Configure Company Information and CertificatesConfigure Company Information and Certificates
Configure settings that affect your entire deployment. These settings include:
-
Configure Secure Sockets Layer (SSL) private keys and certificates to protect the SecurID Application Portal.
-
Define a Protected Domain Name for SSO Agent deployments.
- Disable or enable the following settings:
Data collection for identity confidence and location.
Disable the Remember This Browser prompt during authentication
Agent inventory data collection
Mobile Lock for threat detection on mobile devices
Note: The Company Information page displays the Customer Site ID, which is required when you register with RSA Customer Support.
Certificate RequirementsCertificate Requirements
Certificates are required in either of the following situations:
-
The IDR SSO Agent is enabled on the identity router.
-
The Cloud Authentication Service is integrated with Authentication Manager 8.4 Patch 3 or earlier.
Before you begin
- You must be a Super Admin for the Cloud Authentication Service.
-
Complete the "Plan" section in your Quick Setup Guide. Plan the protected domain name carefully. Once added, it is difficult to change. See Protected Domain Name for details and examples. This name is not required for deployments that do not use the IDR SSO Agent.
-
Obtain the private key, public certificate, and certificate chain required to configure SSL protection for the SecurID Application Portal, or for the RSA Authentication Manager integration that allows users to access SecurID-protected resources using Authenticate OTPs. In Authentication Manager, this certificate chain (root certificate plus optional Certificate Authority certificates) is identified in the Operations Console as the identity router root certificate. For more information, see Cloud Authentication Service Certificates.
Procedure
-
In the Cloud Administration Console, click My Account > Company Settings and select the Company Information tab.
-
In the Protected Domain Name field, enter the Protected Domain Name value from your Quick Setup Guide. This is a unique domain name for your deployment, such as sso.example.com. Deployments that use the IDR SSO Agent must have a protected domain name in order to publish changes to the identity router.
Note: Protected Domain Name value is required only for IDR proxied applications (HTTP Federation Proxy, Trusted Header, and NTLM).
-
Upload the following files:
-
The Private Key that matches the public certificate. Ensure that the private key is not password protected.
-
The Public Certificate that was issued from the certificate authority (CA) for your domain.
-
The Certificate Chain that was provided by the CA, which is valid for your public certificate.
Note: Keys and certificates are required only for IDR proxied applications (HTTP Federation Proxy, Trusted Header, and NTLM).
-
-
In the Organization ID field, enter the Organization ID that users provide when registering the SecurID app/SecurID Authenticator app on their devices. The first time you sign in to the Cloud Administration Console and access your account information, this field is preconfigured. Edit this field to your company specifications.
Do not exceed 255 characters. Use only alphanumeric characters with no spaces. This value must be unique across all SecurID customers.Note: If you change the Organization ID, you must instruct users to provide the new value when registering the SecurID app/SecurID Authenticator app. Authenticators that are already registered are not affected.
-
When used in access policies, the Identity Confidence attribute allows RSA to establish high or low confidence in a user's identity based on data it has collected about the user over a period of time. SecurID recommends that you leave data collection enabled. However, if required by your company, you can disable Identity Confidence Collection to prevent the Cloud Authentication Service from collecting this data from users during authentication. Do not use the Identity Confidence attribute in access policies when this field is disabled. For more information, see Identity Confidence .
Note: The identity confidence attribute requires location data collection to be enabled to provide the most accurate results.
-
By default, RSA collects location data from users using HTML5 geolocation. This data is used by the Trusted Location, Identity Confidence, and Country attributes to evaluate users' authentication requirements when they try to access protected resources. RSA recommends that you leave data collection enabled. However, if required by your company, you can disable Location Collection during authentication.
Note: When disabled, do not use the Trusted Location in access policies and be aware that the location calculations for the Country and Identity Confidence attributes are less accurate.
-
By default, the Cloud Authentication Service prompts users to click Remember This Browser during authentication. Disabling the prompt has the following impact:
-
Users are never prompted to click Remember This Browser during authentication.
-
The Cloud Authentication Service ignores the Known Browser attribute in access policies and always assumes the browser is unknown, even if it was previously "known."
Note: If you disable this prompt, you should also remove the Known Browser attribute from access policies.
-
- RSA Mobile Lock detects critical threats to a mobile device and restricts the user’s ability to authenticate until the threat issue is resolved. You can enable the Mobile Lock setting if you have requested this enhanced mobile protection. By default, this setting is disabled. For more information, see RSA Mobile Lock.
-
The Unified Directory is a new user identity store for the RSA Cloud Authentication Service that will enable full Cloud-only deployments in the future. RSA Unified Directory has the ability to create and store local users and their passwords using the open standard System for Cross-domain Identity Management (SCIM) API. Administrators can add and manage local users from the Cloud Administration Console. In the Cloud Administration Console, administrators can upload a CSV file to import new users. Users can manage themselves using the My Page self-service portal. Local user passwords are completely validated within the Cloud Authentication Service and are optional. For details on user provisioning using SCIM API, see User Provisioning Using SCIM API.
- Click Save Settings.