Configure High Availability OTP

If Cloud Access Service (CAS) cannot be reached because the connection is temporarily unavailable or too slow, RSA Authentication Manager (AM) can use downloaded High Availability OTP records to prompt users for an Authenticate Tokencode. When High Availability OTP is enabled, users who authenticate with methods supported by the RSA Authenticator app, such as Approve and Device Biometrics, are prompted for an Authenticate Tokencode or RSA SecurID passcode. This feature does not support forwarding RADIUS authentication to CAS or authentication to SaaS applications.

Before you begin 

When High Availability OTP is enabled, AM creates a new authenticator record for these users. This does not increase license usage in AM. CAS authenticators are not counted against the AM license.

Procedure 

  1. Connect RSA Authentication Manager to Cloud Access Service.

    You must have either a direct connection between AM 8.5 or later and CAS, or a connection that uses the embedded identity router in AM. This feature does not support a connection that uses identity routers on platforms in your on-premises network or in the Amazon Web Services cloud.

  2. Make sure that the CAS mapping for Primary Username and the AM mapping for UID point to the same attribute in the identity source.
  3. Enable High Availability OTPs in Cloud Administration Console:
    1. In the Cloud Administration Console, click Platform > Authentication Manager.
    2. In the High Availability OTP field, click Enable.
    3. Click Publish Changes to apply the configured settings.