Configure Company Information and Certificates

Configure settings that affect your entire deployment. These settings include:

• Configure Secure Sockets Layer (SSL) private keys and certificates to protect the Application Portal.

• Define a Protected Domain Name for SSO Agent deployments.

• Disable or enable the following settings:

  • Data collection for identity confidence and location.

  • Disable the Remember This Browser prompt during authentication

  • Saving of the last used primary authentication method per policy

  • Agent inventory data collection

  • Mobile Lock for threat detection on mobile devices

Note:  The Company Information page displays the Customer Site ID, which is required when you register with RSA Customer Support.

Certificate Requirements

Certificates are required in either of the following situations:

• The IDR SSO Agent is enabled on the identity router.

• Cloud Access Service (CAS) is integrated with Authentication Manager 8.4 Patch 3 or earlier.

Procedure 

1. In the Cloud Administration Console, click My Account > Company Settings and select the Company Information tab.

2. In the Protected Domain Name field, enter the Protected Domain Name value from your Quick Setup Guide. This is a unique domain name for your deployment, such as sso.example.com. Deployments that use the IDR SSO Agent must have a protected domain name in order to publish changes to the identity router.

   Note:  Protected Domain Name value is required only for IDR proxied applications (HTTP Federation Proxy, Trusted Header, and NTLM).

   

3. Upload the following files:

   • The Private Key that matches the public certificate. Ensure that the private key is not password protected.

   • The Public Certificate that was issued from the certificate authority (CA) for your domain.

   • The Certificate Chain that was provided by the CA, which is valid for your public certificate.

     Note:  Keys and certificates are required only for IDR proxied applications (HTTP Federation Proxy, Trusted Header, and NTLM).

   

4. In the Organization ID field, enter the Organization ID that users provide when registering the RSA Authenticator app on their devices. The first time you sign in to the Cloud Administration Console and access your account information, this field is preconfigured. Edit this field to your company specifications.
   Do not exceed 255 characters. Use only alphanumeric characters with no spaces. This value must be unique across all RSAcustomers.

   Note:  If you change the Organization ID, you must instruct users to provide the new value when registering the RSA Authenticator app. Authenticators that are already registered are not affected.
   

5. When used in access policies, the Identity Confidence attribute allows RSA to establish high or low confidence in a user's identity based on data it has collected about the user over a period of time. RSA recommends that you leave data collection enabled. However, if required by your company, you can disable Identity Confidence Collection to prevent CAS from collecting this data from users during authentication. Do not use the Identity Confidence attribute in access policies when this field is disabled. For more information, see Identity Confidence.

   Identity Confidence Collection and Identity Confidence Threshold Adjustment fields are available with the ID Plus E3 plan and can be added as an add-on for the ID Plus E1 and E2 plans.

   Note:  The identity confidence attribute requires location data collection to be enabled to provide the most accurate results.

6. By default, RSA collects location data from users using HTML5 geolocation. This data is used by the Trusted Location, Identity Confidence, and Country attributes to evaluate users' authentication requirements when they try to access protected resources. RSA recommends that you leave data collection enabled. However, if required by your company, you can disable Location Collection during authentication.

   Note:  When disabled, do not use the Trusted Location in access policies and be aware that the location calculations for the Country and Identity Confidence attributes are less accurate.

7. By default, CAS prompts users to click Remember This Browser during authentication. Disabling the prompt has the following impact:

   • Users are never prompted to click Remember This Browser during authentication.

   • CAS ignores the Known Browser attribute in access policies and always assumes the browser is unknown, even if it was previously "known."

     Note:  If you disable this prompt, you should also remove the Known Browser attribute from access policies.

8. When you enable the Primary Authentication Preference setting, a user's last successfully used primary authentication method and its associated policy will be stored as the preferred method in a browser cookie. Therefore, a user will be prompted to use the same saved primary authentication method when they authenticate again. If you disable this setting, the default authentication method specified in a policy will be presented to users.
9.  RSA Mobile Lock detects critical threats to a mobile device and restricts the user’s ability to authenticate until the threat issue is resolved. For more information, see RSA Mobile Lock. If you have requested this add-on feature, in the Mobile Lock section, you can create your account for the RSA Mobile Lock Console as follows:
   
   • In the Valid Corp Email ID field, your email address or corporate email ID will be automatically displayed. If the email address or corporate email ID is not a valid one, you can update it. Then, click Send OTP to receive a passcode via your email address. In the One Time Passcode field, enter the passcode that was sent to your email and click Verify.
     After you verify your corporate email ID, click Create. you will receive an email from Zimperium, RSA Partner for delivering the RSA Mobile Lock capability, to activate your account and set your password.

   • Click Confirm if you can access the RSA Mobile Lock Console using your account successfully.

   • Click Enabled. By default, this setting is disabled.

   Please note the following:

   • You can access the RSA Mobile Lock Console before enabling the Mobile Lock feature for your account to review or configure your settings prior to enabling this feature for users.

   • When the Mobile Lock feature is enabled for the first time, you need to click the Publish Changes button in the Cloud Administration Console to apply the new configuration settings to your account and complete the Mobile Lock activation. For more information on RSA Mobile Lock, see the following links:

     • RSA Authenticator for iOS and Android Administrator Guide - Mobile Lock

     • Mobile Lock: Technical FAQs

10. The Unified Directory is a new user identity store for CAS that will enable full Cloud-only deployments in the future. RSA Unified Directory has the ability to create and store local users and their passwords using the open standard System for Cross-domain Identity Management (SCIM) API. Administrators can add and manage local users from the Cloud Administration Console. In the Cloud Administration Console, administrators can upload a CSV file to import new users. Users can manage themselves using the My Page self-service portal. Local user passwords are completely validated within CAS and are optional. For details on user provisioning using SCIM API, see User Provisioning Using SCIM API.
    
11. Click Save Settings.