Portal Multifactor Authentication PolicyPortal Multifactor Authentication Policy
Deployments that use the SSO Agent can use the Portal Multifactor Authentication Policy to require users to complete additional authentication in addition to the default requirements of user ID and password to sign into the RSA SecurID Access Application Portal. RSA SecurID Access automatically creates this policy after you select this portal sign-in method on the Portal Settings page. The default settings require additional authentication with the Medium assurance level.
With this policy, after the user manually enters the user ID and password on the portal sign-in page or satisfies the requirements of Integrated Windows Authentication (IWA), RSA SecurID Access prompts the user for additional authentication.
Note: This policy is not supported with an external SAML IdP or a custom portal.
To configure this policy, complete the following:
- Select the portal policy option in the Portal Settings page to both create and enable the Portal Multifactor Authentication Policy.
Configure the additional authentication requirements for the portal policy from the Policies page.
By default, RSA SecurID Access applies the policy to all identity sources that exist for the Cloud Authentication Service when the policy is created. After you enable this policy, if you add an identity source that you want to use this policy, you must edit this policy to select this new identity source. Remember to synchronize the identity sources, so that users are prompted for additional authentication.
If you enable this policy, consider the user experience that will be required based on the assurance levels configured for the application portal and applications. Within a user session, if the user successfully authenticates to the application portal, then the user can access other applications with the same assurance level or lower without completing additional step-up authentication. Within that session, if the user accesses an application with a higher assurance level than the application portal, the user is prompted for the required step-up authentication specified by the higher assurance level.
Authentication Flow with Portal Multifactor Authentication Policy ExampleAuthentication Flow with Portal Multifactor Authentication Policy Example
In this example, the company is using the RSA SecurID Access Application Portal. The administrator has enabled the Portal Multifactor Authentication Policy with a Medium assurance level and has assigned an access policy that uses the Low assurance level to App A.
- The user navigates to the RSA SecurID Access Application Portal sign-in page and enters the user ID and password. Or, if the administrator has configured IWA, the user navigates to the portal URL and credentials are automatically provided.
- The identity router checks with the identity source to confirm the user's credentials and checks the access policies for the application portal and all applications available to the user.
- The identity router enforces the access policy for the application portal. The application portal requires step-up authentication using the Medium assurance level (in this example, Device Biometrics).
- Because step-up authentication is required, the identity router sends the request to the Cloud Authentication Service.
- RSA SecurID Access provides instructions in the browser for the user to follow and sends a notification to the mobile app.
- The user completes fingerprint verification in the mobile app.
- The mobile app sends the response to Cloud Authentication Service.
- The Cloud Authentication Service sends the authentication status to the identity router.
- The user is signed into the portal.
- The user clicks the App A icon to open the app.
- The identity router enforces the access policy for App A. App A uses the Low assurance level (in this example, Approve authentication method). Because the user's session is still active from authenticating to the application portal (which uses a higher assurance level than App A), the user does not need to provide the step-up authentication required by App A.
- The identity router sends the access request to App A.
- In a new browser tab, RSA SecurID Access opens App A.
- The user accesses App A.