Edit the RSA Cloud Authentication Service ConnectionEdit the RSA Cloud Authentication Service Connection
After you connect RSA Authentication Manager to the Cloud Authentication Service, you can edit the connection.
For instructions on how to configure the initial connection, see the following:
- If you are using separate identity routers on other platforms in your on-premises network or in the Amazon Web Services cloud, see Connect RSA Authentication Manager to the Cloud Authentication Service.
- To connect with an embedded identity router, see Quick Setup - Connect RSA Authentication Manager to the Cloud Authentication Service with an Embedded Identity Router.
Before you begin
-
You must be a Super Admin.
-
A new Registration Code and Registration URL is required if you need to re-register Authentication Manager with the Cloud Authentication Service. You must re-register for any of the following reasons:
- You are configuring an embedded identity router.
- You want to enable the high availability tokencode feature, and you are upgrading from an RSA Authentication Manager 8.4 or later deployment that is already connected to the Cloud Authentication Service.
- The access policy that was used for the original connection has been replaced with a different access policy. The access policy is configured and selected in the Cloud Administration Console.
- The access policy name that was used for the original connection has changed.
- The RSA Authentication Manager API Key used for the original connection has been deleted from the Authentication API Keys page or the Administration API Key page in the Cloud Administration Console. This disconnects Authentication Manager from the Cloud Authentication Service.
- You make changes to an HTTPS proxy server, and you need to connect to the Cloud Authentication Service again and accept a new certificate. You do not need to re-register if you configure or update the connection to a HTTP proxy server.
If you need to obtain the Registration Code and Registration URL, see Connect Your Cloud Authentication Service Deployment to RSA Authentication Manager.
Procedure
-
In the Security Console, click Setup > System Settings.
-
Click RSA Cloud Authentication Service Configuration.
-
If Authentication Manager is behind an external firewall, you can configure a connection to a proxy server before connecting to the Cloud Authentication Service. For instructions, see Configure a Proxy Server.
-
To connect Authentication Manager to the Cloud Authentication Service, do the following:
- Under Register RSA Authentication Manager with the RSA Cloud Authentication Service, copy and paste the Registration Code and the Registration URL from the Cloud Administration Console, or obtain this information from a Cloud Authentication Service Super Admin and manually enter it.
For more information, see Connect Your Cloud Authentication Service Deployment to RSA Authentication Manager.
- Click Connect to the RSA Cloud Authentication Service.
A message indicates that the connection is established. The Cloud Authentication Service details are automatically updated and saved.
- Under Register RSA Authentication Manager with the RSA Cloud Authentication Service, copy and paste the Registration Code and the Registration URL from the Cloud Administration Console, or obtain this information from a Cloud Authentication Service Super Admin and manually enter it.
-
To enable users to authenticate to the Cloud Authentication Service, under RSA Cloud Authentication Service Configuration, click Enable RSA Cloud Authentication.
-
The Enable Authenticate Tokencode PIN Prompts checkbox is selected if you previously used the Security Console to connect RSA Authentication Manager to the Cloud Authentication Service before applying RSA Authentication Manager 8.5 Patch 3 or later. The Enable Authenticate Tokencode PIN Prompts checkbox is not selected if you applied Patch 3 or later before making the connection.
Clear the Enable Authenticate Tokencode PIN Prompts checkbox to prevent Authenticate Tokencode users from being prompted for PINs on their first authentication to the Cloud Authentication Service. During subsequent authentications, Authenticate Tokencode users are only prompted for a PIN if their PIN has expired, or if an administrator has cleared their PIN or requires users to create another PIN. This option does not affect other types of authentication.
-
You can use RSA Authentication Manager as a secure proxy server that sends authentication requests directly to the Cloud Authentication Service.
To manually enable this feature, select the Send Multifactor Authentication Requests to the Cloud checkbox.
-
Click Save.
After you finish
- If required by your deployment, add the Multifactor Authentication REST URL and the Help Desk Administration REST URL to a whitelist of URLs that Authentication Manager is allowed to access.
Other URLs are as follows.
Feature URL Telemetry telemetry.access.securid.com Embedded identity router US region: sidaccessovap2useast.blob.core.windows.net, sidaccessovap2uswest.blob.core.windows.net
ANZ region: sidaccessovap4auc.blob.core.windows.net, sidaccessovap4auc2.blob.core.windows.net
EMEA region: sidaccessovap3eun.blob.core.windows.net, sidaccessovap3euwest.blob.core.windows.net
Federal region: sidaccessovap5govva.blob.core.usgovcloudapi.net
-
For any administrator who needs to manage Cloud Authentication Service users in the Authentication Manager User Dashboard, you must have selected Manage RSA Cloud Authentication Service Users on the General Permissions tab. For more information, see Edit Permissions for an Administrative Role.
