Configure Identity Router Security Levels - RSA Community - 622926

Register Now

Options

Subscribe to RSS Feed

Bookmark

Subscribe

Printer Friendly Page

Report Inappropriate Content

Versions

Collections

All Downloads

Table of Contents

Release Notes
- Release Notes
Product Basics
- SecurID Overview
- ID Plus Licenses
  - SecurID Licenses
  - SecurID Access Editions
- Cloud Authentication Service Overview
- Protect Resources with the Cloud Authentication Service
- High-Level Authentication Flows for the Cloud Authentication Service
- Videos
Quick Setup
- Getting Started with Quick Setup for the Cloud Authentication Service
- Quick Setup - POC
- Quick Setup - SAML Applications and Third-Party SSO Solutions
- Quick Setup - My Page SSO
- Quick Setup - IDR-Based SSO
- Quick Setup - RADIUS Clients
- Quick Setup - Connect RSA Authentication Manager to the Cloud Authentication Service with an Embedded Identity Router
Deployment Management
- Cloud Administration Console Dashboard
- Publishing Changes to the Identity Router and Cloud Authentication Service
- Supported Browsers for the Cloud Administration Console
Administrators
- Administrative Roles for the Cloud Administration Console
- Manage Administrators for the Cloud Administration Console
- Add, Edit, or Delete an Administrator for the Cloud Administration Console
- Change Your Account Name and Password in the Cloud Administration Console
- Reset Forgotten Password in the Cloud Administration Console
- Change the Identity Router Administrator Password Using the Identity Router Setup Console
Company Settings
- Configure Company Information and Certificates
- Protected Domain Name
- Customize and Configure Domain Name
- Configure Session and Authentication Method Settings
- Password Lockout Examples
- Protect the Cloud Administration Console with Additional (Step-Up) Authentication
Identity Routers
- Planning Your Identity Router Deployment
- Installing and Configuring Identity Routers
- Managing Identity Routers
Identity Sources
- Identity Sources for the Cloud Authentication Service
- LDAPv3 Server Requirements to Enable Expired Password Handling in the Application Portal
- LDAPv3 User Verification for the Cloud Authentication Service
- Add, Delete, and Test Connection for an Identity Source for the Cloud Authentication Service
- Directory Server Attributes Synchronized for Authentication
- Manually (Bulk) Synchronize an Identity Source for the Cloud Authentication Service
- Manage Identity Sources for the Cloud Authentication Service
- Unified Directory
  - Unified Directory Identity Sources
My Page Web Applications (New)
- Manage My Page
- Add a SAML Application
- Add an Application Using HTTP Federation Proxy
- Add an Application Using Trusted Headers
- Add a Bookmark Link in the Application Portal
User Application Portal
- User Application Portal
- Configure the Standard Web Application Portal
- Configure a Custom Portal Page for Web Applications
- Configure a Standard or Custom Application Portal Page
- Using Custom Settings in Your Cloud Authentication Service Deployment
- User Session and Single Sign-On
- Develop Custom Web Portals (PDF)
Access Policies
- Planning Access Policies
- Configuring Access Policies
Clusters, High Availability, and Backups
- Clusters
- Cluster Relationships
- Load Balancer Requirements
- Manage Clusters
- Enable RADIUS on Identity Routers in a Cluster
- Configure High Availability for Cloud Authentication Service Deployments
- Backing Up User Profiles for HTTP Federation Applications
- Manage Cluster Backups
Relying Parties
- Relying Parties
- SAML 2.0 Requirements for Service Providers
- Add a Relying Party
- Add a Service Provider
- Add an OIDC Relying Party
- OIDC Relying Party Endpoints
- Manage Relying Parties
- Example: SAML IdP for Cloud Authentication Service Assertion
- Add Epic Hyperdrive Relying Party
RADIUS
- RADIUS for the Cloud Authentication Service Overview
- Deploying RADIUS for the Cloud Authentication Service
- Add a RADIUS Client for the Cloud Authentication Service
- Configure a RADIUS Profile for the Cloud Authentication Service
- Attributes for RADIUS Clients and Profiles for the Cloud Authentication Service
- Customize the RSA SecurID Access Web Interface for a Cisco Adaptive Security Appliance
- Manage RADIUS for the Cloud Authentication Service
Certificates
- Cloud Authentication Service Certificates
- Generate and Download a Certificate Bundle for Service Providers and Identity Providers for the SSO Agent
- List of Trusted Certificate Authorities for HFED and Trusted Headers Applications
- Upload Certificates for Trusted Certificate Authorities
- Delete a Trusted Certificate Authority Certificate
- Certificates and Keys for Service Providers and Identity Providers for the IDR SSO Agent
- Trusted Certificate Authorities for HFED or Trusted Headers Applications
Integrated Windows Authentication
- Integrated Windows Authentication
- Deploying Integrated Windows Authentication
- Configure User Browsers for Integrated Windows Authentication
Identity Providers
- Adding Identity Providers
- Manage Identity Providers
- Restricting Access to Automated SSO Agent IdPs Using Authentication Source Access Rules
- Add Cloud Identity Provider
- Add a SAML Version 2 SSO Agent Identity Provider
- Authentication Sources
- Manage Authentication Sources
- Add an Authentication Source
- Add Authentication Source Access Rules
- Reorder Authentication Sources
- Delete an Authentication Source
IDR-Based Web Applications (Legacy)
- Cloud Authentication Service Quick Setup Guide for IDR-Based SSO
- Manage the Application Catalog (IDR)
- Manage My Applications (IDR)
- Add an Application to My Applications (IDR)
- Delete an Application From My Applications (IDR)
- Choosing a Connection Method to Add an IDR SSO Agent Application
- SAML Applications (IDR)
- Application Availability and Visibility (IDR)
- Add a SAML Application
- Configure Advanced Settings for a SAML Connection (IDR)
- Export SAML Metadata From an Application on the Identity Router (IDR)
- HTTP Federation Proxy Applications (IDR)
- Planning to Add an Application Using HTTP Federation Proxy (IDR)
- HTTP Federation Proxy Planning Worksheet (IDR)
- Add an Application Using HTTP Federation Proxy
- Trusted Headers (IDR)
- Add an Application Using Trusted Headers
- Add a Bookmark Link in the Application Portal
- Deep Linking (IDR)
Authentication Methods and Emergency Access
- Authentication Methods for Cloud Authentication Service Users
- Authentication Method Lockout
- Emergency Access for Cloud Authentication Service Users
Users and Authenticators
- Cloud Authentication Service User System Requirements
- Authenticator Registration
- SecurID Hardware Tokens
- Configure Email Notifications
- Manage My Page
- Getting Started with FIDO-Certified Security Keys with SecurID
- SecurID and Yubico
- Using RSA Security Key Utility
- Registering Devices with SecurID Authenticate App
- Manage Users for the Cloud Authentication Service
- Run User Reports
- Deploying the SecurID Authenticate App in EMM Environment
- Deploying the SecurID Authenticate for Windows 10 App Using DISM
- Deploying the SecurID Authenticator 6.0.1 for Windows Using DISM
- Deploying SecurID Authenticator 6.1.1 for Windows Using DISM
- Deploying SecurID Authenticator 6.1.2 for Windows Using DISM
- Deploying SecurID Authenticator 6.1.3 for Windows Using DISM
- SecurID App Permissions
End User Rollout
- Educating Your Users
- Cloud Authentication Service Rollout to Users
- Sample Rollout Email for SecurID Access Users
- Configure Browsers to Trust the Cloud Authentication Service
Authentication Manager Integration
- Select an Integration Path for SecurID Authentication Manager and the Cloud Authentication Service
- Quick Setup - Connect SecurID Authentication Manager to the Cloud Authentication Service with an Embedded Identity Router
- Connect Your Cloud Authentication Service Deployment to Authentication Manager
- Enable High Availability Tokencode in the Cloud Authentication Service
- Test the SecurID Authentication Manager Connection
- Update the Connection between the Cloud Authentication Service and SecurID Authentication Manager
- Delete the Connection Between the Cloud Authentication Service and Authentication Manager
Cloud Administration APIs
- Using the Cloud Administration APIs
- Manage the Cloud Administration API Keys
- Determining Access Requirements for High-Risk Users in the Cloud Authentication Service
- Authentication for the Cloud Administration APIs
- Cloud Administration Event Log API
- Cloud Administration User Search API
- Cloud Administration Synchronize User API
- Cloud Administration User Details API
- Cloud Administration Delete User Device API
- Cloud Administration Authenticator Details API Version 1
- Cloud Administration Authenticator Details API Version 2
- Cloud Administration Mark User Deleted API
- Cloud Administration Delete User Now API
- Cloud Administration User Status API
- Cloud Administration Anomalous Users API
- Cloud Administration Unlock User Tokencodes API
- Cloud Administration Update SMS and Voice Phone API
- Cloud Administration Retrieve Authentication Audit Logs API
- Cloud Administration User Event Log API
- Cloud Administration Add/Remove High-Risk Users API
- Cloud Administration Retrieve High-Risk User List API Version 1
- Cloud Administration Retrieve High-Risk User List API Version 2
- Cloud Administration Health Check API
- Cloud Administration Retrieve Device Registration Code API
- Cloud Administration Enable Emergency Tokencode API
- Cloud Administration Disable Emergency Tokencode API
- Cloud Administration Retrieve License Usage API Version 1
- Cloud Administration Retrieve License Usage API Version 2
- Cloud Administration FIDO Authenticator API
- Cloud Administration Enable FIDO Authenticator API
- Cloud Administration Disable FIDO Authenticator API
- Cloud Administration Retrieve Hardware Token Serial Number API
- Cloud Administration Assign Hardware Token API
- Cloud Administration Unassign Hardware Token API
- Cloud Administration Enable Hardware Token API
- Cloud Administration Disable Hardware Token API
- Cloud Administration Delete Hardware Token API
- Cloud Administration Clear PIN for Hardware Token API
- Cloud Administration Update Hardware Token Name API
- Cloud Administration MFA Agent Lookup REST API
- Cloud Administration Enable SecurID DS100 OTP Credential API
- Cloud Administration Disable SecurID DS100 OTP Credential API
- Cloud Administration Delete SecurID DS100 OTP Credential API
- Cloud Administration Clear PIN SecurID DS100 OTP Credential API
- Cloud Administration Retrieve SecurID DS100 OTP Credential API
- Cloud Administration Generate and Download Report APIs
SecurID Authentication API
- Manage the SecurID Authentication API Keys
- SecurID Authentication API Developer's Guide (PDF)
- FIDO Authentication and Custom App Authentication
Logging
- Logging for the Cloud Authentication Service
- Event Message Components for the Cloud Authentication Service
- Monitor User Events in the Cloud Administration Console
- Monitor System Events in the Cloud Authentication Console
- User Event Monitor Messages for the Cloud Authentication Service
- System Event Monitor Messages for the Cloud Authentication Service
- Administration Log Messages for the Cloud Authentication Service
- Identity Router Logging
- Configure Audit Logging in the Cloud Administration Console
- Set the Identity Router Logging Level
- Contents of Identity Router Log Bundle
- View the Identity Router System Log
- Identity Router Audit Log Messages
- SecurID Authenticate App Logging
Troubleshooting
- Troubleshooting Cloud Authentication Service User Issues
- Troubleshooting Cloud Administration Console Issues
- Troubleshooting Identity Router Issues
- Troubleshooting Cloud Authentication Service Identity Source Synchronization
- Monitor Uptime Status for the Cloud Authentication Service
- Access SSH for Identity Router Troubleshooting
- Grant SecurID Customer Support Access to Your Account
- Test Access to Cloud Authentication Service
Product Documentation and Support
- Product Documentation
- Support and Service for SecurID
- RSA Ready Partner Program
Copyright
- Copyright
- Yubico Copyright

Security levels determine the cipher requirements that the identity router enforces when connecting to users and components in your SecurID deployment. On the Platform > Certificates and Encryption > Encryption Settings page of the Cloud Administration Console, you can view cipher requirements for incoming and outgoing connections, and modify the security level for incoming and outgoing connections.

The default security level is High. When you select a security level, the new setting applies to all identity routers.

The security level you select for incoming connections must support at least one cipher that is compatible with the load balancers and web browsers that connect to the identity router. The security level you select for outgoing connections must support at least one cipher that is compatible with web servers, which connect to the identity router. For example, if a web browser used by your organization does not support any of the ciphers from the Medium level, but supports one of the additional ciphers available at the Low level, you can set the security level to Low to ensure compatibility with that browser. SecurID recommends using the highest security level that supports the components you need to connect.

Before you begin

You must be a Super Admin in the Cloud Administration Console.
Determine the highest incoming security level that includes the ciphers necessary to communicate with all web browsers and load balancers in your deployment. For security level cipher requirements, see Security Levels and Identity Router Connection Ciphers .

Procedure

In the Cloud Administration Console click Platform > Certificates and Encryption > Encryption Settings.
From the Security Level drop-down menu in the Incoming Connections section, select the security level to use for connections between browsers or load balancers and the identity router.
From the Security Level drop-down menu in the Outgoing Connections section, select the security level to use for connections between the identity router and web servers for reverse proxy applications.
Click Save Settings.
(Optional) To apply the new settings immediately, click Publish Changes.