Connect the Identity Router to the Cloud Administration Console

securid_watchthevideographic.png

Connect the identity router to the Cloud Administration Console to enable administrators to publish configuration changes to the identity router.

Note: This procedure applies to identity routers deployed on the VMware, Hyper-V, or Amazon Web Services cloud platforms. If you are deploying an identity router that is embedded in Authentication Manager, see Quick Setup - Connect SecurID Authentication Manager to the Cloud Authentication Service with an Embedded Identity Router.

Before you begin

  • You must be a Super Admin in the Cloud Administration Console.
  • Complete the "Plan" section in your Quick Setup Guide.
  • Obtain the Registration Code and Authentication Service Domain displayed when you added the identity router in the Cloud Administration Console.

Procedure

  1. Open a web browser and do one of the following:

    • For identity routers with in the Amazon cloud, go to https://<identityrouterIP>:9786/setup.jsp, where <identityrouterIP> is the private IP address of the identity router.

    • For VMware and Hyper-V identity routers, go to one of the following:

      • https://<identityrouterIP>/setup.jsp (for two network interfaces)
      • https://<identityrouterIP>:9786/setup.jsp (for one network interface)

      where <identityrouterIP> is the IP address of the identity router management interface.

      See your Quick Setup Guide for the identity router IP address.

  2. Sign into the Identity Router Setup Console. If this is your first time signing into the setup console for this identity router, see Change the Identity Router Administrator Password Using the Identity Router Setup Console.

  3. Click Connect Administration Console.

  4. In the Registration Code field, enter the Registration Code displayed when you added the identity router in the Cloud Administration Console.

  5. In the Authentication Service Domain field, enter the Authentication Service Domain displayed when you added the identity router in the Cloud Administration Console.

  6. (Optional) If you want to configure a proxy server to handle traffic between the identity router and the Cloud Authentication Service, enter the proxy server details.

    The proxy server can be unauthenticated, transparent, or authenticated. If you specify an authenticated proxy, it must be configured for only basic authentication.

    In RADIUS and relying party deployments, the proxy server handles traffic for authentication and product maintenance (such as cluster updates). In an IDR SSO Agent deployment, the proxy server handles traffic for product maintenance.

    • Enter the Proxy Host, formatted as an IP address or hostname.

    • Enter the Proxy Port number for the proxy.

    • If the proxy requires authentication, enter the Proxy Username.

    • If the proxy requires authentication, enter the Proxy Password.

  7. Click Submit.

    Follow the instructions presented. If an error occurs that you are unable to resolve, contact Customer Support. A confirmation message appears when the identity router is connected to the Cloud Administration Console.

    If an SSL proxy is in the network path between the identity router and the Cloud Authentication Service and the identity router does not recognize the SSL proxy certificate, you are prompted to accept or reject the certificate. Rejection causes the connection to fail. If failure occurs, you might have to remove or update the SSL proxy that is presenting the untrusted certificate. If the certificate has expired, the connection fails and a message indicates the certificate is invalid.

    The message "Certificate trust overrides are configured for this identity router" indicates that a non-SecurID (SSL proxy) certificate is configured for the identity router. Be aware that the owner of the configured certificate can read the encrypted traffic between the identity router and the Cloud Authentication Service.

  8. Sign into the Cloud Administration Console to check the status of the identity router (Platform > Identity Routers).
    When the identity router is connected to the Cloud Administration Console, the status reads Starting until the identity router is Active.

    Note: If the status does not change to Active after 10 minutes, see Troubleshooting Identity Router Issues.

  9. In the Cloud Administration Console, click Publish Changes to apply the configuration settings for the new identity router. After the publish operation has completed, the identity router is fully deployed.

  10. If you accepted an SSL proxy for the identity router in Step 7, make sure you inform your IT department so they can add the Cloud Authentication Service to their whitelist. After IT informs you that step is completed, SecurID recommends that you remove the SSL proxy certificates from your deployment. Do the following:

    1. Return to the Cloud Connection Trust field in the Identity Router Setup Console.

    2. Confirm whether the identity router and Cloud Authentication Service will remain connected after you remove the certificates. Click Test Without Override Certificates. A message indicates if the connection is successful.

    3. If the tests pass, click Remove Certificates to remove the certificates from your deployment. If any tests fail, see your IT department and confirm that the necessary URLs are whitelisted.

  11. In the Cloud Administration Console, click Publish Changes to apply the configuration settings for the new identity router.

After you finish

If you added this identity router to an existing cluster, you need to back up the cluster. See Back Up Now for a Single Cluster.