Sign Up
If you have not yet signed up for the trial, go to RSA SecurID Access Admin MFA Trial, and complete the form. After you confirm your email address, RSA will send you the URLs and sign-in credentials for your demo user accounts.
If you already signed up, you're ready to start by registering your device!
Register Your Device
Have your mobile device handy. In this step, you register your mobile device with RSA SecurID Access, so that you can use mobile authentication options such as push notifications (Approve).
Using the Application Portal URL in your email from RSA, sign in using your credentials.
In the application portal, you see icons for App A, App B, the hosted LDAP directory server, RSA SecurID Access My Page, the tutorial, and video.
Click My Page and sign in with your credentials.
You are prompted to share your location. You can allow or block it.
Follow the prompts to download the RSA SecurID Authenticate app onto your device, and register it using either a QR code or numeric registration code. Do the test authentication, if you want.
That's all there is to device registration. Now let's use the app to try a simple Approve authentication.
Do a Test Authentication
- Sign out of the application portal and sign in again.
Click App B. You are prompted to Approve.
You are prompted to allow the service to remember your browser, which can simplify future authentications. You can allow or block it.
You're in!
Explore the Demo Applications and Policies
Let's explore how you can use policies to control which users can access your applications and how users will authenticate. We'll examine the policy assigned to App B, which you just authenticated to. You won't make any changes right now. Just familiarize yourself with where things are.
Using the URL for the Cloud Administration Console provided in your email from RSA, sign in using your credentials.
You see the main dashboard page.
- Click Applications > My Applications to see the list of demo applications.
- For App B, click Edit. When the application opens, click the User Access tab. This is where you associate a policy with an application. Notice that the policy assigned to this application is named Allow All Authenticated Users - Low Assurance.
- Now click Access > Policies to see a list of all of the policies currently configured. Scroll down to Custom Policies and find Allow All Authenticated Users - Low Assurance. This policy governs access to App B, which you just viewed. Click Edit to open the policy.
Click the Rule Sets tab. This page provides important configuration settings you need to know about and will want to experiment with later.
The Target Population field tells you who this policy applies to. In this case, it's for all users. Later, you will be able to use this setting to target selected groups of users based on LDAP attributes such as network, job title, and department.
The Access and Additional Authentication fields tell you that users who authenticate are allowed to access applications.
The Assurance Level is the list of authentication options available for this target population.
It's easy to modify Assurance Levels so they meet your particular needs. Let's take a quick look. Click Access > Assurance Levels.
You can see that assurance levels are categorized as High, Medium, and Low. Each level contains different options with varying security strengths. You can modify each level by adding or removing options. Assurance levels help ensure that your most sensitive digital assets are protected by the strongest authentication that is appropriate for your users, while less important assets remain easier for users to access.
Notice that the High level combines multiple options for added security, while the Low level includes options that are relatively simple and convenient for users.
Leave this browser tab open.
Update an Access Policy
Now let's make a few changes to an existing access policy.
In the Cloud Administration Console, click Access > Policies.
Scroll down to Allow All Authenticated Users - Low Assurance, and click Edit.
Change the name to Managers or Non-Managers, and click Next Step > Next Step.
Enter the name exactly as shown.
Add a rule set to require non-managers to authenticate with Medium Assurance or higher:
Under Target Population, do the following:
- Click Selected Users > Add.
From the User Attribute drop-down list, select title.
From the Operation drop-down list, select Set does not contain any.
In the Value field, enter manager.
The value is case-sensitive.
- Click Save.
- Scroll up to the Rule Set Name field, and enter Non-Managers.
Under Access Details, select Medium from the Assurance Level drop-down list.
The default Medium assurance level requires users to authenticate with either a Device Biometric, such as Fingerprint or Face ID, or the Authenticate Tokencode, an eight-digit number that displays on the home screen of the Authenticate app. Users can also select from options in the High assurance level.
Add a rule set to not require additional authentication for managers:
Scroll to the top of the page, and click Add a Rule Set.
The new rule set displays below the existing rule set.
In the Rule Set Name field, enter Managers.
Under Target Population, do the following:
- Click Selected Users > Add.
From the User Attribute drop-down list, select title.
From the Operation drop-down list, select Set contains any.
In the Value field, enter manager.
The value is case-sensitive.
- Click Save.
- Under Access Details, select Allowed > Not Required.
- Click Save and Finish.
Click Publish Changes in the upper-left corner.
Try with Demo Users
Let's test our new policy requirements with two demo users, Sanjay Sample (not a manager) and Emilio Example (a manager). Refer to your email for their credentials.
On two other iOS, Android, or Windows 10 devices, register devices for Sanjay and Emilio. Follow the instructions in Register Your Device.
Do not use the device that you used for yourself in Step 4 because a device can only be registered to one user, unless it is a Windows 10 PC.
If you want Sanjay to use Device Biometrics later to access App B, be sure that biometrics (for example, Fingerprint or Face ID) are set up on Sanjay's device.
Sign out of the application portal.
Sign into the application portal as Sanjay. Open App A.
Sanjay gets in because App A does not require additional authentication beyond the credentials used to sign into the portal.
Open App B and authenticate.
Because Sanjay is not a manager, he is prompted to complete additional authentication. Notice that the Medium (and High) assurance level options are available.
- Sign out of the application portal.
Sign into the application portal with Emilio's credentials. Open App A.
Like Sanjay, Emilio gets in because App A does not require additional authentication beyond the credentials used to sign into the portal.
Open App B.
Emilio gets in because App B does not require additional authentication for managers.
Sign out of the application portal.
(Optional) Test with Danielle and Tina, the other demo users.
Review their titles to understand what authentication they will be prompted for.
Next Steps
You've now done a few test authentications with demo users and apps. Here is what to do next:
If you want to add your own users in the demo identity source or add your own SAML or RADIUS applications, go to Step 2: Test with Your Users and Your SAML or RADIUS Applications.
Note: To add a RADIUS application with the instructions in Step 2, your environment must support outbound RADIUS communication.
If you want to use your own identity source or add a RADIUS application in an environment that does not support outbound RADIUS communication, go to Step 3: Test with Your Identity Source and All Applications .
If you have finished exploring the trial and are ready to learn more about RSA SecurID Access, contact your RSA Sales representative, or call 800-995-5095 or 1-781-515-7700 and option 1 (Sales).
We want your feedback! Tell us what you think of this page.
Table of Contents > Contents > Step 1: Test with Demo Users and Demo Applications
On this page
