Certified: August 31, 2023
Solution Summary
This section describes HashiCorp Vault integration with RSA (or ID Plus). Use this information to determine which use case and integration type your deployment will employ.
Use Case
HashiCorp Vault can be integrated with RSA using RADIUS. When integrated, users must authenticate with RSA to sign in to HashiCorp Vault.
Integration Types
RADIUS integrations provide a text-driven interface for RSA within the partner application. RADIUS provides support for most RSA authentication methods and flows.
Supported Features
This section shows all the supported features by integration type and by RSA components. Use this information to determine which integration type and RSA component your deployment will use. The next section in this guide contains the instruction steps for how to integrate RSA with HashiCorp Vault using RADIUS integration type.
HashiCorp Vault Integration with RSA Cloud Authentication Service
| Authentication Methods |
RSA MFA API (REST) |
RADIUS |
Relying Party |
SSO |
|
Approve |
- |
| - | - |
|
LDAP Password |
- |
| - | - |
|
SecurID OTP |
- |
| - | - |
|
Authenticate OTP |
- |
| - | - |
|
Device Biometrics |
- |
| - | - |
|
SMS OTP |
- |
| - | - |
|
Voice OTP |
- |
| - | - |
|
FIDO Security Key |
- |
n/a | - | - |
HashiCorp Vault Integration with RSA Authentication Manager
|
Authentication Methods |
RSA MFA API (REST) |
RADIUS |
Authentication Agent |
|---|---|---|---|
| RSA SecurID | - | - | |
| On Demand Authentication | - | - | - |
| Risk-Based Authentication | - | - | - |
|
|
Supported |
|
- |
Not supported |
|
n/t |
Not yet tested or documented, but may be possible |
|
n/a |
Not applicable |
Configuration Summary
This section contains instruction steps that show how to integrate HashiCorp Vault with RSA using the RADIUS integration type.
This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products to install the required components.
All RSA and HashiCorp Vault components must be installed and working prior to the integration.
This section of the guide includes links to the appropriate sections for configuring both sides for each use case.
Integration Configuration
RSA Cloud Authentication Service
RSA Authentication Manager
RSA Terminology Changes
The following table describes the differences in the terminologies used in the different versions of RSA products and components.
|
Previous Version |
New Version |
Examples/Comments |
|---|---|---|
| Company ID | Organization ID | |
| Account | Credential | |
| Token | OTP Credential |
SecurID OTP Credential |
| Tokencode | OTP/Access Code |
SecurID OTP, SMS OTP, Voice OTP Emergency Access Code, Disable Access Code |
| Hardware Token | Hardware Authenticator | |
| Device Serial Number | Binding ID | |
| Device | Credential/Authenticator | |
| Device Registration Code | Registration Code | |
| Authenticate App | Authenticator App |
Known Issues
Cloud Authentication Service
To enable two-factor authentication, use Cloud Authentication Service only applies access policy for additional authentication while configuring the connector. Multi-factor authentication is not supported in this integration since it requires a second screen. The alternative configuration using password is not recommended.
Authentication Manager
Since HashiCorp Vault does not show a second screen for RADIUS integration:
- The tests that require a second screen such as setting a new PIN cannot be performed.
- On-demand authentication cannot be tested.
Replica authentication server functionalities are not supported.
Certification Details
RSA Cloud Authentication Service
RSA Authentication Manager 8.7 Patch 1, Virtual Appliance or later
HashiCorp Vault 1.14.0
