Prioritize Approve and Device Biometrics Authentication for On-Demand Authentication Users

After you use the Security Console wizard to connect AM to Cloud Access Service (CAS), on-demand authentication (ODA) users can have the same PIN for authenticating with ODA, Approve, and Device Biometrics. When these ODA users enter their PINs, they are issued one-time tokencodes because ODA has priority over other types of authentication.

RSA Authentication Manager 8.4 Patch 7 or later allows you to prioritize Approve authentication for these ODA users, and Patch 9 extends this functionality to Device Biometrics authentication. When ODA users enter their PINs, they are prompted for Approve or Device Biometrics authentication.

Before you begin 

Obtain the rsaadmin operating system password.

Procedure 

1. Log on to the appliance using an SSH client.
2. When prompted for the user name and password, enter the operating system User ID, rsaadmin, and the operating system account password.
3. Change directories:

   cd /opt/rsa/am/utils

4. To add the parameter that lets you specify whether ODA has priority over other types of authentication, enter:

   ./rsautil store -o admin -a add_config auth_manager.cas.authentication.runtime.precedence.enabled false GLOBAL 500

5. To prioritize Approve or Device Biometrics authentication for ODA users, enter:

   ./rsautil store -o admin -a add_config auth_manager.cas.authentication.runtime.precedence.enabled true GLOBAL 500

6. Restart the services on the primary instance. If there are replica instances, restart the services after replication is complete.
   1. Change directories:

      cd /opt/rsa/am/server

   2. Run the following:

      ./rsaserv restart all