Configure RSA Authentication Manager as a Secure Proxy Server for Cloud Authentication Service
You can configure RSA Authentication Manager 8.5 and later to act as a secure proxy server for Cloud Authentication Service (CAS). User authentication requests are automatically forwarded to Cloud Authentication Service, and you can configure high availability, which allows authentication to continue when Cloud Authentication Service or the connection is unavailable or too slow.
You may need to do additional configuration steps to use these features.
Procedure
- REST protocol authentication agents require credentials to securely access AM. See Configure the RSA SecurID Authentication API for Authentication Agents.
- Connect AM to Cloud Authentication Service.
For instructions, see the following:
- To connect with an embedded identity router, see Quick Setup - Connect RSA Authentication Manager to the Cloud Authentication Service with an Embedded Identity Router.
While connecting, select the Send Multifactor Authentication Requests to the Cloud checkbox.
- If you are using identity routers on other platforms in your on-premises network or in the Amazon Web Services cloud, see Connect RSA Authentication Manager to the Cloud Authentication Service.
After you establish the connection, use the Security Console to select the Send Multifactor Authentication Requests to the Cloud checkbox. See Edit Cloud Authentication Service Connection.
Note: To use High Availability Tokencode with this feature, you must connect again after upgrading from version 8.4 Patch 4 or later.
- To connect with an embedded identity router, see Quick Setup - Connect RSA Authentication Manager to the Cloud Authentication Service with an Embedded Identity Router.
- In the Cloud Administration Console, create an access policy for the authentication agents that are connected to Cloud Authentication Service, or plan to use an existing access policy. For instructions, see Planning Resource Protection with Access Policies and Access Policies.
- Configure your authentication agents to use AM to direct authentication requests toCloud Authentication Service. For instructions, see your agent documentation.
After you finish
- When RSA Authentication Manager cannot communicate with Cloud Authentication Service, users can access RSA SecurID protected resources with RSA SecurID authentication and Authenticate Tokencode. AM always validates RSA SecurID authentication. AM must download High Availability Tokencode records to prompt users for Authenticate Tokencode. See Configure High Availability OTP.
- Some newer authentication agents can automatically download offline emergency access codes for users who access the authentication agent. Users can continue to authenticate if the connection to AM or Cloud Authentication Service is not available. For more information, see Emergency Tokencode.
- AM automatically downloads offline data day files that some newer authentication agents can use for uninterrupted authentication to Cloud Authentication Service. For instructions, see your authentication agent documentation.
Related Articles
RSA Authentication Manager Secure Proxy Server for Cloud Authentication Service Number of Views Enable Secure Shell on the Appliance Number of Views Skyhigh Secure Web Gateway (Cloud using Browser Setting) - SAML Relying Party Configuration - RSA Ready Implementation Guide Number of Views Configure a Proxy Server Number of Views RSA Authentication Manager as a Proxy Server to the Cloud Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x
