Authenticators Managed in the Cloud

An AM administrator can view authenticators that are managed in Cloud Authentication Service (CAS) through the User Dashboard, which displays the following:

  • SecurID 700 hardware tokens that are managed in Cloud Authentication Service. An AM administrator can unassign, enable, and disable these tokens.

  • DS100: These FIDO-certified authenticators provide users with a SecurID passcode for authentication. DS100 is managed only in Cloud Authentication Service.

  • Registered FIDO: SecurID supports FIDO-certified third-party authenticators that are managed in Cloud Authentication Service. For information on this authenticator, see FIDO.

  • Emergency Tokencode for Cloud Authentication Service users. An AM administrator can disable Emergency Tokencode for an individual user. For information on this form of authentication, see Emergency Tokencode.

  • Authenticators that are registered for SecurID Authenticate users. For more information, see Authenticator Registration.

Although some authenticators, such as DS100 and registered FIDO, are managed only in Cloud Authentication Service, you can choose whether SecurID 700 hardware tokens are managed in your AM deployment or in Cloud Authentication Service.

Cloud Sync Job

Cloud Sync Job is a batch job that Authentication Manager runs to exchange data and configuration details with CAS. The job runs once after Authentication Manager is connected to CAS, and thereafter every 24 hours at a random time between 1:00 AM and 5:00 AM local time.

When the cloud sync job runs, it synchronizes the following data and configurations:

Token Records Synchronization Between Authentication Manager and Cloud Authentication Service

Token records synchronization is one of the data syncs that the Cloud Sync job performs daily. The job synchronizes cloud-managed token records between Authentication Manager and CAS, and it also synchronizes the tokens assigned to Authentication Manager internal database users that are synchronized with CAS.

The Cloud Sync Job performs two operations to synchronize token records:

  1. DS100 and SecurID 700 records are synchronized from Cloud Authentication Service to AM, and AM automatically reconciles any conflicts. A cleanup job removes any token records that were already deleted in Cloud Authentication Service.

  2. SecurID 700 records are synchronized from AM to Cloud Authentication Service. An "AM to Cloud Token Record Synchronizer" audit entry is logged in the AM System Activity Monitor with a Success or Failure status.

Token records are not synchronized from AM to Cloud Authentication Service if the synchronization from Cloud Authentication Service to AM does not start, for example because a connection failure prevents Cloud Authentication Service from synchronizing token records to AM.

If the same token is accidentally assigned to different users in CAS and Authentication Manager, and the CAS user is not visible in Authentication Manager, the token is unassigned from the Authentication Manager user. No cloud-managed token record is created, and the sync marker is not updated.

Note:  An existing direct connection between Authentication Manager and CAS is required for automatic synchronization of token records between Authentication Manager and CAS.
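The two operations above, the cleanup of records deleted in CAS, the conflict rule for a CAS user who is not visible in AM, and the skipped AM-to-CAS pass when the CAS-to-AM pass cannot start are modeled below so the order of effects can be checked on sample data. This is an added example written for this page, not Authentication Manager or Cloud Authentication Service code; the product's data model is not public. The TokenRecord and SyncReport shapes, the serials and user names in sample_state(), the assumption that CAS is authoritative for cloud-managed records, and the assumption that operation 2 pushes only AM-managed SecurID 700 records that CAS does not already hold are all illustrative choices, not documented behaviour.

```python
# Illustrative model of the token-record pass of the Cloud Sync job (added
# example, not AM/CAS code). Record shapes, sample serials/users and the
# "CAS is authoritative for cloud-managed records" rule are assumptions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TokenRecord:
    serial: str                       # token serial number
    kind: str                         # "SecurID700" or "DS100"
    user: Optional[str]               # assigned user ID, None when unassigned
    deleted: bool = False             # CAS-side tombstone: already deleted in CAS
    cloud_managed: bool = False       # AM-side: record mirrors a CAS-managed token
    synced_run: Optional[str] = None  # AM-side sync marker: ID of the run that last synced it


@dataclass
class SyncReport:
    created: list = field(default_factory=list)     # serials created in AM from CAS
    removed: list = field(default_factory=list)     # serials cleaned up (deleted in CAS)
    unassigned: list = field(default_factory=list)  # (serial, former AM user) on conflict
    unresolved: list = field(default_factory=list)  # conflicts left to AM's own reconciler
    pushed: list = field(default_factory=list)      # SecurID 700 serials sent AM -> CAS
    audit: list = field(default_factory=list)       # (audit entry name, status) pairs
    skipped: bool = False                           # CAS -> AM never started


def cas_to_am(cas, am, visible_users, run_id, report):
    """Operation 1: DS100 and SecurID 700 records flow CAS -> AM, with cleanup."""
    for serial, crec in cas.items():
        if crec.kind not in ("DS100", "SecurID700"):
            continue
        arec = am.get(serial)
        if crec.deleted:                        # cleanup of records deleted in CAS
            if arec is not None:
                del am[serial]
                report.removed.append(serial)
            continue
        if arec is None:                        # new cloud-managed record in AM
            am[serial] = TokenRecord(serial, crec.kind, crec.user,
                                     cloud_managed=True, synced_run=run_id)
            report.created.append(serial)
            continue
        if arec.user and crec.user and arec.user != crec.user:
            if crec.user not in visible_users:
                # Same token assigned to two users and the CAS user is not visible
                # in AM: unassign the AM user; no cloud-managed record is created
                # and the sync marker is left unchanged.
                report.unassigned.append((serial, arec.user))
                arec.user = None
                continue
            # CAS user is visible: the page says AM reconciles automatically but
            # not how, so this model only flags the record and leaves it unchanged.
            report.unresolved.append(serial)
            continue
        arec.user = crec.user                   # no conflict: mirror CAS, mark synced
        arec.cloud_managed = True
        arec.synced_run = run_id


def am_to_cas(cas, am, report, cas_writable=True):
    """Operation 2: AM-managed SecurID 700 records flow AM -> CAS; log the audit entry."""
    entry = "AM to Cloud Token Record Synchronizer"
    if not cas_writable:                        # modelled write failure
        report.audit.append((entry, "Failure"))
        return
    for serial, arec in am.items():
        if arec.kind == "SecurID700" and not arec.cloud_managed and serial not in cas:
            cas[serial] = TokenRecord(serial, arec.kind, arec.user)
            report.pushed.append(serial)
    report.audit.append((entry, "Success"))


def run_cloud_sync(cas, am, visible_users, run_id, cas_reachable=True, cas_writable=True):
    """One daily run: operation 2 runs only if operation 1 could start."""
    report = SyncReport()
    if not cas_reachable:
        # e.g. a connection failure: CAS -> AM does not start, so AM -> CAS is
        # skipped as well. (The page does not say whether an audit entry is
        # written in this case; this model writes none.)
        report.skipped = True
        return report
    cas_to_am(cas, am, visible_users, run_id, report)
    am_to_cas(cas, am, report, cas_writable)
    return report


def sample_state():
    """Constructed sample data; serials and user names are invented for the example."""
    cas = {
        "T-0001": TokenRecord("T-0001", "SecurID700", "alice"),             # new to AM
        "T-0002": TokenRecord("T-0002", "DS100", "bob"),                    # new to AM
        "T-0003": TokenRecord("T-0003", "SecurID700", None, deleted=True),  # deleted in CAS
        "T-0004": TokenRecord("T-0004", "SecurID700", "carol"),             # conflict, carol not visible in AM
        "T-0005": TokenRecord("T-0005", "SecurID700", "dave"),              # conflict, dave visible in AM
    }
    am = {
        "T-0003": TokenRecord("T-0003", "SecurID700", "erin", cloud_managed=True),
        "T-0004": TokenRecord("T-0004", "SecurID700", "frank"),
        "T-0005": TokenRecord("T-0005", "SecurID700", "grace"),
        "T-0006": TokenRecord("T-0006", "SecurID700", "heidi"),             # AM-managed only
    }
    visible = {"alice", "bob", "dave", "erin", "frank", "grace", "heidi"}
    return cas, am, visible
```

Running `run_cloud_sync(*sample_state(), run_id="run-1")` creates T-0001 and T-0002 in AM, removes T-0003, unassigns frank from T-0004 without marking it cloud-managed or synced, flags T-0005, pushes T-0006 to CAS and records a Success audit entry; the same call with `cas_reachable=False` touches neither side and reports the run as skipped.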

User License Usage Synchronization Between Authentication Manager and CAS

In a hybrid deployment where Authentication Manager is connected to CAS, the daily cloud sync job synchronizes user license usage information between Authentication Manager and CAS, so that the dashboard of the CAS admin console shows up-to-date license usage. Organizations with a hybrid deployment can use this dashboard to track their license usage across CAS and Authentication Manager.

During the user license sync process:

  1. Authentication Manager collects the cloud licensed user information (username and email) from CAS, determines the hybrid status of each user license, and then updates CAS with the latest license usage and authenticator statistics.

  2. Authentication Manager sends CAS statistics for the following:

    • Hardware tokens

    • Software tokens

    • On-demand authentication (ODA) / Risk-based authentication (RBA)

    • Fixed Access Code

    • Users with assigned authenticators

The following scenarios also trigger the user license sync process:

  • When a user's authenticator status changes, for example when a token is assigned to or unassigned from the user, a token is imported or deleted, or RBA/ODA is enabled or disabled in Authentication Manager or CAS.

  • Major events such as restoring from a backup or snapshot, and registering the CAS configuration.

Note:  Authentication Manager tracks only those licensed cloud users that are visible to Authentication Manager.

User Password Synchronization from CAS to Authentication Manager

When Authentication Manager internal database users who are synced with CAS change their password on CAS MyPage, the password sync process, initiated through the Cloud Sync job or the Notification Service, synchronizes the password change to Authentication Manager.