Protect the Cloud Administration Console with Additional (Step-Up) Authentication
All administrators sign in to the Cloud Administration Console using their passwords configured in My Account > Profile, but you can protect the console with additional (step-up) authentication such as a tokencode or push notification (Approve). After you enable additional authentication, the console is automatically configured as a SAML service provider, while Cloud Access Service (CAS) acts as the SAML identity provider.
Note: If no Super Admins in your company can provide the required authentication credentials to access the console, RSA Customer Support can temporarily disable the additional authentication requirement, allowing administrators to gain access using only their passwords. RSA sends all Super Admins an email notification after additional authentication has been disabled.
Before you begin
- You must be a Super Admin for the Cloud Administration Console.
- Confirm that each administrator who uses the Cloud Administration Console has two accounts: a user account in an identity source that is synchronized with CAS, and an administrator account in the Cloud Administration Console. Both accounts must use the same email address. To add an administrator to the console, see Add, Edit, or Delete an Administrator in the Cloud Administration Console.
Procedure
- Verify that the identity source containing the administrator accounts is synchronized, ensuring that the administrators' identity information is available to CAS. You can click Users > Management to see if specific administrators have been synchronized.
  Note: After identity source synchronization, administrators continue to sign in to the Cloud Administration Console using the passwords configured in My Account > Profile. Identity source passwords are never used to access the console.
- Add an access policy to configure the console authentication requirements. For instructions, see Add, Clone, or Delete an Access Policy. The policy must meet these criteria:
  - Include the identity source containing the administrators' accounts.
  - Allow you to access the console.
  - Not include FIDO in the selected assurance level or higher levels. FIDO is not supported for protecting the console.
- Make sure all administrators are enrolled to use the authenticators they need to access the console. For example, each person might need an RSA supported Hardware Authenticator or the RSA Authenticator app installed on a registered device. These authenticators must be specified in the access policy.
- Enable additional authentication for the console and select an access policy.
  - In the Cloud Administration Console, click My Account > Company Settings and select the Sessions & Authentication tab.
  - In the Additional Authentication field, set the toggle to Enabled.
  - In the 1.0 Access Policy for Additional Authentication field, select a 1.0 policy to enforce additional authentication requirements for the console.
  - Click Save Settings.
- Click Publish Changes to activate the settings. Additional authentication is required immediately after you publish.
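A pre-flight check for the prerequisites in this procedure, as an added example that is not RSA code: it flags administrators without a same-email synchronized user, administrators with no enrolled authenticator that the policy specifies, FIDO at the selected level or higher, and the case where no Super Admin would pass. The record layout, assurance-level names and sample data are constructed, and it assumes a method at a higher level also satisfies the selected level.

```python
# Added example. Field names, level names and sample records are constructed;
# this is not an RSA export format or API.
LEVELS = ["Low", "Medium", "High"]  # assumed assurance levels, lowest first

POLICY = {"identity_sources": ["corp-ad"], "selected_level": "Medium",
          "methods": {"Low": ["Password"], "Medium": ["Approve", "Tokencode"],
                      "High": ["FIDO"]}}
ADMINS = [{"email": "alice@example.com", "role": "Super Admin"},
          {"email": "bob@example.com", "role": "Super Admin"},
          {"email": "carol@example.com", "role": "Admin"}]
SYNCED_USERS = {  # keyed by the email shown for the synchronized user
    "alice@example.com": {"identity_source": "corp-ad", "enrolled": {"Approve"}},
    "Bob@Example.com": {"identity_source": "corp-ad", "enrolled": {"Tokencode"}},
    "carol@example.com": {"identity_source": "corp-ad", "enrolled": {"FIDO"}},
}

def usable_methods(policy):
    """Methods at the selected assurance level and every higher level."""
    start = LEVELS.index(policy["selected_level"])
    return {m for lvl in LEVELS[start:] for m in policy["methods"].get(lvl, [])}

def preflight(admins, synced_users, policy):
    """Return (findings, super_admins_ready) for the prerequisites above."""
    findings, ready = [], []
    methods = usable_methods(policy)
    if "FIDO" in methods:
        findings.append("policy: FIDO at the selected level or higher")
    folded = {e.casefold(): e for e in synced_users}
    for admin in admins:
        email = admin["email"]
        user = synced_users.get(email)  # exact match; case-only drift is flagged
        if user is None:
            near = folded.get(email.casefold())
            hint = f" (synchronized as {near!r})" if near else ""
            findings.append(f"{email}: no synchronized user with this email{hint}")
        elif user["identity_source"] not in policy["identity_sources"]:
            findings.append(f"{email}: identity source not in the policy")
        elif not user["enrolled"] & (methods - {"FIDO"}):
            findings.append(f"{email}: no enrolled authenticator in the policy")
        elif admin["role"] == "Super Admin":
            ready.append(email)
    if not ready:
        findings.append("no Super Admin passes; publishing would need RSA support to undo")
    return findings, ready

if __name__ == "__main__":
    problems, ready = preflight(ADMINS, SYNCED_USERS, POLICY)
    print("\n".join(problems) or "no findings")
    print("Super Admins ready:", ready)
```

Run it against your own exported lists before you click Publish Changes; an empty findings list with at least one ready Super Admin means the prerequisites in this procedure are met for the data supplied.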