RSA Authentication Manager Secure Proxy Server for the Cloud Authentication Service
You can use RSA Authentication Manager 8.7 SP1 as a secure proxy server that sends authentication requests to the Cloud Authentication Service. This feature offers the following benefits:
- Creates one secure connection to the Cloud Authentication Service for authentication requests as opposed to connecting to the Cloud Authentication Service with many authentication agents.
There is no need to configure firewall rules for multiple authentication agents. You can prevent certain users from accessing external resources, but allow these users to authenticate to the Cloud Authentication Service through Authentication Manager.
- Supports all authentication methods supported by REST protocol authentication agents, whether verified by Authentication Manager or the Cloud Authentication Service.
- Provides high availability using Authenticate Tokencode or SecurID passcodes when RSA Authentication Manager cannot communicate with the Cloud Authentication Service.
- Supports offline authentication to Authentication Manager or the Cloud Authentication Service for the authentication agents that support this feature.
To configure this feature, see Configure RSA Authentication Manager as a Secure Proxy Server for the Cloud Authentication Service.
The following table shows the possible deployment options. For more specific information, see your authentication agent documentation.
Scenario | Authentication Methods | High Availability |
---|---|---|
Direct connection to RSA Authentication Manager 8.5 or later with the UDP protocol or the REST protocol. RSA Authentication Manager is not connected to the Cloud Authentication Service. | Authentication Manager handles authentication, for example, SecurID hardware and software tokens, on-demand authentication, and Authentication Manager emergency access methods. | Does not apply. |
Direct connection to the Cloud Authentication Service with the REST protocol. Authentication Manager is not connected to the Cloud Authentication Service. | The Cloud Authentication Service handles authentication, for example, Approve, Device Biometrics, Authenticate Tokencode, SecurID hardware and software tokens, Emergency Tokencode, SMS Tokencode, and Voice Tokencode. | Does not apply. |
Direct connection to RSA Authentication Manager 8.5 or later with the UDP protocol or the REST protocol. Authentication Manager is connected to the Cloud Authentication Service. | Authentication Manager always validates SecurID hardware and software tokens, on-demand authentication, and Authentication Manager emergency access methods, and always sends other authentication methods to the Cloud Authentication Service, for example, Authenticate Tokencode, Approve, and Device Biometrics. Authentication Manager automatically downloads High Availability Tokencode records from the Cloud Authentication Service using a batch job that runs each day. | When the Cloud Authentication Service is not available, Authentication Manager prompts users for local authentication with Authenticate Tokencode or SecurID authentication. |
Direct connection to the Cloud Authentication Service with the REST protocol, updated to use RSA Authentication Manager 8.5 or later as a secure proxy server. Authentication Manager is connected to the Cloud Authentication Service. | Authentication Manager proxies all authentication requests to the Cloud Authentication Service, for example, Approve, Device Biometrics, Authenticate Tokencode, SecurID hardware and software tokens, Emergency Tokencode, SMS Tokencode, and Voice Tokencode. | When the Cloud Authentication Service is not available, Authentication Manager prompts users for local authentication with Authenticate Tokencode or SecurID authentication. |
RADIUS client agent directly connected to RSA Authentication Manager 8.5 or later. Authentication Manager is connected to the Cloud Authentication Service. | Authentication Manager always validates SecurID hardware and software tokens and always sends other authentication methods to the Cloud Authentication Service, for example, Authenticate Tokencode, Approve, and Device Biometrics. | When the Cloud Authentication Service is not available, Authentication Manager prompts users for local authentication with Authenticate Tokencode or SecurID authentication. |
High Availability Tokencode for the Secure Proxy Server
When Authentication Manager acts as a secure proxy server for the Cloud Authentication Service and the high availability feature is configured, users can access SecurID protected resources when the Cloud Authentication Service or the connection is temporarily unavailable or too slow.
Authentication Manager automatically downloads High Availability Tokencode records from the Cloud Authentication Service. Authentication Manager determines if the Cloud Authentication Service is reachable, and if local authentication is needed.
When the Cloud Authentication Service is not reachable, authentication proceeds as follows:
- Authentication agents prompt users for Authenticate Tokencode or SecurID passcode.
- The access policy in the Cloud Authentication Service is not applied. For example, a user who normally authenticates with Approve or Device Biometrics is prompted for Authenticate Tokencode or SecurID passcode.
- If the Authenticate Tokencode is in Next Token mode or New PIN mode, Authentication Manager uses the downloaded tokencode records to successfully authenticate.
- Authentication Manager determines whether a user is enabled, disabled, or locked. User status from the Cloud Authentication Service is not available until the connection is restored.
Authentication records and information about the status of communication between Authentication Manager and the Cloud Authentication Service are recorded in log files and in the Authentication Manager System Activity Monitor.
An internal REST protocol agent called @#RSAHighAvailability_#@_InternalAgent1#@ provides High Availability Tokencodes to users when the connection to the Cloud Authentication Service is not available. You cannot edit, enable, disable, or delete this internal agent.
For configuration instructions, see Configure High Availability Tokencodes.
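The following is an added model, written for this page and not RSA's product code, of the routing rules in the deployment table and the fallback behaviour described in this section: which methods Authentication Manager validates itself, which it proxies to the Cloud Authentication Service, and what happens when the cloud is unreachable (local High Availability Tokencode check, with the cloud access policy not applied). The method names, the `ProxyState` fields, and the credential stores are assumptions for the simulation.

```python
from dataclasses import dataclass, field

# Methods Authentication Manager (AM) always validates itself (per the deployment table).
AM_LOCAL = {"securid_token", "on_demand", "am_emergency_access"}
# Methods AM forwards to the Cloud Authentication Service when it is reachable.
CLOUD_ONLY = {"approve", "device_biometrics", "authenticate_tokencode",
              "emergency_tokencode", "sms_tokencode", "voice_tokencode"}
# Methods that can be satisfied locally during an outage (HA Tokencode or SecurID passcode).
HA_FALLBACK = {"authenticate_tokencode", "securid_token"}


@dataclass
class ProxyState:
    cloud_reachable: bool
    ha_configured: bool
    user_status: dict = field(default_factory=dict)    # AM's local view: enabled/disabled/locked
    # Hypothetical stores standing in for downloaded HA Tokencode records and AM token data.
    ha_records: dict = field(default_factory=dict)     # user -> set of valid HA tokencodes
    securid_codes: dict = field(default_factory=dict)  # user -> set of valid SecurID passcodes


def route(state: ProxyState, user: str, method: str, credential: str) -> tuple:
    """Decide what the proxy does with one request; returns (outcome, reason)."""
    # AM decides user status locally; cloud status is unavailable during an outage.
    if state.user_status.get(user) != "enabled":
        return ("deny", "AM reports user disabled, locked or unknown")
    if method in AM_LOCAL:
        ok = credential in state.securid_codes.get(user, set())
        return ("allow" if ok else "deny", "validated locally by AM")
    if method not in CLOUD_ONLY:
        return ("deny", "unsupported authentication method")
    if state.cloud_reachable:
        return ("proxy", "forwarded to Cloud Authentication Service; cloud access policy applies")
    if not state.ha_configured:
        return ("deny", "cloud unreachable and high availability not configured")
    if method not in HA_FALLBACK:
        # Agent re-prompts the user for Authenticate Tokencode or SecurID passcode.
        return ("reprompt", "cloud unreachable; prompt for Authenticate Tokencode or SecurID")
    ok = credential in state.ha_records.get(user, set())
    return ("allow" if ok else "deny", "local HA Tokencode check; cloud access policy NOT applied")
```

The "reprompt" and "local HA Tokencode check" outcomes are the ones to watch in the System Activity Monitor, since they mark periods when cloud access policies were not enforced.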
Offline Authentication for RSA Authentication Agents
When you use RSA Authentication Manager 8.7 SP1 as a secure proxy server, some authentication agents support offline authentication to the Cloud Authentication Service:
- Offline emergency access codes can be automatically downloaded for users who access the authentication agent. Users can continue to authenticate if the connection to Authentication Manager or the Cloud Authentication Service is not available. For more information, see Emergency Tokencode.
- Authentication agents automatically download offline data day files through Authentication Manager for uninterrupted authentication to the Cloud Authentication Service. If an authentication agent is unable to access Authentication Manager, then the authentication agent uses the downloaded day files for authentication. For instructions on configuring offline authentication, see your agent documentation.