Configuring Auth Manager 7.1 to pull email address/phone number from AD for on-demand tokens
Originally Published: 2008-10-07
Article Number
000060688
Applies To
Authentication Manager 7.1
7.1
Active Directory
LDAP
Resolution

First, add an identity attribute definition

1.  Log on to the Security Console.

2.  Click Identity > Identity Attribute Definitions > Add New.

In the Attribute Name field, enter a unique attribute name, for example, SMSPhoneNumber. The attribute name is a user-friendly name for the value mapped from the directory. It is the name that you will see in the RSA Security Console on the Add User and Edit User pages. The attribute name must not exceed 255 characters.

3.  Optional. In the Category field, specify the category to which this attribute belongs. The drop-down menu displays categories that are defined on the Identity Attribute Categories page. If you do not specify a category, the default category is Attributes.

4.  Optional. In the Entry Type field, indicate if the new attribute field is Optional, Required, or Read-Only. Optional and required attributes can be edited. If an attribute is required, you must enter a value for it when you add the user in order to save the user's record.  If the attribute is stored in the internal database, leave this field blank. 

Important: Your administrative permissions determine whether you can specify attributes for a user. On the Add Users and Edit Users pages, you can only specify attributes that your role permits you to modify, even if the attribute is required. If you do not have permission to edit a required attribute, you cannot add the user.

5.  Optional. In the Notes field, enter important information about the identity attribute definition. You can enter up to 255 characters.

6.  From the Data Type drop-down list, select the type of data you want to store in the new attribute.

7.  Optional. In the Predefined List Entries fields, create a list of predefined values for administrators to select from when adding or editing a user record. Click Add to add each value you define to the list. The values you add will display in a drop-down list on the Add and Edit User pages.

8.  In the Value field, enter the value that you want passed to the data store when each label is selected.  For example, suppose you add an attribute called Location, with a data type equal to string. If you have locations in Boston, New York, and San Jose, you might enter those locations in the Value field.

9.  Optional. Select Stored Internally if the attribute is in the internal database schema. When selected, this attribute applies to all users stored in the internal database. This attribute only applies to the realm associated with the internal database. This attribute is mapped to the physical name of the attribute in the internal database. You cannot change the attribute mapping once you save the attribute.

10.  Optional. In the Tooltip field, specify text to use as a rollover tooltip. Make sure the text is descriptive enough to help the administrator who is entering data on the Add User or Edit User pages.

11.  Optional. If you want to allow the attribute to have more than one value, select Multi-Value. Boolean and Date attributes cannot store more than one value.

12.  Optional. Select Use for Scope Restriction if you want to limit the scope of an administrative role based on the value of this attribute.

13.  In the System IS or AD-STORE field, enter the physical name of the attribute in the identity source schema. If this attribute does not map to a specific identity source, leave it blank.

14.  Click Save and Add Another.  Repeat this process to also add an identity attribute definition for the email address field you want to map.

Next, configure Authentication Manager for on-demand tokencode authentication

1.  Click Setup > Component Configuration > Authentication Manager > On-Demand Tokencodes.

2.  Select the Delivery by SMS checkbox to enable on-demand tokencode delivery to users' cell phones.

3.  If you selected Delivery by SMS, from the User Attribute to Provide SMS Destination drop-down menu, select the attribute that provides the cell phone numbers used to deliver on-demand tokencodes to users.  For example, this attribute may be a custom identity attribute that you create with the RSA Security Console or an LDAP attribute that you have mapped to an RSA attribute.

4.  Optional. If you selected Delivery by SMS, from the Default Country Code drop-down list, select a country code to prepend to the destination cell phone numbers.  Country codes are required for all on-demand tokencode destination cell phone numbers. Only select a country code if the cell phone numbers to which you send on-demand tokencodes are not already stored with country codes.

5.  If you selected Delivery by SMS, configure the following fields:

  • In the API ID field, enter the API ID provided to you by your service provider.
  • In the Account User Name field, enter the user name for your SMS service provider account. This is provided by your service provider.
  • In the Account Password field, enter the password for your SMS service provider account. This is provided by your service provider.
  • Optional. In the HTTP Proxy Hostname field, if your HTTP traffic is routed through a proxy server, enter the proxy hostname.
  • Optional. In the HTTP Proxy Port field, if your HTTP traffic is routed through a proxy server, enter the proxy port.

6.  Optional. Click Test SMS Provider Integration to test the integration with your SMS service provider. Note that all your changes are saved before the test is conducted.

7.  Select the Delivery by E-mail checkbox to enable on-demand tokencode delivery to users' e-mail addresses.

8.  If you selected Delivery by E-mail, from the User Attributes to Provide E-mail Destination drop-down menu, select the attribute that provides the e-mail addresses used to deliver on-demand tokencodes to users.

9.  If you selected Delivery by E-mail, configure the email server connection.  You must do this for each instance in your deployment.

10.  If you selected Delivery by E-mail, in the On-Demand Tokencode Message field, enter the text you want to appear in the e-mail message that contains the on-demand tokencode.

11.  You must leave the $OTT variable in the message. The on-demand tokencode is inserted in place of this variable.

12.  In the On-Demand Tokencode Lifetime field, enter the length of time that on-demand tokencodes are valid after they are delivered to the user.

13.  Click Save.
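Before enabling delivery, it is worth auditing the directory values that the mapped attributes will pull in: a user with no phone or e-mail value cannot receive a tokencode, and the Default Country Code field (step 4 above) must only be set when numbers are not already stored with a country code. The following is an added example, not part of the article or of RSA's product; it runs over constructed sample records and assumes the AD attributes are named mobile and mail, which the article does not specify.

```python
import re

# Constructed sample of AD user records (as exported by an LDAP query).
# The AD attribute names "mobile" and "mail" are assumptions; the article
# names only the RSA-side attribute definitions (e.g. SMSPhoneNumber).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "mail": "alice@example.com", "mobile": "+1 617 555 0100"},
    {"sAMAccountName": "bob", "mail": "bob@example.com", "mobile": "617-555-0101"},
    {"sAMAccountName": "carol", "mobile": "0044 20 7946 0000"},
]

def has_country_code(number):
    """True if the stored number already carries a country code
    (E.164 '+' prefix or a leading international access '00')."""
    digits = re.sub(r"[\s\-().]", "", number)
    return digits.startswith("+") or digits.startswith("00")

def audit_otp_attributes(users, phone_attr="mobile", mail_attr="mail"):
    """List users who cannot receive an on-demand tokencode by SMS or e-mail,
    and say how the Default Country Code field should be set: the article
    says to select one only when numbers are NOT already stored with one."""
    r = {"missing_phone": [], "missing_mail": [], "with_cc": [], "without_cc": []}
    for u in users:
        name = u["sAMAccountName"]
        if not u.get(phone_attr):
            r["missing_phone"].append(name)
        elif has_country_code(u[phone_attr]):
            r["with_cc"].append(name)
        else:
            r["without_cc"].append(name)
        if not u.get(mail_attr):
            r["missing_mail"].append(name)
    if r["with_cc"] and r["without_cc"]:
        # Prepending a default code would corrupt the numbers that already have one.
        r["recommendation"] = "mixed: normalise numbers in AD before enabling SMS"
    elif r["without_cc"]:
        r["recommendation"] = "set Default Country Code"
    else:
        r["recommendation"] = "leave Default Country Code blank"
    return r

if __name__ == "__main__":
    for key, value in audit_otp_attributes(SAMPLE_USERS).items():
        print(f"{key}: {value}")
```

In a real deployment, feed the function the result of an LDAP search over the same identity source that the RSA attribute definitions are mapped to.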