Connect RSA Authentication Manager to the Cloud Authentication Service
You can easily deploy and manage new mobile authentication methods for your RSA Authentication Manager users. These users will be able to access agent-protected resources using the RSA SecurID Authenticate app on their registered devices.
You can easily deploy and manage new mobile authentication methods for your RSA Authentication Manager users. These users will be able to access agent-protected resources using the RSA SecurID Authenticate app on their registered devices. You do not need to replace or update your existing agents or RSA Ready products.
You can use the RSA Authentication Manager Security Console to seamlessly connect Authentication Manager to the Cloud Authentication Service, and to invite users to download the RSA SecurID Authenticate app and register their devices using the cloud-based RSA SecurID Access My Page. After users complete registration, use the Security Console User Dashboard to monitor users' authentication activity and perform other user management tasks, such as enabling and disabling users and deleting registered authenticators. To configure the connection, perform these steps:
Note:If you upgraded Authentication Manager to version 8.5 and your deployment was connected to the Cloud Authentication Service, you must re-connect in order to use some version 8.5 features, such as the embedded identity router and High Availability Tokencodes. To re-establish your connection, see Edit the Cloud Authentication Service Connection.
Note:You do not need to enable RADIUS or single sign-on to connect Authentication Manager to the Cloud Authentication Service.
If you are deploying an embedded identity router in RSA Authentication Manager, you use a different procedure to connect to the Cloud Authentication Service and deploy the identity router. For instructions, see Configure an Embedded Identity Router.
After you deploy an identity router, the Cloud Authentication Service synchronizes users. Make sure your RSA Authentication Manager users are synchronized from external identity sources that are also synchronized to the Cloud Authentication Service.
Note: New users created in the Authentication Manager internal database, who have never had an assigned hardware or software token, are not supported for Approve, Device Biometrics, or Authenticate Tokencode authentication.
Configure an Access Policy to Protect Your Sensitive Resources
An access policy determines which users can access your agent-protected resources and which authentication methods they are required to use. This access policy controls access for all users who authenticate using the new connection. You can configure the policy to allow access to only selected users who meet certain criteria, or to allow all users. For example, you can restrict access only to users who use a certain network or who work in certain departments. For more information, see Access Policies and Add an Access Policy.
If you using RSA Authentication Manager 8.5 with REST protocol authentication agents, such as RSA Authentication Agent 8.0 or later for PAM, MFA Agent 2.0 or later for Microsoft Windows, and RSA Authentication Agent 2.0 or later for Microsoft AD FS, you can configure Authentication Manager as a proxy server. Authentication Manager always validates RSA SecurID tokens and on-demand authentication, but sends other multifactor authentication requests directly to the Cloud Authentication Service. With this configuration, assurance levels must contain one of your licensed authentication methods. The assurance level must be specified in the access policy you plan to use.
If your authentication agents use the UDP protocol, or if you are using RSA Authentication Manager 8.4 with Patch 4 or later, and not using RSA Authentication Manager 8.5 as a secure proxy server, confirm that your Cloud Authentication Service deployment meets these criteria:
At least one assurance level must contain Authenticate Tokencode, Approve authentication, or Device Biometrics. For information, see Assurance Levels.
If a user device does not support Device Biometrics, then the user is prompted for Approve authentication if it is allowed by the assurance level.
Authentication Manager does not support assurance levels that combine two forms of authentication. For example, the assurance level cannot require both RSA SecurID Token and Approve, but the assurance level can require only one of those options.
The assurance level must be specified in the access policy you plan to use.
For example, this sample policy allows access to all users who authenticate with Approve and Authenticate Tokencode, which are configured as low assurance level options, and also Device Biometrics, which is configured as a medium assurance level option.
Note:You can edit settings within the access policy at any time without reconfiguring the connection. However, if you decide to rename the policy or if you select a different policy at a later date, you must reconnect Authentication Manager to the Cloud Authentication Service.
Enable My Page and Select an Access Policy to Protect My Page
RSA SecurID Access My Page is a web portal that helps provide a secure way for users to complete device registration and delete their devices (if necessary). By default, My Page is disabled. You must enable it in Platform > My Page before users can use My Page. You must also select the primary authentication method and access policy to use for additional authentication for signing into My Page. This policy must meet the following criteria:
Specify an identity source that is configured for both Authentication Manager and the Cloud Authentication Service.
Require an authentication method your Authentication Manager users can provide when they access My Page. For example, LDAP password or RSA SecurID Token.
Generate the Registration Code and Registration URL
In the Cloud Administration Console, generate the Registration Code and Registration URL as described in Connect Authentication Manager to the Cloud Authentication Service. The code is valid for 24 hours. You can either copy this information to a text file now and save it for later, or leave this window open so that you can copy this information when you configure the connection from the wizard-based interface in the Security Console.
Step 2: Set User Expectations for Authenticator Registration and Authentication
Your RSA SecurID token users must learn how to access protected resources using the new authentication methods. You must educate these users to ensure that the onboarding process goes smoothly and that users know exactly what to expect when they register authenticators and authenticate for the first time. You can provide customized instructions to your users in the e-mail template as described in Customize the Cloud Authentication Service Invitation.
What Happens During Authenticator Registration
Users complete authenticator registration with the RSA SecurID Authenticate app (on a phone, tablet, or desktop or PC) to authenticate to protected applications.
Authenticator registration binds the authenticator to the user. After registration, when the user needs to authenticate to an application, RSA SecurID Access prompts the user for PIN+Approve, PIN+Device Biometrics, or Authenticate Tokencode. Users who do not register an authenticator using the Authenticate app are not presented with authentication methods that require the app. For a description of how authenticator registration works and what users experience, see Educating Your Users on RSA Link.
What Happens During Authentication
Users can access agent-protected resources with the following methods:
When RSA Authentication Manager 8.5 is configured to act as a proxy server for the Cloud Authentication Service, users can authenticate with the additional methods that are supported by their REST protocol authentication agents. If Authentication Manager cannot communicate with the Cloud Authentication Service, users are prompted for Authenticate Tokencode.
Users can access agent-protected resources with multifactor authentication using the methods specified by the access policy. They are prompted to authenticate with a method that is based upon their assurance level. For more information, see How Assurance Levels Are Used During Authentication.
The first option listed for an assurance level on the Assurance Levels page is presented as the default for each new user when he or she authenticates to an application or client assigned to that assurance level for the first time. A user can select another option at any time, as long as the assigned assurance level or a higher assurance level contains additional options that the user can complete. When a user successfully authenticates with an option, that option becomes the user's default for future authentications for that assurance level.
Approve (Push Notifications)
To use the Approve method, the user attempts to access the application and is prompted to enter a passcode. The user enters the PIN, then taps a button on an Authenticate device. The user can also tap an interactive notification on the device or on an Apple Watch or Android Wear watch paired to the device. The user must respond within one minute. Otherwise, the method times out and is considered a failed authentication.
Note:The PIN required for Approve authentication is different from the PIN that may be required to unlock the Authenticate Tokencode in the app.
Device Biometrics allows users to authenticate to applications using biometrics available on devices, such as Apple Touch ID or Face ID, Android fingerprint, or Windows Hello. To use Device Biometrics, users must first set up biometrics on their devices. RSA SecurID Access does not force users to do this.
To use Device Biometrics on Windows 10 PCs, Windows Hello must be enabled. Also, keep in mind that users can sign in using a Hello PIN.
To use Device Biometrics, the user attempts to access the application and is prompted to authenticate. The user enters a PIN, and then uses a biometric method to authenticate.
Note:The PIN required for Device Biometrics authentication is different from the PIN that may be required to unlock the Authenticate Tokencode in the app.
RSA SecurID Authenticate Tokencode
Similar to RSA SecurID Tokens, RSA SecurID Authenticate Tokencode employs a one-time, randomly generated number called a tokencode. The RSA SecurID Authenticate Tokencode app generates the tokencode on a registered device. The tokencode, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires. These tokencodes display for one minute, but are valid for up to five minutes after they are generated and displayed on a user's device.
A PIN may be required to unlock Authenticate Tokencode in the app, but Authenticate Tokencode does not require a PIN during authentication. This method cannot be used for offline authentication.
Using PINs During the First Approve or Device Biometrics Authentication
The following table describes what users must enter during their first authentication using Approve or Device Biometrics.
Note:After the initial Approve or Device Biometrics authentication, an RSA SecurID Token user can change the PIN used for Approve and Device Biometrics to be different from the RSA SecurID PIN(s). The same PIN must be used for both Approve and Device Biometrics authentication.
What the User Has
User Action During First Approve or Device Biometrics Authentication
One valid RSA SecurID Token and PIN
The user enters the RSA SecurID PIN, then taps Approve or authenticates with Device Biometrics.
Multiple valid RSA SecurID Tokens and PINs
The user enters one PIN associated with any valid, assigned RSA SecurID token, then taps Approve or authenticates with Device Biometrics.
Valid RSA SecurID Token and expired PIN
The user enters the expired PIN and is prompted to change the PIN, then taps Approve or authenticates with Device Biometrics. Or the user can reset the RSA SecurID PIN before device registration, then use that RSA SecurID PIN during device registration.
The new PIN applies to Approve and Device Biometrics authentication. To use the RSA SecurID Token, the user must create a new PIN for the token.
No valid RSA SecurID Token or PINs (for example, RSA SecurID Token expired)
The user enters the Authenticate Tokencode from his or her registered device, is prompted to create a new PIN, then taps Approve or authenticates with Device Biometrics.
Valid PIN for on-demand authentication (ODA)
The user enters the PIN and is issued one-time tokencodes because ODA has priority over other types of authentication.
Note:It is important to tell your users that, in all cases, the PIN they enter during the first Approve or Device Biometrics authentication will be required in future Approve or Device Biometrics authentications.
License Impact After Authentication
After a user successfully authenticates using either an Authenticate Tokencode, Approve, or Device Biometrics, the RSA SecurID Authenticate app is listed in the User Dashboard as one of the user's assigned tokens. If the user does not have an another assigned authenticator in Authentication Manager, the license count increases by one. If the users already had another assigned authenticator in Authentication Manager, the license count is not increased.
License Impact for High Availability Tokencode
RSA Authentication Manager 8.5 allows Authenticate Tokencode authentication to continue when the Cloud Authentication Service or the connection is temporarily unavailable or too slow. Users who authenticate with other methods that are supported by the Authenticate app, such as Approve and Device Biometrics, are prompted for Authenticate Tokencode.
This feature creates token records for every user who has a registered authenticator with the Authenticate app. Make sure that your Authentication Manager license supports these additional users.
Support for Users Prior to Authentication Manager 8.4 Patch 4
After you connect Authentication Manager 8.4 Patch 4 or later to the Cloud Authentication Service, users who installed the RSA SecurID Authenticate app and registered devices with the Cloud Authentication Service prior to Patch 4 can use Approve authentication if allowed by the access policy. After Patch 9 is applied, these users can also use Device Biometrics authentication if allowed by the access policy. Patch 4 or later allows you to manage these existing users in the Security Console User Dashboard.
Step 3: Connect to the Cloud Authentication Service
The easiest way to connect RSA Authentication Manager to the Cloud Authentication Service is by starting the wizard from the Security Console Home page. After you finish, invited users will be able to download the RSA SecurID Authenticate app, register their devices, and access agent-protected resources.
RSA Authentication Manager connects to the Cloud Authentication Service on port 443. No in-bound connections from the Cloud Authentication Service to Authentication Manager are required.
Before you begin
Confirm that your network infrastructure allows the Authentication Manager server to connect to the Cloud Authentication Service Registration URL. You might need to change your network configuration.
Confirm that all of the primary and replica instances in your deployment can connect to the Cloud Authentication Service IP addresses assigned to your region. See Test Access to Cloud Authentication Service for the list of addresses.
Confirm that the Manage Cloud Authentication Service Users permission is enabled on the General Permissions tab in the Security Console for your Help Desk Administrators. This permission allows these administrators to view and manage Cloud Authentication Service users in the Security Console User Dashboard. For more information, see Edit Permissions for an Administrative Role.
Verify that you have met the requirements for configuring the connection. Click Next.
Do the following:
Copy and paste the Registration Code and the Registration URL from the Cloud Administration Console or from a text file into the connection wizard.
(Optional) If Authentication Manager is behind an external firewall, you can configure an HTTP proxy server. Click Configure a Proxy Connection:
In the Proxy Host field, enter the hostname of the proxy server. For example, example.com.
In the Proxy Port field, enter the port used by the proxy server.
In the Proxy Username field, enter the unique username for the proxy server.
In the Proxy Password field, enter the unique password for your proxy server.
Keep the Enable Cloud Authentication checkbox selected, and click Next.
When enabled, all authentication agents that previously required an RSA SecurID token will allow users to authenticate using both RSA SecurID Tokens and the RSA SecurID Authenticate app. You can manage Cloud users from the Security Console.
You can use RSA Authentication Manager as a secure proxy server that sends authentication requests directly to the Cloud Authentication Service. By default, this feature is enabled when you connect to the Cloud Authentication Service or upgrade to RSA Authentication Manager 8.5 after connecting to the Cloud Authentication Service with version 8.4 Patch 4 or later.
The Send Multifactor Authentication Requests to the Cloud checkbox is selected by default.
After the connection succeeds, keep the window open. Go to the RSA SecurID Access My Page URL. You can register a device and test cloud-based authentication. Return to the Security Console, and click Next.
You can invite users to download the Authenticate app and register devices. After registration, users can access your protected resources with the supported authentication methods.
To invite users later, click No, Invite users later. The next page displays the procedure for inviting users later.
To invite users now, click Yes, Invite more users.