Manage My Page
RSA SecurID Access My Page is a web portal that helps provide a secure way for users to manage their authenticators. Users can complete registration and delete their authenticators (if necessary).
You must enable My Page if you want to use it. You select the primary authentication method and the policy used for additional authentication for signing into My Page.
Each user can use My Page to register two authenticators: one device that supports Android, iOS, or Windows, and one FIDO authenticator.
Android, iOS, or Windows: After you enable My Page, all users must go to My Page to register these devices using multifactor authentication and QR or numeric registration codes.
After you enable My Page, if you are using security keys as FIDO authenticators, all users can register their FIDO authenticators during authentication the first time they attempt to use their authenticators. However, Windows Hello or Android phone authenticators cannot be registered during first time authentication.
To enable registration for all FIDO authenticators, you must enable both My Page and FIDO authenticator registration on Platform > My Page. After both functions are enabled, users can no longer register FIDO authenticators during authentication.
Before you begin
- You must be a Super Admin in the Cloud Administration Console.
- Know which access policy to use for additional authentication.
  - Confirm that the access policy contains authentication methods that are not used for primary authentication and can be completed by the user without the RSA SecurID Authenticate app, for example, SMS or Voice Tokencode. If you are not already using SMS or Voice Tokencode, contact your RSA sales representative for additional information.
  - If you will require users to register their FIDO authenticators using My Page, confirm that the access policy does not require a FIDO authenticator.
- (Optional) Select your company logo to display in My Page. The image file must be JPG or PNG format, and no larger than 50 KB. The maximum logo size is 220 x 80 pixels. The same logo can also be displayed on additional authentication prompts.
In the Cloud Administration Console, click Platform > My Page.
Enable My Page.
In the Authentication section, in the Primary Authentication Method drop-down list, select the authentication method to use. Note the following:
If you select FIDO, note that users cannot complete registration when authenticating for the first time with FIDO as a primary authentication method. Be sure that users can first complete registration by accessing an application or My Page that requires FIDO as additional authentication. Then users can use FIDO authenticators as primary authentication for this application.
If you want to allow Emergency Tokencode as a replacement for FIDO (for example, if a user lost the FIDO authenticator), select Allow Emergency Tokencode to replace FIDO. Emergency Tokencode does not need to be in an assurance level to use it for primary authentication.
If you select the Emergency Tokencode option, consider the following additional authentication implications:
If Emergency Tokencode is an authentication option based on the selected access policy, the user is granted access to the protected resource after entering the Emergency Tokencode one time and is not prompted for the Emergency Tokencode twice.
If Emergency Tokencode is not an authentication option in the selected access policy, the user is prompted for additional authentication based on the policy.
If you select Managed by Cloud Identity Provider, select the Cloud identity provider from the list.
In the Access Policy for Additional Authentication drop-down list, select the access policy to apply if primary authentication succeeds.
If you selected Managed by Cloud Identity Provider in the previous step, you might want to select an access policy that does not require additional authentication, so users are automatically authenticated to My Page by the Cloud identity provider.
(Optional) In the Configuration section, click Upload Logo, and select the company logo to display in My Page.
If you do not specify a logo, My Page contains only the RSA SecurID Access logo. To delete an existing logo, click the minus sign.
If you want the same logo to appear on pages used for additional authentication, select Use custom logo for additional authentication prompts. If you do not select this option, no logo appears during additional authentication.
If you want to allow users to delete their authenticators in My Page (for example, when they get new mobile devices and need to complete registration), leave the box selected. If not, clear the Users can delete authenticators in My Page box.
If you clear the box, administrators can delete users' current authenticators as described in Manage Users for the Cloud Authentication Service.
If you want to require users to register their FIDO authenticators in My Page, select Users can register FIDO authenticators in My Page and select the authenticators to allow registration for. My Page must also be enabled.
If you want the Cloud Authentication Service to automatically send emails to users when they complete registration with the RSA SecurID Authenticate app, add or delete additional accounts, or delete registered devices, click Device Registration & Deletion Emails and follow the instructions on that page.
(Optional) If you want to redirect users to a specific URL after they sign out of My Page, enter the URL in the Logout URL field.
If you do not specify a URL, users are redirected to the My Page URL. Note that this field is not available if you select Password, SecurID, or FIDO as the primary authentication method.
(Optional) If you want to redirect users to a specific URL after they encounter an error, enter the URL in the Error URL field.
If you do not specify a URL, users are redirected to the logout URL or the My Page URL (if the logout URL is not specified). Note that this field is not available if you select Password, SecurID, or FIDO as the primary authentication method.
If you are configuring My Page for single sign-on in an unsolicited response flow, copy the Assertion Consumer Service (ACS) URL for Unsolicited Responses value into your identity provider configuration settings.
- Click Save.
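The prerequisites and notes above interact, so it helps to check a planned configuration against them before saving. The following is an added example, not RSA code: the dictionary keys are a hypothetical schema (not an RSA API or export format), the sample values are constructed, and treating a policy whose only method is FIDO as one that "requires" FIDO is an assumption.

```python
# Added example: lint a planned My Page configuration before saving it.
# The dict keys below are a hypothetical schema, not an RSA API or export format.

APP_FREE = {"SMS Tokencode", "Voice Tokencode"}        # the page's examples
NO_REDIRECT_PRIMARY = {"Password", "SecurID", "FIDO"}  # Logout/Error URL unavailable


def lint_my_page(cfg):
    """Return a list of (code, message) findings for a planned configuration."""
    findings = []
    primary = cfg["primary_method"]
    policy = set(cfg["policy_methods"])  # methods the additional-auth policy accepts

    # Policy must offer a method that is not the primary one and needs no app.
    if not (policy & APP_FREE) - {primary}:
        findings.append(("no-app-free-method",
                         "policy offers no app-free method distinct from primary"))

    # Assumption: a policy whose only method is FIDO "requires" FIDO.
    if cfg.get("fido_registration_in_my_page") and policy == {"FIDO"}:
        findings.append(("fido-required-to-register-fido",
                         "users must register FIDO in My Page but policy requires FIDO"))

    if primary == "FIDO":
        findings.append(("fido-primary-first-use",
                         "FIDO cannot be registered during first-time primary authentication"))
        if cfg.get("allow_emergency_tokencode") and "Emergency Tokencode" in policy:
            findings.append(("emergency-single-prompt",
                             "one Emergency Tokencode entry satisfies primary and additional authentication"))

    for key in ("logout_url", "error_url"):
        if cfg.get(key) and primary in NO_REDIRECT_PRIMARY:
            findings.append((key + "-unavailable",
                             key + " is not available with primary method " + primary))
    return findings


# Constructed sample configuration (illustrative values only).
SAMPLE = {
    "primary_method": "FIDO",
    "allow_emergency_tokencode": True,
    "policy_methods": ["FIDO", "Emergency Tokencode"],
    "fido_registration_in_my_page": True,
    "logout_url": "https://intranet.example.com/bye",
}

if __name__ == "__main__":
    for code, message in lint_my_page(SAMPLE):
        print(code + ": " + message)
```

Extend `APP_FREE` with any other methods your deployment can complete without the RSA SecurID Authenticate app.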