Cloud Access Service Rollout to Users

After you finish setting up your Cloud Access Service (CAS) deployment, roll out authentication options to your users. The rollout involves communicating information about the user experience, for example, the application portal for an IDR SSO Agent deployment, the RSA Authenticator app or other authenticators and optionally RSA My Page, emergency access, and system requirements.

For a sample e-mail that you might use to communicate this information, see Sample Rollout Email for ID Plus Users.

Application Portal

Provide both the portal application URL and sign-in credentials (if applicable) to users.

Item	Description
URL	If you are using the standard portal and have only one identity router, the application portal URL is the Portal Hostname that you specified when you added an identity router in the Cloud Administration Console. To see the hostname, edit the identity router. When users enter the portal hostname, CAS automatically redirects them to the application portal. For example, when users go to https://portal.sso.domain.com, CAS automatically redirects users to https://portal.sso.domain.com/WebPortal. If you are using the standard portal and have a cluster of identity routers for high availability, the application portal URL is the Load Balancer DNS Name that you specified when you added a cluster. To see the name, edit the cluster. If you are using the custom portal, the application portal URL is the Login Page that you specified when you configured custom portal settings in the Cloud Administration Console. To see the login page, edit the custom portal settings.
Sign-in credentials	Instruct users to sign in with their user ID (username or e-mail address, depending on your configuration) and password. If you have configured Integrated Windows Authentication (IWA), the CAS automatically authenticates eligible users to the application portal without prompting them for their username and password.

Item

Description

URL

If you are using the standard portal and have only one identity router, the application portal URL is the Portal Hostname that you specified when you added an identity router in the Cloud Administration Console. To see the hostname, edit the identity router.
When users enter the portal hostname, CAS automatically redirects them to the application portal. For example, when users go to https://portal.sso.domain.com, CAS automatically redirects users to https://portal.sso.domain.com/WebPortal.
If you are using the standard portal and have a cluster of identity routers for high availability, the application portal URL is the Load Balancer DNS Name that you specified when you added a cluster. To see the name, edit the cluster.
If you are using the custom portal, the application portal URL is the Login Page that you specified when you configured custom portal settings in the Cloud Administration Console. To see the login page, edit the custom portal settings.

Sign-in credentials

Instruct users to sign in with their user ID (username or e-mail address, depending on your configuration) and password. If you have configured Integrated Windows Authentication (IWA), the CAS automatically authenticates eligible users to the application portal without prompting them for their username and password.

RSA Authenticator App

If you are using authentication methods available in the RSA Authenticator App, instruct users to complete registration with the app. If you are using RSA My Page, follow the provided instructions to register your app.

Note: If your company uses SSL interception, iOS or Android users must complete registration using cellular data or a Wi-Fi network not associated with your company. If users use corporate Wi-Fi, they will see an Untrusted Connection error message during registration that instructs them to use cellular data or a different Wi-Fi network to continue.

Provide the following information to users to enter during registration:

Item	Description
My Page URL	(Optional) Your company's My Page URL is displayed in the Cloud Administration Console in Access > My Page.
User email address	User's email address in the identity source.
Registration Code	Instruct users to scan the displayed QR code on My Page. Users who cannot use My Page must either enter their identity source passwords or obtain a Registration Code from their administrator during registration. Administrators generate this code only for users who cannot obtain one from any other source.

The RSA Authenticator app uses notifications to simplify the authentication process. An app user can disable notifications but must perform an extra step to authenticate using certain authentication methods (such as Approve or Device Biometrics). After the user sees the Sending Sign-in Request screen in the browser or is sent a notification as part of a RADIUS flow, the user must open the app or pull down on the top of the app to manually retrieve the notification to continue the authentication process.

FIDO Authenticators

If you are using FIDO authenticators, instruct your users to complete registration on My Page. Depending on your My Page configuration and if you are only using security keys, users can also complete registration during first-time authentication to a protected application.

Emergency Access

Instruct users what to do if they cannot use their preferred authentication methods. This situation may occur for a variety of reasons, for example, if the user lost an RSA credential or FIDO authenticator, or the user cannot locate the mobile phone where the RSA Authenticator app is registered, or the mobile phone cannot be charged. In such cases, several methods are available for emergency access, including SMS OTP. See Emergency Access for Cloud Access Service Users for more information.

System Requirements

See Cloud Access Service User System Requirements.

Reference Materials

Sample Rollout Email for ID Plus Users

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change