Deploying an Authentication Agent That Uses the REST Protocol

An authentication agent that uses the REST protocol securely passes user authentication requests to and from the SecurID Authentication API. Unlike authentication that use the UDP protocol, authentication agents that use the SecurID Authentication API do not require or use a node secret or the Authentication Manager configuration file sdconf.rec.

Before a REST-based authentication agent can communicate with SecurID Authentication API, you must deploy the agent.

Before you begin

  • Configure the SecurID Authentication API for Authentication Agents.

  • Determine whether the authentication agent is restricted or unrestricted:

    • Unrestricted agents. Unrestricted agents process all authentication requests from all users in the same deployment as the agent.

      However, to allow a user to authenticate with a logon alias, the user must belong to a user group that is associated with the logon alias and that is enabled on the unrestricted agent.

    • Restricted agents. Restricted agents process authentication requests only from users who are members of user groups that have been granted access to the agent.

      Users who are not members of a permitted user group cannot use the restricted agent to authenticate. Resources protected by restricted agents are considered to be more secure because they process requests only from a subset of users.


  1. In the Security Console, click Access > Authentication Agents > Add New.

  2. From the Security Domain drop-down menu, select the security domain to which you want to add the new agent.

  3. Under Authentication Agent Basics, do the following:

    1. For Hostname, enter a new hostname for the agent host or a logical name for the agent.

      If you entered a hostname, click Resolve IP. The IP address is automatically entered. If you enter a new name, the name must be unique.

    2. (Optional) In the IP Address field, enter the IP address of the agent.

      If you use an existing server name, this field is automatically populated and read-only. If no address is specified, UDP agents will use auto-registration to provide the address to the server.

    3. (Optional) In the Alternate IP Addresses field, enter alternate IP addresses for the agent.

      You enter alternate IP addresses if the agent has more than one network interface card, or is located behind a static network address translation (NAT) firewall.

      If you use an existing server name, this field is automatically populated and read-only.

  4. (Optional) Under Authentication Agent Attributes, you can select the following options:

    • To specify the type of agent, select the type from the Agent Type list.

      If the agent is a web agent, select Web Agent, otherwise keep the default selection Standard Agent. The populated agent types are labels, there is no functional difference by choosing Web Agent or Standard Agent.

    • To disable the agent, select Agent is disabled.

      You might select this option to stop access to a resource temporarily.

    • To add a restricted agent, select Allow access only to members of user groups who are granted access to this agent.

      Only users who are members of user groups that have permission to access a restricted agent can use this agent to authenticate. Any user can use an unrestricted agent to authenticate.

  5. If your authentication agent supports trusted realm authentication or risk-based authentication, you can select Enable Trusted Realm Authentication or Enable this agent for risk-based authentication. If your authentication agent does not support these features, then selecting or clearing these checkboxes has no effect on the agent.
  6. Click Save.

    Note: If the hostname is not a fully qualified host name or the IP address is not specified, a Confirmation Required dialog, summarizing the hostname and the IP address is displayed. Here, you can either edit the agent details or save the agent information.