Authenticators Managed in the Cloud

An Authentication Manager administrator can view authenticators that are managed in the Cloud Authentication Service through the User Dashboard, which displays the following:

  • SecurID 700 hardware tokens that are managed in the Cloud Authentication Service. An Authentication Manager administrator can unassign, enable, and disable SecurID 700 hardware tokens that are managed in the Cloud Authentication Service.

  • Registered FIDO. SecurID supports FIDO-certified third-party authenticators that are managed in the Cloud Authentication Service. An Authentication Manager administrator can delete these tokens. For information on this authenticator, see FIDO.

  • Emergency Tokencode for Cloud Authentication Service users. An Authentication Manager administrator can disable Emergency Tokencode for an individual user. For information on this form of authentication, see Emergency Tokencode.

  • Authenticators that are registered for SecurID Authenticate users. For more information, see Authenticator Registration.

Although some authenticators, like registered FIDO, are only managed in the Cloud Authentication Service, you can choose whether to manage SecurID 700 hardware tokens in your Authentication Manager deployment or in the Cloud Authentication Service.

Automatic Synchronization of SecurID 700 Tokens Between Authentication Manager and the Cloud Authentication Service

Authentication Manager runs a batch job called "Cloud Sync Job" to synchronize cloud-managed token records between Authentication Manager and the Cloud Authentication Service. This batch job runs after Authentication Manager is connected to the Cloud Authentication Service and every 24 hours at a random time between 1:00 AM and 5:00 AM local time.

The "Cloud Sync Job" performs two operations to synchronize token records:

  1. SecurID 700 records are synchronized from the Cloud Authentication Service to Authentication Manager, and Authentication Manager automatically reconciles any conflicts. A cleanup job removes any token records that were already deleted in the Cloud Authentication Service.

  2. SecurID 700 records are synchronized from Authentication Manager to the Cloud Authentication Service. An "AM to Cloud Token Record Synchronizer" audit entry is logged in the Authentication Manager System Activity Monitor with a Success or Failure status.

Token records are not synchronized from Authentication Manager to the Cloud Authentication Service unless the synchronization from the Cloud Authentication Service to Authentication Manager starts. For example, a connection failure that prevents the Cloud Authentication Service from synchronizing token records to Authentication Manager also prevents the second operation from running.

If the same token is accidentally assigned to different users in the Cloud Authentication Service and Authentication Manager, and the Cloud Authentication Service user is not visible in Authentication Manager, then the token is unassigned from the Authentication Manager user. A cloud-managed token record is not created in Authentication Manager, and the sync marker is not updated.

Note: An existing direct connection between Authentication Manager and the Cloud Authentication Service is required for automatic synchronization of token records between Authentication Manager and the Cloud Authentication Service.
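The ordering and conflict rules above are easy to misread, so the following added example models them as a small simulation. It is constructed for this page and is not Authentication Manager or Cloud Authentication Service code; the in-memory record layout (serial-to-user maps), the `cloud_reachable` flag, the audit list and the way the sync marker is represented are all assumptions made for illustration. It shows the dependency between the two operations (step 2 never runs if step 1 cannot start), the cleanup of Cloud-deleted records, and the conflict case in which a token is unassigned from the Authentication Manager user without a cloud-managed record or marker update.

```python
"""Model of the documented "Cloud Sync Job" behaviour (constructed example)."""
from dataclasses import dataclass, field

AUDIT_ENTRY = "AM to Cloud Token Record Synchronizer"


@dataclass
class SyncState:
    # serial -> user id as held on each side (assumed representation)
    cloud_tokens: dict = field(default_factory=dict)
    cloud_deleted: set = field(default_factory=set)      # serials already deleted in the Cloud
    am_tokens: dict = field(default_factory=dict)
    am_visible_users: set = field(default_factory=set)   # users AM can see
    am_cloud_managed: set = field(default_factory=set)   # serials AM holds as cloud-managed
    sync_marker: dict = field(default_factory=dict)      # serial -> marker (assumed shape)
    audit: list = field(default_factory=list)            # (entry name, status) tuples


def cloud_to_am(state: SyncState, cloud_reachable: bool) -> bool:
    """Step 1: Cloud -> AM. Returns False if the step could not start."""
    if not cloud_reachable:
        return False
    for serial, cloud_user in state.cloud_tokens.items():
        am_user = state.am_tokens.get(serial)
        if (am_user is not None and am_user != cloud_user
                and cloud_user not in state.am_visible_users):
            # Conflict: same token assigned to different users and the Cloud
            # user is not visible in AM. Unassign the AM user; do not create a
            # cloud-managed record and leave the sync marker untouched.
            del state.am_tokens[serial]
            continue
        # Normal path: AM takes the Cloud record and records it as cloud-managed.
        state.am_tokens[serial] = cloud_user
        state.am_cloud_managed.add(serial)
        state.sync_marker[serial] = "synced"
    # Cleanup: drop AM records for tokens already deleted in the Cloud.
    for serial in state.cloud_deleted:
        state.am_tokens.pop(serial, None)
        state.am_cloud_managed.discard(serial)
        state.sync_marker.pop(serial, None)
    return True


def am_to_cloud(state: SyncState, cloud_reachable: bool) -> str:
    """Step 2: AM -> Cloud, always logged with a Success or Failure status."""
    try:
        if not cloud_reachable:
            raise ConnectionError("Cloud Authentication Service unreachable")
        for serial, user in state.am_tokens.items():
            if serial not in state.cloud_tokens:
                state.cloud_tokens[serial] = user
        status = "Success"
    except ConnectionError:
        status = "Failure"
    state.audit.append((AUDIT_ENTRY, status))
    return status


def run_cloud_sync_job(state: SyncState, cloud_reachable: bool = True) -> str:
    """One run of the batch job. Step 2 is skipped when step 1 never starts."""
    if not cloud_to_am(state, cloud_reachable):
        return "skipped"
    return am_to_cloud(state, cloud_reachable)


if __name__ == "__main__":
    # Constructed sample: one clean record, one conflict, one Cloud-deleted token.
    st = SyncState(
        cloud_tokens={"000123456701": "alice", "000123456702": "bob"},
        cloud_deleted={"000123456703"},
        am_tokens={"000123456702": "carol", "000123456703": "dan"},
        am_visible_users={"alice", "carol", "dan"},
    )
    print(run_cloud_sync_job(st), st.am_tokens, st.audit)
```

Running the sample leaves the first token assigned to alice in Authentication Manager, unassigns the second from carol without adding it to the cloud-managed set or the sync marker, removes the third, and logs a Success audit entry; running with `cloud_reachable=False` returns "skipped" and logs nothing.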