Edit the Cloud Authentication Service Connection

After you connect RSA Authentication Manager to the Cloud Authentication Service, you can edit the connection.

For instructions on how to configure the initial connection, see the following:

Before you begin

  • You must be a Super Admin.

  • A new Registration Code and Registration URL is required if you need to re-register Authentication Manager with the Cloud Authentication Service. You must re-register for any of the following reasons:

    • You are configuring an embedded identity router.
    • You want to enable the high availability tokencode feature, and you are upgrading from an RSA Authentication Manager 8.4 deployment that is already connected to the Cloud Authentication Service.
    • The access policy that was used for the original connection has been replaced with a different access policy. The access policy is configured and selected in the Cloud Administration Console.
    • The access policy name that was used for the original connection has changed.
    • The RSA Authentication Manager API Key used for the original connection has been deleted from the Authentication API Keys page or the Administration API Key page in the Cloud Administration Console. This disconnects Authentication Manager from the Cloud Authentication Service.
    • You make changes to an HTTPS proxy server, and you need to connect to the Cloud Authentication Service again and accept a new certificate. You do not need to re-register if you configure or update the connection to a HTTP proxy server.

    If you need to obtain the Registration Code and Registration URL, see Connect Your Cloud Authentication Service Deployment to RSA Authentication Manager.

Procedure

  1. In the Security Console, click Setup > System Settings.

  2. Click Cloud Authentication Service Configuration.

  3. If Authentication Manager is behind an external firewall, you can configure a connection to a proxy server before connecting to the Cloud Authentication Service. For instructions, see Configure a Proxy Server.

  4. To connect Authentication Manager to the Cloud Authentication Service, do the following:

    1. Under Register Authentication Manager with the Cloud Authentication Service, copy and paste the Registration Code and the Registration URL from the Cloud Administration Console, or obtain this information from a Cloud Authentication Service Super Admin and manually enter it.

      For more information, see Connect Your Cloud Authentication Service Deployment to RSA Authentication Manager.

    2. Click Connect to the Cloud Authentication Service.

      A message indicates that the connection is established. The Cloud Authentication Service details are automatically updated and saved.

  5. To enable users to authenticate to the Cloud Authentication Service, under Cloud Authentication Service Configuration, click Enable Cloud Authentication.

  6. The Enable Authenticate Tokencode PIN Prompts checkbox is selected if you previously used the Security Console to connect RSA Authentication Manager to the Cloud Authentication Service before applying Patch 3. The Enable Authenticate Tokencode PIN Prompts checkbox is not selected if you apply Patch 3 before making the connection.

    Clear the Enable Authenticate Tokencode PIN Prompts checkbox to prevent Authenticate Tokencode users from being prompted for PINs on their first authentication to the Cloud Authentication Service. During subsequent authentications, Authenticate Tokencode users are only prompted for a PIN if their PIN has expired, or if an administrator has cleared their PIN or requires users to create another PIN. This option does not affect other types of authentication.

  7. You can use RSA Authentication Manager as a secure proxy server that sends authentication requests directly to the Cloud Authentication Service.

    To manually enable this feature, select the Send Multifactor Authentication Requests to the Cloud checkbox.

  8. Click Save.

After you finish

  • If required by your deployment, add the Multifactor Authentication REST URL and the Help Desk Administration REST URL to a whitelist of URLs that Authentication Manager is allowed to access.

    Other URLs are as follows.

    FeatureURLStatic or Dynamic
    Telemetrytelemetry.access.securid.comStatic
    Requesting a Cloud Authentication Service Account

    Based on your region:

    provisioning.access.securid.com

    provisioning.access-eu.securid.com

    provisioning.access-anz.securid.com

    Static
    Embedded identity router

    The connection information varies. You can use a wildcard:

    *.blob.core.windows.net

    Dynamic
  • For any administrator who needs to manage Cloud Authentication Service users in the Authentication Manager User Dashboard, you must have selected Manage Cloud Authentication Service Users on the General Permissions tab. For more information, see Edit Permissions for an Administrative Role.