This guide helps you quickly set up your production deployment for the Cloud Authentication Service with an embedded identity router in RSA Authentication Manager 8.5 Patch 1 or later.
An identity router is software that enforces authentication and access for users of protected resources. By downloading and configuring the embedded identity router to the Authentication Manager primary and each replica instance, you can save the time and cost of deploying separate identity routers in your network.
The embedded identity router supports authentication only to third-party SSO solutions that use the Cloud Authentication Service as the identity provider (IdP) for managing authentication, as described in Relying Parties. It does not support authentication to applications through RADIUS in the Cloud Authentication Service, or single sign-on (SSO) using the RSA SecurID Access Application Portal. To use these features, you must deploy your identity router on another platform.
Perform these steps:
Step 4: Connect the LDAP Directory to the Cloud Authentication Service
You need to plan a few things:
Review the Planning Guide for a conceptual overview of the Cloud Authentication Service.
| Requirement | Notes |
|---|---|
| RSA Authentication Manager 8.5 Patch 1 or later. | Authentication Manager must be deployed in your environment. |
| A Cloud Authentication Service account with sign-in credentials for the Cloud Administration Console. | If you do not already have an account, call 1 800 995-5095 and choose Option 1 to speak to your SecurID Sales Representative. |
| Microsoft Active Directory 2008 or 2012 or LDAPv3 directory server | Create a group of a limited number of users (for example, RSA SecurID Access Test Group) to synchronize and test with. |
| SSL/TLS certificate from your LDAP directory server | Used for an encrypted connection (LDAPS) to your directory server. Download the SSL/TLS certificate from your directory server. If your directory server does not have a certificate, install one. See Cloud Authentication Service Certificates. |
| A mobile device or Windows PC | See RSA SecurID Authenticate Device Requirements. |
RSA SecurID Access uses a hybrid architecture that consists of two components:
- The Cloud Authentication Service, a cloud service that provides an easy-to-use Cloud Administration Console and a powerful identity assurance engine.
- The identity router, which:
  - Connects the Cloud Authentication Service to your identity sources.
  - Sends authentication requests to the Cloud Authentication Service for validation.
  - Enforces access policies to determine which applications users can access, when additional authentication is needed, and which authentication methods are required.
You are deploying an embedded identity router, which is easier to set up than a standalone identity router.
Add your values to the following worksheet. You will use this information later.
Cloud Administration Console and Cloud Authentication Service
- Your authentication service domain appears in the Cloud Administration Console on the Platform > Identity Router > Registration page when you add an identity router.
- To check the status of your Cloud connections, see View Identity Router Status in the Cloud Administration Console.
- To test access to the IP addresses, see Test Access to Cloud Authentication Service.
Embedded Identity Router
LDAP directory server
Replace the values in the table below with your values from the table above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules for your network. Update your connectivity settings before continuing with the next step.
| Source | Destination | Protocol and Port | Purpose |
|---|---|---|---|
| 0.0.0.0/0 | Both Cloud Authentication Service environments | TCP 443 | External user access to Cloud Authentication Service |
| Embedded identity router (the embedded identity router supports the use of one network interface) | Cloud Administration Console and both Cloud Authentication Service environments | TCP 443 | Identity router registration |
| All Authentication Manager primary and replica instances | The two embedded identity router URLs for your region that are listed in the previous table. | TCP 443 | Embedded identity router deployment |
| <Your identity router management interface IP address> | <Your LDAP directory server IP address> | TCP 636 | LDAP directory user authentication and authorization |
| <Your identity router portal interface IP address or identity router management interface IP address> | <Your DNS server IP address> | UDP 53 | DNS |
| <Your identity router portal interface IP address or identity router management interface IP address> | <Your NTP server IP address> | UDP 123 | Network time server synchronization |
| RSA Authentication Manager internal firewall | Authentication Manager | TCP 9786 | Identity router configuration and communication with Authentication Manager |

Note: If your company uses URL filtering, be sure that *.access.securid.com, *.auth.securid.com, and the Cloud Authentication Service IP addresses for your region are whitelisted. Also, confirm that you can access both environments.
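The connectivity rows above as a runnable pre-flight check. This is an added example, not RSA tooling: it assumes it runs from a host on the same network segment as the Authentication Manager instance, and that the placeholder values in WORKSHEET are replaced with the values you recorded; the tenant hostnames are assumptions, only the *.access.securid.com and *.auth.securid.com patterns come from the page.

```python
import socket
from collections import namedtuple

# Worksheet values (placeholders: replace with the values you recorded above).
WORKSHEET = {
    "cloud_hosts": ["<your-tenant>.access.securid.com", "<your-tenant>.auth.securid.com"],
    "ldap_ip": "<Your LDAP directory server IP address>",
    "dns_ip": "<Your DNS server IP address>",
    "ntp_ip": "<Your NTP server IP address>",
    "am_host": "<Authentication Manager instance hostname or IP>",
}

Check = namedtuple("Check", "destination proto port purpose")

def outbound_checks(ws: dict) -> list:
    """The page's connectivity table as probes to run from the identity router's network."""
    checks = [Check(h, "tcp", 443, "Identity router registration") for h in ws["cloud_hosts"]]
    checks += [Check(ws["ldap_ip"], "tcp", 636, "LDAP directory user authentication and authorization"),
               Check(ws["dns_ip"], "udp", 53, "DNS"),
               Check(ws["ntp_ip"], "udp", 123, "Network time server synchronization"),
               Check(ws["am_host"], "tcp", 9786, "Identity router configuration with Authentication Manager")]
    return checks

def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """A completed TCP handshake proves both the firewall path and the listener exist."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # refused, timed out, or unresolvable placeholder
        return False

# UDP has no handshake, so send a minimal protocol-valid request and wait for any reply.
_UDP_PROBES = {
    53: b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01",  # DNS A query for "."
    123: b"\x1b" + 47 * b"\x00",                                                   # NTP v3 client request
}

def udp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(_UDP_PROBES.get(port, b"\x00"), (host, port))
            s.recvfrom(512)
            return True
        except OSError:        # timeout, ICMP port unreachable, or unresolvable host
            return False

def run_checks(ws: dict) -> list:
    """(check, reachable) pairs: anything False needs a firewall rule or a listener fixed first."""
    return [(c, (tcp_reachable if c.proto == "tcp" else udp_reachable)(c.destination, c.port))
            for c in outbound_checks(ws)]
```

A reply to the DNS or NTP probe only shows the UDP path is open; it does not validate the server's answer.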
If your RSA Authentication Manager deployment is not connected to the Cloud Authentication Service or if you connected before upgrading to version 8.5, you must configure the connection.
Before you begin
Know which access policy will be applied to all users who access these resources, or configure a new access policy. An access policy determines which users can access your protected resources and which authentication methods they are required to use. You can use a preconfigured policy or create your own. For more information, see Access Policies.
Obtain a Registration Code and Registration URL from the Cloud Authentication Service. In the Cloud Administration Console, click Platform > Authentication Manager, select an access policy, generate the Registration Code and Registration URL, and save this information in a text file.
In the Security Console, click Setup > System Settings.
Click Cloud Authentication Service Configuration.
If RSA Authentication Manager is behind an external firewall that restricts outbound traffic, you must configure a proxy server.
A message indicates that the connection is established. The Cloud Authentication Service details are automatically updated and saved.
Under Cloud Authentication Service Configuration, click Enable Cloud Authentication.
When selected, Authentication Manager acts as a secure proxy server that sends authentication requests to the Cloud Authentication Service. This feature supports all authentication methods supported by REST protocol authentication agents, whether verified by Authentication Manager or the Cloud Authentication Service.
You can download and configure the embedded identity router on the primary instance and on at least one replica instance. Deploying more than one identity router provides redundancy during a promotion for maintenance or in a disaster recovery situation. The embedded identity router is not included in Authentication Manager backup files.
In the Cloud Administration Console, add an identity router record. Either record the Registration Code and the Authentication Service Domain now, or plan to copy this information later.
In the Security Console, click Setup > System Settings.
Click Cloud Authentication Service Identity Router.
Click Download & Install Identity Router.
Progress messages are displayed. The process takes a couple of minutes, depending on your network speed.
You can click Back to navigate away from the page without stopping the process.
After installation is complete, you must register the identity router with the Cloud Authentication Service.
Click Configure Identity Router to open the Identity Router Setup Console.
The first time you log on, use these credentials:
You are prompted to change the password.
Record this password, so that you can access it when you need it.
Sign in with the new password.
Find the Registration Code and Authentication Service Domain values you copied in Step 1 and paste them into the Identity Router Setup Console.
Click Submit. The identity router is registered with the Cloud Authentication Service.
After you finish
(Optional) Deploy the embedded identity router on at least one replica instance.
Perform these steps to connect to an LDAP directory quickly using only required settings. If you want to use advanced options, see Add an Identity Source.
In the Cloud Administration Console, click Users > Identity Sources.
Click Add an Identity Source > Select next to the directory to add.
Enter the identity source name and root (the base DN for users from the planning worksheet).
Select Use SSL/TLS encryption to connect to the directory servers.
Click Add and select the SSL/TLS certificate.
In the Directory Servers section, add each directory server in the identity source, and test the connection.
Click Next Step.
On the User Attributes page, click Refresh Attributes, and verify that a valid list of attributes appears.
Select the checkbox Synchronize the selected policy attributes with the Cloud Authentication Service.
In the Policies column, select sAMAccountName, virtualGroups, and memberOf or other attributes that you might use to identify users.
In the User Search Filter field, specify your test group using a filter. The following is an Active Directory example:
where <yourgroup_distinguishedName> is the distinguished name of your test administrator group. For example:
(&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf=CN=SecurIDAccessUsers,OU=Groups,DC=Corp,DC=local))
Click Save and Finish.
Click Publish Changes.
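The User Search Filter step above, as an added example that is not part of the RSA page: it builds the page's Active Directory filter from a group DN with RFC 4515 escaping (so a DN containing parentheses or asterisks cannot change the filter's meaning), checks the result is balanced, and dry-runs it over constructed directory entries to show which users would be synchronized. The sample entries and the parser are this example's own, not the Cloud Authentication Service's.

```python
import re
GROUP_DN = "CN=SecurIDAccessUsers,OU=Groups,DC=Corp,DC=local"   # the page's example group
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a DN containing '(' ')' or '*' cannot alter the filter's logic."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_test_group_filter(group_dn: str) -> str:
    """The page's Active Directory filter with <yourgroup_distinguishedName> filled in."""
    return ("(&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)"
            f"(memberOf={escape_filter_value(group_dn)}))")

def _parse(s: str, i: int = 0):
    """Parse the subset used here: (&...) and (attr=value|*). Returns (node, next index)."""
    if s[i + 1] == "&":
        i, children = i + 2, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        return ("and", children), i + 1          # skip the closing ')'
    j = s.index(")", i)                          # an escaped ')' is '\29', so this is the real close
    attr, _, value = s[i + 1:j].partition("=")   # the first '=' separates attr from a DN value
    return ("eq", attr.lower(), value), j + 1

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _matches(node, entry: dict) -> bool:
    if node[0] == "and":
        return all(_matches(child, entry) for child in node[1])
    _, attr, value = node
    present = [v.lower() for v in entry.get(attr, [])]
    return bool(present) if value == "*" else _unescape(value).lower() in present

def users_to_sync(filter_str: str, entries: list) -> list:
    """Dry run of the sync: sAMAccountNames of the entries the filter would select."""
    node, end = _parse(filter_str)
    if end != len(filter_str):
        raise ValueError("unbalanced filter or trailing characters")
    return [e["samaccountname"][0] for e in entries if _matches(node, e)]

# Constructed directory entries (attribute names lowercased) for the offline dry run.
SAMPLE_ENTRIES = [
    {"objectcategory": ["Person"], "objectclass": ["user"], "samaccountname": ["alice"],
     "mail": ["alice@corp.local"], "memberof": [GROUP_DN]},
    {"objectcategory": ["Person"], "objectclass": ["user"], "samaccountname": ["bob"],
     "memberof": [GROUP_DN]},                                           # no mail: excluded
    {"objectcategory": ["Person"], "objectclass": ["user"], "samaccountname": ["carol"],
     "mail": ["carol@corp.local"], "memberof": ["CN=Staff,OU=Groups,DC=Corp,DC=local"]},  # not in the test group
]
```

Only alice is selected: bob has no mail attribute and carol is not a member of the test group, which is exactly why a small, well-defined test group keeps the first synchronization predictable.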
Synchronize data between the Cloud Authentication Service and your LDAP directory to ensure that the Cloud Authentication Service reflects any updates made to the LDAP directory.
During synchronization, users are added and attribute values that you selected in the previous step are copied to the Cloud Authentication Service. User passwords are not synchronized.
In the Cloud Administration Console, click Users > Identity Sources.
Next to your identity source, select Synchronization from the drop-down menu.
In the Identity Source Details section, click Synchronize Now.
Depending on the number of users you are synchronizing, this process can take a number of minutes.
RSA SecurID Access My Page is a web portal that helps provide a secure way for users to complete authenticator registration. Perform these steps to enable My Page for your company. If you want to configure advanced settings for My Page, see Manage My Page.
Enable My Page.
In the Primary Authentication Method drop-down list, select the authentication method to use.
In the Access Policy for Additional Authentication drop-down list, select the No Additional Authentication policy that you created earlier.
Configure an application to be protected by RSA SecurID Access. The application must be a third-party SSO solution that uses the Cloud Authentication Service as the identity provider (IdP) for managing authentication, as described in Relying Parties. In the configuration wizard, select the preconfigured access policy All Users Low Assurance Level. If you prefer to create a policy, see Add, Clone, or Delete an Access Policy.
For instructions for all supported applications, see the RSA SecurID Access category on RSA Ready.
Perform these steps to quickly register a device. For additional information, see Registering Devices with RSA SecurID Authenticate App.
On one device (for example, your computer), do the following:
Enter your email address.
Enter your RSA SecurID passcode or password, depending on what you configured.
Complete any additional authentication that you are prompted for.
Click RSA SecurID Authenticate app > Get Started.
On another device (iOS, Android, or Windows 10), download the RSA SecurID Authenticate app:
iOS: Apple App Store
Android: Google Play
Windows 10: Microsoft Store
On your computer, on the Registration page, click Next.
On your mobile device, do the following:
Open the RSA SecurID Authenticate app.
Tap Allow to allow the Authenticate app to send notifications.
Allow or deny Google Analytics data collection. You can select either option to use the Authenticate app.
Accept the license agreement.
Tap Scan QR Code.
Allow the app to access your camera.
Scan the QR code that displays in My Page.
Tap OK after setup is complete.
Swipe through the tutorial.
The app home screen appears, and the app is ready for use.
On your computer, on the Registration page, click Test Now.
RSA SecurID Access sends a notification to your registered device.
On your mobile device, tap the notification and approve it.
The My Page home screen displays. You have successfully registered and tested your device.
Start the sign-in process to the protected resource.
RSA SecurID Access sends a notification to your phone.
Tap Approve on your mobile device.
Select Remember this browser, and click Continue.
You are signed into the resource.
| Task | See |
|---|---|
| Invite existing RSA SecurID users to download the Authenticate app, register an authenticator, and help you to test the deployment. | |
| View the status of the identity routers, test the identity router, and perform related tasks. | Manage Identity Routers in the Cloud Administration Console |
| Troubleshoot identity router issues. | Download Troubleshooting Files; Enable Emergency Debug Logging |
Quick Setup - Connect RSA Authentication Manager to the Cloud Authentication Service with an Embedded Identity Router