Transfer SecurID 700 Hardware Token Ownership to the Cloud Authentication Service

You can transfer ownership and administration of assigned and unassigned SecurID 700 hardware tokens from RSA Authentication Manager to the Cloud Authentication Service. You select which token records are transferred, and you initiate the transfer. After the token records are transferred to the cloud, Authentication Manager no longer manages the tokens and cannot take back ownership.

Note: A connection through an embedded or external identity router does not support this integration. For instructions, see Connect RSA Authentication Manager to the Cloud Authentication Service.

Token Eligibility for Transfer

The following SecurID 700 hardware tokens are eligible for transfer:

  • Assigned hardware tokens that are enabled.

  • Unassigned hardware tokens that are enabled or disabled.

    By default, unassigned hardware tokens are disabled in Authentication Manager.

Ineligible tokens are logged as "ignored" by Authentication Manager or "failed" by the Cloud Authentication Service. The following table lists the tokens that cannot be transferred.

Not Transferred by Authentication Manager (Ignored) Not Accepted by the Cloud Authentication Service (Failed)
Not a SecurID 700 hardware token. X
Lost token. X

Assigned token that is disabled. X
Token that is being replaced or a replacement token. X
Expired token. X
Token that does not require a PIN. X
User record is pending deletion in the Cloud Authentication Service. X
Token is assigned to a user who has different e-mail addresses in Authentication Manager and the Cloud Authentication Service. X
Token assigned to a user who is in the Authentication Manager internal database and not present in the Cloud Authentication Service. X
Token assigned to a user who is disabled in the identity source and does not exist in the Cloud Authentication Service. X
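
Because a transfer cannot be reversed, it helps to screen token records against the eligibility rules above before selecting them. The following pre-transfer check is an added example, not RSA code: the record layout, every field name, and the sample records are hypothetical and constructed for illustration. It reports only the blocking condition, not whether Authentication Manager or the Cloud Authentication Service would reject the token.

```python
from datetime import date

def transfer_blockers(t, cloud_users, today):
    """Reasons a token record would not transfer; an empty list means eligible."""
    u = t["user"]                                   # None for an unassigned token
    cloud = cloud_users.get(u["id"]) if u else None
    missing = u is not None and cloud is None       # assigned, but no cloud user record
    checks = [
        (t["type"] != "SecurID 700", "not a SecurID 700 hardware token"),
        (t["lost"], "lost token"),
        (t["replacement_state"] != "none", "being replaced or is a replacement"),
        (t["expires"] < today, "expired"),
        (not t["requires_pin"], "does not require a PIN"),
        # Disabled blocks assigned tokens only; unassigned ones transfer either way.
        (u is not None and not t["enabled"], "assigned token is disabled"),
        (missing and u["internal_db"], "internal-database user not in cloud"),
        (missing and u["disabled_in_source"], "user disabled in identity source, not in cloud"),
        (cloud is not None and cloud["pending_deletion"], "cloud user pending deletion"),
        # Exact string comparison is an assumption; the page only says "different".
        (cloud is not None and cloud["email"] != u["email"], "e-mail differs between AM and cloud"),
    ]
    return [reason for blocked, reason in checks if blocked]

def preflight(tokens, cloud_users, today):
    """Map serial -> blocker list for every token that would not transfer."""
    return {t["serial"]: w for t in tokens if (w := transfer_blockers(t, cloud_users, today))}

# Constructed sample data; every field name below is hypothetical.
def tok(serial, **kw):
    base = {"serial": serial, "type": "SecurID 700", "enabled": True, "lost": False,
            "replacement_state": "none", "expires": date(2030, 1, 1),
            "requires_pin": True, "user": None}
    return {**base, **kw}

def user(uid, email, internal=False, disabled=False):
    return {"id": uid, "email": email, "internal_db": internal, "disabled_in_source": disabled}

TODAY = date(2025, 6, 1)
CLOUD_USERS = {"alice": {"email": "alice@example.com", "pending_deletion": False},
               "bob": {"email": "bob@corp.example.com", "pending_deletion": False}}
TOKENS = [tok("T1", user=user("alice", "alice@example.com")), tok("T2", enabled=False),
          tok("T3", enabled=False, user=user("alice", "alice@example.com")),
          tok("T4", user=user("bob", "bob@example.com")),
          tok("T5", expires=date(2024, 12, 31), requires_pin=False),
          tok("T6", user=user("carol", "carol@example.com", internal=True))]

if __name__ == "__main__":
    for serial, why in preflight(TOKENS, CLOUD_USERS, TODAY).items():
        print(serial, "->", "; ".join(why))
```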

What to Expect

When you transfer tokens, expect the following:

  • After ownership is transferred, all policies and configurations from the Cloud Authentication Service are applied for cloud authentication. The Cloud Authentication Service performs the tokencode validation.

  • For transferred SecurID 700 tokens, when the Cloud Authentication Service is slow or unreachable, you can leverage the high availability failover in Authentication Manager.

  • PINs for transferred tokens follow the PIN policies for the Cloud Authentication Service. Existing PINs for transferred tokens can be used to authenticate.

  • Alphanumeric PINs are case sensitive in the Cloud Authentication Service. Authentication Manager PINs are not case sensitive. For example, AXD72rc and axd72rc are considered the same PIN. The Cloud Authentication Service only accepts the case used when the PIN was created, for example, AXD72rc.

  • Authentication Manager supports token attribute definitions that store information not contained in the standard set of token attributes. The Cloud Authentication Service does not support these optional attributes. Token attributes are removed when tokens are transferred to the Cloud Authentication Service.

  • Any changes to tokens that occur during the ownership transfer are not retained, except for security domain updates. For example, do not update the PIN or create an emergency access tokencode for a token that is being transferred.

  • For transferred tokens or Cloud-owned tokens, offline authentication is supported by MFA agents only in cloud direct or proxy mode.

Transfer Tokens to Cloud Authentication Service

Before you begin

You must have an existing connection between Authentication Manager and the Cloud Authentication Service.

Procedure

  1. In the Security Console, click Authentication > SecurID Tokens > Manage Existing.

  2. Click the Assigned or Unassigned tab to view assigned or unassigned tokens, respectively.

  3. Use the search fields to find the token that you want to transfer.

  4. Do the following:

    To transfer multiple tokens:

    1. Select the checkboxes next to the tokens that you want to transfer.

    2. From the Action menu, select Transfer Ownership to Cloud.

    To transfer one token:

    1. Click the token.

    2. From the context menu, select Transfer Ownership to Cloud.

  5. Click OK to transfer the tokens.

    You can view or cancel the batch job that transfers the tokens. See View Transfer Tokens to Cloud Jobs.

    After the transfer is complete, you can view the details by running the Administrator Activity report and selecting the activity key "Transfer Token Ownership To Cloud."

View Transfer Tokens to Cloud Jobs

Transfer tokens to cloud jobs are created when an administrator transfers the ownership and administration of SecurID 700 hardware tokens from RSA Authentication Manager to the Cloud Authentication Service.

These jobs are manually scheduled tasks that run on demand for RSA Authentication Manager. You can view jobs that are in progress and that have been completed.

Procedure

To view details of a job in progress, do the following:

  1. In the Security Console, click Authentication > SecurID Tokens > Transfer Tokens to Cloud Job.

  2. Click the In Progress tab.

To view details of a completed job, do the following:

  1. Click Authentication > SecurID Tokens > Transfer Tokens to Cloud Job.

  2. Click the Completed tab.

  3. Click the job that you want to view.

  4. From the context menu, click View Job Summary.

    The View Job Summary page contains information about the number of tokens successfully transferred, ignored, and failed. The token transfer job ignores disabled tokens, replacement tokens, and tokens that are being replaced. Communications issues might cause a token to fail to transfer. Check your log files for more details.

Cancel a Transfer Tokens to Cloud Job

You can cancel a transfer tokens to cloud job with the status In Queue or In Progress.

When you cancel a job that is in progress, the Cloud Authentication Service manages tokens that were already transferred. The transferred tokens exist in both the Cloud Authentication Service and Authentication Manager until the next time that token records are synchronized.

Before you begin

You must be a Super Admin.

Procedure

  1. In the Security Console, click Authentication > SecurID Tokens > Transfer Tokens to Cloud Job.

  2. Click the batch job that you want to cancel, and select Cancel Job.

  3. Click OK to verify that you want to cancel the job.