Manage My Page

RSA My Page is a web portal that provides a secure way to manage authenticators and access applications. Each user can use it to register the following authenticators:

  • One Software Authenticator app.

  • Up to five SecurID 700 hardware OTP authenticators, RSA DS100 OTP authenticators, or OATH HOTP authenticators.

  • Up to five FIDO authenticators.

Authenticator: Configuration Impact

  • RSA Authenticator application (available on Android, iOS, Windows, and macOS): Each user can register only one software authenticator app, which can be either an RSA authenticator app or a custom mobile authenticator app.

  • Custom Mobile Authenticator application: Using the RSA SDK, you can build your own Mobile Authenticator application, which can then be registered via My Page.

  • SID 700 hardware OTP, RSA DS100 OTP, OATH HOTP: Users must go to My Page to register their SID 700 hardware OTP authenticators, RSA DS100 authenticators, or OATH HOTP authenticators.

  • FIDO: You can enable users to register FIDO Authenticators through My Page. If the My Page portal has not been enabled for users, they can register FIDO Authenticators as part of their initial authentication. When the My Page portal is enabled for users, they can register FIDO Authenticators only via My Page.

    Note:  Windows Hello authenticator cannot be registered during the initial authentication process; it can only be registered via My Page.


Before you begin 

  • You must be a Super Admin in the Cloud Administration Console.

  • Know which access policy to use for additional authentication.

  • If you want to use SMS or Voice OTP, you need to get a specific add-on for your subscription plan. For details, please contact your RSA sales representative.

  • If you require users to register their FIDO authenticators using My Page, make sure that the access policy to My Page does not mandate the use of a FIDO authenticator.

  • If you want to use a third-party identity provider for primary authentication, it must be created.

 

Set Up Applications Settings

Applications configuration settings provide administrators with the ability to manage user authorization required to access applications and user sessions.

Procedure 

  1. In the Cloud Administration Console, click Access > My Page.

  2. Click the Applications tab.

  3. Set the Applications toggle to Enabled to make it available on My Page.

  4. In the Authentication section, in the 2.0 Access Policy for Authentication drop-down list, select a 2.0 access policy to use for primary and additional authentication.

  5. In the User Sessions section, provide the session duration and inactivity timeout in minutes. After the specified duration or inactivity timeout, users will be signed out. The default values for Session Duration and Inactivity Timeout are 60 minutes and 10 minutes, respectively.

  6. Select the Limit Concurrent Sessions to check box and enter a value to restrict the number of concurrent logins. No further logins are allowed once this limit is reached. The value must be between 1 and 99. If you do not select this check box, unlimited concurrent logins are allowed.

  7. To require users to sign in again if the system detects that the IP address has changed within the same sign-in session, select Validate Session IP Address. This option can help to prevent unauthorized use of a sign-in session. If this setting is blank, a user can change IP addresses within the same session without being prompted to sign in again. This can be useful, for example, to accommodate users moving from workplace to home and changing IP addresses as a result.

  8. (Optional) If you want to redirect users to a specific URL after they sign out of My Page, enter the URL in the Logout URL field.

    If you do not specify a URL, users are redirected to the My Page URL. Note that this field is not available if you select Password, SecurID, or FIDO as the primary authentication method.

  9. If you are configuring My Page for single sign-on in a SAML unsolicited response flow, copy the Assertion Consumer Service (ACS) URL for Unsolicited Responses value into your identity provider configuration settings.

  10. Click Save.

 

Set Up Authenticators Settings

You can enable and configure My Page. In addition, you can select the primary authentication method and the policy to be used for additional authentication to sign into My Page.

Procedure 

  1. In the Cloud Administration Console, click Access > My Page.

  2. Set the Authenticators toggle to Enabled to make it available on My Page.

  3. If the Applications setting is enabled on My Page, in the 1.0 Access Policy for Authentication drop-down list, select a 1.0 access policy to be used for additional authentication if primary authentication succeeds. If the Applications setting is disabled, in the 2.0 Access Policy for Authentication drop-down list, select a 2.0 access policy to use for primary and additional authentication.

  4. In the Configuration section, enable or disable the types of authenticators your users can register, set the credential type (OTP or Passkey), and select the supported operating systems. The following authenticators and options are available:

    • RSA Authenticator App: Supports OTP and passkey credentials. Available on iOS and Android apps (OTP and passkey support), and on Windows and macOS (OTP support only).

    • RSA DS100: Supports OTP and passkey credentials.

    • Windows Hello: Supports passkey credentials.

    • Other FIDO2-Certified Authenticators: Support passkey credentials. To define which FIDO2-certified authenticators can be used for authentication, see Customize FIDO Authentication.

    • RSA SID 700: Supports OTP credentials.

    • OATH HOTP: Supports OTP credentials.

    • Deleting Authenticators: Enable or disable whether users can delete registered authenticators from My Page, for example, if they lose an authenticator or need to replace an existing one.

  5. Select the operating systems on which the users can register and use the RSA Authenticator app. If you disable (restrict) any operating system that was selected previously, the Grace Period For RSA Authenticator appears.
    For users who already have a registered RSA Authenticator on the operating system that you are disabling, configure a grace period by setting a Grace Period End Date. During this time, users can continue using the app on the disabled operating system for authentication.
    You can configure the grace period for a minimum of 1 day and a maximum of 30 days, and it will expire at midnight (UTC) on the specified end date.

    Note:  If the users do not migrate to a supported operating system before the grace period expires, authentication using the restricted (disabled) operating system will be blocked. The impacted users will receive email notifications prompting them to migrate to a supported operating system in the following scenarios: when you publish configuration changes, when users authenticate with the restricted operating system during the grace period, and when users attempt authentication after the grace period expires. Emails are triggered once every seven days when the user logs in. Notifications continue until the user migrates to a supported operating system or the grace period expires.

  6. Click the link in the Email Settings section to navigate to My Account > Company Settings > Email Notifications and configure CAS to automatically send a confirmation email to users when specific events occur.

  7. (Optional) To redirect users to a specific URL after they sign out of My Page, enter the URL in the Logout URL field.

    If you do not specify a URL, users are redirected to the My Page URL.

  8. To configure My Page for single sign-on in an unsolicited response flow, copy the Assertion Consumer Service (ACS) URL for Unsolicited Responses value into your identity provider configuration settings.

  9. Click Save.

Note:  The Authenticators tab will not be available to the end user (on My Page) if it is disabled by the administrator, or access is denied by the configured policy for Authenticators.

 

Set Up Enrollment and Recovery Settings

Enrollment Settings provide administrators the ability to generate a one-time code and to provide users with an enrollment URL to register their first authenticator device on RSA My Page.

Recovery Settings provide administrators the ability to activate a URL that allows users to recover their account if their authenticator is lost, stolen, damaged, or otherwise unusable.

Using the Validation Code Settings, you can set the attribute for the source of the email address and the validity duration of the code.

Before you begin 

  • Enable Authenticators under Access > My Page > Authenticators.

Procedure 

  1. In the Cloud Administration Console, click Access > My Page.

  2. Click the Enrollment and Recovery tab.

  3. Select Enable under Enrollment Settings to enable users to register their first authenticator via My Page. If you disable the Enrollment Settings, users will not be able to access their enrollment URL.

  4. Select Enable under Recovery Settings to enable users to recover their account if their authenticator is lost, stolen, damaged, or otherwise unusable. If you disable the Recovery Settings, users will not be able to recover their accounts in any of these cases.

    Note:  When SID700 and OATH hardware authenticators are reported as unusable, the authenticator and its seed will be deleted. To enable the user to register the hardware authenticator again, administrators will have to re-import its seed.

  5. In the Validation Code Settings section, follow these steps:

    1. Select the Source for Email Address, which corresponds to a user attribute. Then, select the validity period for the email address. The default validity time for the email address is set to 10 minutes, with the option to extend it to a maximum of 24 hours.

      To add a new attribute to this list, navigate to Users > Identity Sources, edit the required identity source, and go to the Attributes tab. Check the box in the Policies column next to the attribute you want to use. For more information, see Directory Server Attributes Synchronized for Authentication.

    2. In the SMS Phone and Voice Phone fields, you can set the validity period for SMS and Voice OTPs. The validity period can be set from 1 to 10 minutes.

      The SMS/Voice authentication feature is available as an add-on. For more information about ID Plus plans or to include this feature, please contact your RSA Sales Representative.

    Note:  Changing the validity period for SMS/Voice OTPs will also update the duration that SMS/Voice authentication codes remain valid, affecting both the enrollment process and the authentication flow.

  6. Click Save.

  7. Click Publish Changes.

 

Set Up Customization Settings

Customize My Page and all the sign-in pages using your company logo, display name, icon, color, background color, and background image that are specific to your organization and meaningful to your user audience. You can also customize the domain name of My Page URL. For more information, see Customize and Configure Domain Name.

Note:   The Customization Settings are available only for ID Plus E2 and E3 plans.

Procedure 

This is an optional procedure.

  1. In the Cloud Administration Console, click Access > My Page.

  2. Click the Customization tab.

  3. Provide a Page Title. This will act as the title on the browser when My Page is accessed. There is a default title that you can use. This field is required.

  4. Provide a Company Display Name. This will appear on all the sign-in pages.

  5. Specify the Accent Color for the title text (for example, Enter UserID and Password), the button (for example, Submit), and the footer bar, using a hexadecimal value (for example, #FF0000).

  6. Specify the Authentication Screen Background Color to change the background color of the entire authentication screen (for example, My Page sign-in screen and error screens) using a hexadecimal value (for example, #FF0000). If you do not specify a value, the default color will be white.

  7. Upload Favicon to be displayed on the browser for My Page and all the sign-in pages.
    If you do not specify an icon, the browser shows the RSA icon. To delete an existing icon, click the minus sign.

  8. Click Upload Logo and select your company logo to display on My Page and all sign-in pages.
    If no logo is uploaded, the RSA logo will appear by default on My Page and the sign-in pages. To remove an existing logo, click the minus icon.

  9. Upload Background Image. You can use this image to display your company’s Help Desk or other contact information.

  10. Enter a label and the corresponding URL for each link in the Custom Links fields. You can add up to four links to the sign-in page for quick access to external resources or important information.

  11. Enter a Disclaimer Text to display on the sign-in page. You can enter up to 2000 characters and include URLs.

    Note:  This text can include certain HTML tags, such as <a>, <b>, <div>, <em>, <i>, <p>, <span>, <strong>, and <u>. The <a> tag is allowed to have one attribute: href. The href value must be a valid URL.

  12. (Optional) To preview your customized settings, click Preview.

  13. Click Save.

  14. Click Publish Changes.
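
The Disclaimer Text constraints in step 11 can be checked before the text is pasted into the console. The following is an added example, not RSA code or part of the original page. The function names, treating the listed tags as the complete allowlist, counting markup toward the 2000-character limit, and reading "valid URL" as an absolute http(s) URL are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags listed in the Disclaimer Text note. The note says "such as", so treating
# the list as complete is an assumption of this example.
ALLOWED_TAGS = {"a", "b", "div", "em", "i", "p", "span", "strong", "u"}
MAX_CHARS = 2000  # assumption: the limit counts raw characters, markup included


def _is_http_url(value):
    # Assumption: "valid URL" means an absolute http(s) URL with a host.
    try:
        parts = urlsplit(value or "")
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


class _Checker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.problems = []

    def handle_starttag(self, tag, attrs):  # also called for <tag/> forms
        if tag not in ALLOWED_TAGS:
            self.problems.append(f"<{tag}> is not an allowed tag")
            return
        for name, value in attrs:
            if (tag, name) != ("a", "href"):
                self.problems.append(f"attribute {name!r} not allowed on <{tag}>")
            elif not _is_http_url(value):
                self.problems.append(f"href {value!r} is not a valid http(s) URL")


def check_disclaimer(text):
    """Return a list of problems; an empty list means the text passes."""
    checker = _Checker()
    if len(text) > MAX_CHARS:
        checker.problems.append(f"{len(text)} characters exceeds {MAX_CHARS}")
    checker.feed(text)
    checker.close()
    return checker.problems


# Constructed sample inputs, not taken from any real deployment.
GOOD = '<p>Authorized use only. See the <a href="https://example.com/policy">policy</a>.</p>'
BAD = '<p onclick="x()"><a href="javascript:void(0)" target="_blank">Help</a><script>1</script></p>'

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(check_disclaimer(sample) or "OK")
```
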

 

Enable OTP Authenticator Resynchronization

OTP hardware authenticators may become out of synchronization with the Cloud Access Service (CAS), preventing successful authentication. When this feature is enabled, users who are unable to authenticate can resynchronize their OTP hardware authenticators by entering the device’s serial number and two consecutive OTPs via the "sync" URL.

If resynchronization is disabled, users will no longer be able to access the "sync" link.

Procedure

  1. In the Cloud Administration Console, click Access > My Page.

  2. Click the Resync OTP Authenticators tab.

  3. Enable the Allow Resync of OTP Hardware Authenticators by an Unauthenticated User option.

  4. Click Save.

  5. Click Publish Changes.
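
Why resynchronization asks for two consecutive OTPs can be seen with the public OATH HOTP algorithm (RFC 4226). The following is an added example, not RSA's implementation or code from the original page. It covers only OATH HOTP, and the function names and the look-ahead window size are assumptions.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def resync(secret: bytes, server_counter: int, otp1: str, otp2: str,
           window: int = 50):
    """Look ahead from the server's counter for two consecutive matches.

    Returns the counter the server should expect next, or None when the pair
    is not found in the window (the stored counter must then stay unchanged).
    Requiring a pair keeps a guessed code from matching somewhere in a wide
    window, which a single 6-digit code would make far more likely.
    """
    for c in range(server_counter, server_counter + window):
        # Constant-time comparison of both submitted codes at c and c + 1.
        first = hmac.compare_digest(hotp(secret, c).encode(), otp1.encode())
        second = hmac.compare_digest(hotp(secret, c + 1).encode(), otp2.encode())
        if first and second:
            return c + 2  # both codes are consumed and cannot be replayed
    return None


# Constructed scenario using the RFC 4226 Appendix D test secret: the server
# still expects counter 0, but the device button was pressed three extra times.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    pair = hotp(SECRET, 3), hotp(SECRET, 4)
    new_counter = resync(SECRET, 0, *pair)
    print("resynchronized, next counter:", new_counter)
    print("replay of the same pair:", resync(SECRET, new_counter, *pair))
```
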