Testing Your Risk-Based Authentication Integration

Test your risk-based authentication (RBA) integration to verify that Authentication Manager can authenticate users for the agent. If the test is unsuccessful, troubleshoot the setup, and repeat the test until it succeeds.

The Authentication Activity Monitor logging detail can be used for troubleshooting if the test is unsuccessful.

Procedure

  1. Create a test user in the Security Console by adding a new user to the internal database and the default security domain (SystemDomain).

    For instructions, see Add a User to the Internal Database.

  2. Verify that the RBA policy associated with the default security domain (SystemDomain) has the following configuration and edit the policy if necessary:

    • Automatic enablement is allowed.

    • Silent collection is allowed.

    For instructions on editing an RBA policy, see Edit a Risk-Based Authentication Policy.

  3. Start the Authentication Activity Monitor in the Security Console.

    Click Start Monitor to view real-time authentication activity.

  4. Do one of the following:

    • Go to another computer on the same network, start the browser, and go to the logon page for your web-based application.

    • Start a different browser application on the same machine if you have more than one installed. For example, if you used Firefox to access the Security Console, you may use Internet Explorer to access the logon page for your web-based application.

    The logon page for your web-based application automatically redirects you to the Authentication Manager logon page. If you are not redirected to this page, troubleshoot the test. For more information, see Troubleshooting the Authentication Test.

  5. Enter the logon credentials for the test user.

  6. Verify that your browser loads the correct landing page for the network resource that you are trying to access.

  7. Review authentication logging in the Authentication Activity Monitor. If the test succeeded, familiarize yourself with the entries that are logged for a successful authentication. If the test was unsuccessful, review the entries and see Troubleshooting the Authentication Test.

Troubleshooting the Authentication Test

If the authentication test is unsuccessful, follow the recommended troubleshooting methods in the following table based on the system behavior that you observed during the test.

System Behavior

Action

Browser displays the default logon page for your web-based application instead of the Authentication Manager logon page.

  • Verify that you generated and deployed the RBA integration script correctly. For more information, see the implementation guide for your web-based application.

  • Verify that the integration script file for your web-based application is encoded as ISO-8859-1 (also referred to as Latin-1) or ASCII. Other file encoding formats are not supported.
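
One way to run the encoding check above, as an added example that is not RSA code. Every byte sequence decodes as ISO-8859-1, so the check looks for signs of another encoding instead: byte-order marks, NUL bytes, valid UTF-8 multibyte sequences, and bytes in the 0x80-0x9F range. The function names are hypothetical, and you supply the path to your own integration script.

```python
import codecs

# Byte-order marks that indicate a Unicode encoding rather than ASCII/Latin-1.
# UTF-32 is listed before UTF-16 because its LE mark begins with the UTF-16 one.
BOMS = [
    (codecs.BOM_UTF8, "UTF-8 BOM"),
    (codecs.BOM_UTF32_LE, "UTF-32 LE BOM"),
    (codecs.BOM_UTF32_BE, "UTF-32 BE BOM"),
    (codecs.BOM_UTF16_LE, "UTF-16 LE BOM"),
    (codecs.BOM_UTF16_BE, "UTF-16 BE BOM"),
]


def classify_script_encoding(data: bytes):
    """Return (verdict, reason); verdict is 'ascii', 'latin-1' or 'unsupported'."""
    for bom, name in BOMS:
        if data.startswith(bom):
            return "unsupported", f"starts with {name}"
    if b"\x00" in data:
        return "unsupported", "contains NUL bytes (UTF-16/UTF-32 without a BOM?)"
    high = [(i, b) for i, b in enumerate(data) if b >= 0x80]
    if not high:
        return "ascii", "all bytes are below 0x80"
    # Decoding as ISO-8859-1 never fails, so it proves nothing. Non-ASCII
    # bytes that also form valid UTF-8 almost always mean the file is UTF-8.
    try:
        data.decode("utf-8")
        return "unsupported", f"non-ASCII bytes from offset {high[0][0]} are valid UTF-8"
    except UnicodeDecodeError:
        pass
    # 0x80-0x9F are C1 control codes in ISO-8859-1; in a script file they
    # usually come from Windows-1252 punctuation such as curly quotes.
    c1 = [(i, b) for i, b in high if b <= 0x9F]
    if c1:
        i, b = c1[0]
        return "unsupported", f"byte 0x{b:02X} at offset {i} suggests Windows-1252"
    return "latin-1", f"{len(high)} byte(s) in 0xA0-0xFF, not valid UTF-8"


def check_file(path: str):
    """Classify the integration script stored at `path` (path chosen by the caller)."""
    with open(path, "rb") as fh:
        return classify_script_encoding(fh.read())
```

A verdict of `unsupported` means the file should be re-saved as ASCII or ISO-8859-1 before it is redeployed; the reason string points at the first offending byte.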

Web-based application redirects you to a logon page that does not load.

  • Verify that your browser allows JavaScript. For more information, see your browser documentation.

  • Verify that your browser has cookies enabled. For more information, see your browser documentation.

  • Verify that you are using a supported browser. For a list of supported browsers, see the RSA Authentication Manager Setup and Configuration Guide.

  • Do one of the following:

    • For a deployment with a web tier, verify that the URL resolves to the virtual host and virtual host port.

    • For a deployment without a web tier and with a load balancer, verify that the URL resolves to the load balancer and the load balancer port.

    • For a deployment without a web tier and without a load balancer, verify that the URL resolves to the primary instance and primary instance port.

  • Verify that all firewalls are configured to allow inbound traffic to the host and port that are specified in the URL.

  • Verify that the Domain Name System (DNS) server has the appropriate hostnames and IP addresses for RBA. See Planning for Domain Name System Updates.

  • Also, verify that any Network Address Translation (NAT) devices or load balancers do not interfere with requests that must be routed to an Authentication Manager host, which is either the web tier or an Authentication Manager instance, depending on your deployment scenario.

    These actions can resolve issues in which the browser enters a redirect loop.

  • Verify that web tier instances can communicate with the primary and replica instances. Also, if your deployment includes a load balancer, verify that it can communicate with the web tier instances.

If none of these methods resolves the issue, RSA recommends the following:

Generate and redeploy the integration script to the logon page for your web-based application. For more information, see the implementation guide for your web-based application.
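
The URL, DNS and firewall checks listed above for a logon page that does not load can be run from the test client in one pass. This is an added example, not RSA code: it takes the logon URL that the browser was redirected to, resolves the host, and attempts a TCP connection to the port, reporting which stage fails. The function names and stage labels are hypothetical.

```python
import socket
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def endpoint_from_url(url: str):
    """Extract the (host, port) that the browser would connect to."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def check_endpoint(url: str, timeout: float = 3.0):
    """Return (stage, detail); stage is 'dns', 'refused', 'timeout', 'error' or 'ok'."""
    host, port = endpoint_from_url(url)
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # Name does not resolve: check the DNS records for the virtual host,
        # load balancer or primary instance, depending on the deployment.
        return "dns", f"{host} does not resolve: {exc}"
    last = ("error", "no address tried")
    for addr in sorted({info[4][0] for info in infos}):
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                return "ok", f"{host} -> {addr}, TCP port {port} accepts connections"
        except ConnectionRefusedError:
            # Host answered but nothing listens there: wrong port or service down.
            last = ("refused", f"{addr}:{port} refused the connection")
        except socket.timeout:
            # Silence usually means a firewall or NAT rule is dropping the traffic.
            last = ("timeout", f"{addr}:{port} did not answer within {timeout}s")
        except OSError as exc:
            last = ("error", f"{addr}:{port} failed: {exc}")
    return last
```

Compare the resolved address in an `ok` result with the host that your deployment scenario expects; a successful connection to the wrong host is still a DNS problem.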

The web-based application redirects you to a page with the error message “Agent Integration Error”.

  • Verify that you created an agent record in Authentication Manager. For more information, see Add an Authentication Agent.

  • Generate and redeploy the integration script to the logon page for your web-based application. For more information, see the implementation guide for your web-based application.

  • If your deployment includes a load balancer, verify that the load balancer has persistence configured. Persistence, which is also called “session affinity” or “sticky sessions,” allows a load balancer to send a client to the same server during a session. For Authentication Manager, the load balancer must send the client to the same Authentication Manager instance or web tier during an authentication session. For more information, see your load balancer documentation.

  • Find a more detailed error message in rsa-console.log. For instructions, see Download Troubleshooting Files.

Page error occurs after you log on as the test user.

Verify that you are using a supported deployment scenario for RBA. For supported deployment scenarios, see the RSA Authentication Manager Planning Guide.

After you enter the logon credentials for the test user, you are prompted to log on again.

Do the following:

  • Verify that the account settings in Authentication Manager allow the test user to log on. The user must exist and belong to the default security domain (SystemDomain), and the account must be enabled. The account must not be expired, and the user must not be locked out. For more information, see Enable a User Account.

  • Verify that the RBA policy for the default security domain (SystemDomain) allows automatic enablement and silent collection. For more information, see Risk-Based Authentication Policies.

  • Verify that the user is enabled for RBA, if RBA does not allow automatic enablement.

  • Verify that the Authentication Activity Monitor displays all the required log entries. You will see the following entry types: authentication method success with password and SecurID, authentication method success with RBA, artifact generation success, and artifact delivery success.

If this does not resolve the issue, RSA recommends clearing the node secret for Authentication Manager and your web-based application. For more information on clearing the node secret for Authentication Manager, see Manage the Node Secret. For more information on clearing the node secret for your web-based application, see your web-based application documentation.