Configure High Availability Tokencodes

If the Cloud Authentication Service cannot be reached because the connection is temporarily unavailable or too slow, RSA Authentication Manager can use downloaded High Availability Tokencode records to prompt users for Authenticate Tokencode. Users who authenticate with methods that are supported by the Authenticate app, such as Approve and Device Biometrics, are prompted for Authenticate Tokencode or SecurID authentication. This feature does not support forwarding RADIUS authentication to the Cloud Authentication Service or authentication to SaaS applications.

Before you begin

License usage does not increase for users who already have a registered authenticator.


  1. Connect RSA Authentication Manager to the Cloud Authentication Service.

    You must have either a direct connection between RSA Authentication Manager 8.5 or later and the Cloud Authentication Service or a connection that uses the embedded identity router in Authentication Manager. This feature does not support a connection that uses identity routers on platforms in your on-premises network or in the Amazon Web Services cloud.

  2. The Cloud Authentication Service mapping for Primary Username and Authentication Manager mapping for UID must point to the same attribute in the identity source. When the Cloud Authentication Service sends token records to Authentication Manager, Authentication Manager uses the securIDUsername field from the token records to find users in the identity source that is synchronized to the Cloud Authentication Service.
  3. Enable High Availability Tokencodes in the Cloud Administration Console:
    1. In the Cloud Administration Console, click Platform > Authentication Manager.
    2. In the High Availability Token field, click Enable.
    3. Click Publish Changes to apply the configured settings.