You can enable designated components in your deployment to access the identity router API to support certain features, such as RSA SecurID Authenticate Tokencode integration between RSA Authentication Manager and RSA SecurID Access.
The identity router API is a REST-based web services interface that allows designated components in your deployment to query and manage runtime information, such as user profiles. Access to the API is disabled by default. You can enable access to the API to support certain features in your deployment, such as RSA SecurID Authenticate Tokencode integration between RSA Authentication Manager 8.4 Patch 3 and earlier and the Cloud Authentication Service. Only a Super Admin can enable identity router API access.
You must enable access to the identity router API if you want RSA Authentication Manager to support RSA SecurID Authenticate Tokencode integration between RSA Authentication Manager and the Cloud Authentication Service. Other components may also require this access.
You need to generate an Access ID and Access Key, which are credentials associated with a Super Admin account. RSA Authentication Manager or other designated components in your deployment that need to access the identity router API can then use that Access ID and Access Key.
Before you begin
Obtain the IP address (or address range) and network mask for the part of your network that requires access to the identity router API.
Add a Super Admin account to the Cloud Administration Console using credentials that do not belong to a specific individual. This account is used exclusively to manage identity router API access. For example, you can create a new email address specifically for this account, or use an address that is jointly monitored by all Super Admins in your deployment. Super Admins can modify the identity router API access configuration through this account.
In the Cloud Administration Console, click My Account > Administrators.
Click Edit next to the Super Admin account that you want to grant API access.
In the Enable Identity Router API field, select the checkbox to enable access to the identity router API. This step generates values in the Access ID and Access Key fields. Copy these values to a secure location where you can access them when you configure the components of your deployment that use the identity router API.
Note:The Access ID and Access Key are sensitive data. Store these values securely, and share them only with other Super Admins.
In the IP Address and Netmask fields, specify the part of your network from which the API will be accessible. To support API requests from sources without static IP addresses, you can specify an IP address range. Do not use CIDR notation.
The embedded identity router in Authentication Manager requires the Gateway IP address for the identity router with the network mask 255.255.255.255. You can view the Gateway IP address on the Network Diagnostics page. For instructions, see View Network Diagnostics on an Identity Router.
If more than one Authentication Manager instance can access the embedded identity router REST API, add each Authentication Manager IP address. You view this information by logging on to the Operations Console for each Authentication Manager instance and clicking Administration > Network > Appliance Network Settings.
If you want to add another network, click Add, then repeat step 4.
Click Publish Changes.
After you finish
Provide the API Access ID and Access Key to the appropriate person who is configuring components that need to interact with the identity router API.