Click Synchronize Now.

      The users are now in the Cloud Authentication Service.

  3. Instruct your users to complete Step 4: Register a Device to Expand Your Multifactor Authentication Options on their own devices.
  4. Ask your non-manager users to open App B.

    They are prompted for authentication options in the Medium and High assurance levels.

Protect Your Own SAML Application

  1. On RSA Ready in the RSA SecurID Access category, find a SAML application that you use.

    Note:  The Cloud Only Trial is limited to only SAML applications.

  2. Follow the instructions in the guide.

    When you add the application in the Cloud Administration Console, you can either use an existing policy or create a new one.

  3. In the application portal, click the new application and authenticate to it.

Next Steps

Now that you have successfully completed the Cloud Only Trial basics, where do you want to go from here? There are a number of options, depending on what you want to do.

  • Continue to add your own users, policies, and applications in this environment. Remember that this environment will be deleted after 30 days.
  • For more information, contact your RSA sales representative, or call 800-995-5095 or 1-781-515-7700 and option 1.
  • Sign up for the RSA SecurID Access Cloud and On-Premises Trial, where you can install the product in your own environment and connect to any application (for example, RADIUS) with ten users.

Frequently Asked Questions

                                                           
Question: I’ve requested my free trial. Where do I get my sign-in credentials?
Answer: You will receive an email from RSA SecurID Access Cloud Only Trial with the information you need to sign into the Cloud Administration Console and the RSA SecurID Access Application Portal.

Question: I signed up for the trial and received a message that no environments are available.
Answer: Contact your RSA Sales representative, or call 800-995-5095 or 1-781-515-7700 and option 1.

Question: I forgot my credentials to sign into the Cloud Administration Console.
Answer: Call 1-800-995-5095 or 1-781-515-7700 and option 1 to have your account reset.

Question: I forgot the credentials for a user.
Answer:
  1. In the LDAP Admin app, review the value in the Email field. This is the user ID.
  2. If necessary, enter a new password in the Password field.
  3. Click Update Object.

Question: I am not sure how to register a device or download the RSA SecurID Authenticate app.
Answer: Follow the instructions in My Page to download the app and register a device. See Step 4: Register a Device to Expand Your Multifactor Authentication Options.

Question: A user lost or broke a registered device and needs to complete device registration again.
Answer: In the Cloud Administration Console, delete the user's device. For instructions, see Manage Users for the Cloud Authentication Service.

Question: I want to run a report to see which users have a registered device.
Answer: In the Cloud Administration Console, generate the All Synchronized Users report. For instructions, see Run User Reports.

Question: How many users can I test with?
Answer: In addition to the demo users, you can add 6 of your own users.

Question: How do I add additional administrators?
Answer: See Add Administrators for the Cloud Administration Console.

Question: How long is my trial good for?
Answer: This trial is valid for 30 days after registration. You will receive an email before your trial expires with options if you want to extend it.

If you want to keep using the trial, you must register again. You also must remove the previous account from your RSA SecurID Authenticate app with a simple swipe to delete and then re-register your device just as you did previously.

Question: What LDAP user attributes are synchronized to the Cloud Authentication Service?
Answer: You can see these attributes in the Cloud Administration Console.

  1. Click Users > Identity Sources.
  2. From the hosted identity source, click Edit.
  3. Click Synchronize User Attributes.

    Review the listed attributes.

Question: I can't sign into the application portal with the administrator credentials for the Cloud Administration Console.
Answer: At this time, you cannot sign into the application portal with the administrator credentials. Sign into the application portal with the end-user credentials emailed to you.

 

 

