Enable Access to the Identity Router API

The identity router API is a REST-based web services interface that allows designated components in your deployment to query and manage runtime information, such as user profiles. Access to the API is disabled by default. You can enable access to the API to support certain features in your deployment, such as SecurID Authenticate OTP integration between Authentication Manager 8.4 Patch 3 and earlier and the Cloud Authentication Service. Only a Super Admin can enable identity router API access.

You must enable access to the identity router API if you want Authentication Manager to support SecurID Authenticate OTP integration between Authentication Manager and the Cloud Authentication Service. Other components may also require this access.

You need to generate an Access ID and Access Key, which are credentials associated with a Super Admin account. Authentication Manager or other designated components in your deployment that need to access the identity router API can then use that Access ID and Access Key.

The identity router API is a REST-based web services interface. Authentication Manager 8.4 Patch 3 and earlier uses this API to send the Authenticate OTP to the identity router and to receive the authentication results from the Cloud Authentication Service. You use the Cloud Administration Console to do the following:

  • Enable API access for Authentication Manager.

  • Generate an Access ID and Access Key, which Authentication Manager uses to access the identity router.

Before you begin

  • Obtain the IP address (or address range) and network mask for the part of your network that requires access to the identity router API.

  • Obtain the IP address (or address range) and network mask for the part of your network where Authentication Manager is deployed.

  • Add a Super Admin account to the Cloud Administration Console using credentials that do not belong to a specific individual. This account is used exclusively to manage identity router API access. For example, you can create a new email address specifically for this account, or use an address that is jointly monitored by all Super Admins in your deployment. Super Admins can modify the identity router API access configuration through this account.

Procedure

  1. In the Cloud Administration Console, click My Account > Administrators.

  2. Click Edit next to the Super Admin account to which you want to grant API access.

  3. In the Enable Identity Router API field, select the checkbox to enable access to the identity router API. This step generates values in the Access ID and Access Key fields. Copy these values to a secure location where you can access them when you configure the components of your deployment that use the identity router API.

    Note: The Access ID and Access Key are sensitive data. Store these values securely, and share them only with other Super Admins.

  4. Select the Enable Identity Router API checkbox to enable access to the identity router API.
    This step generates an Access ID and Access Key. Copy these values to a secure location. The Authentication Manager administrator needs this information to configure Authentication Manager to accept Authenticate Tokencodes.


  5. The embedded identity router in Authentication Manager requires the Gateway IP address for the identity router with the network mask 255.255.255.255. You can view the Gateway IP address on the Network Diagnostics page. For instructions, see View Network Diagnostics on an Identity Router.

    If more than one Authentication Manager instance can access the embedded identity router REST API, add each Authentication Manager IP address. You can view this information by logging on to the Operations Console for each Authentication Manager instance and clicking Administration > Network > Appliance Network Settings.

  6. If you want to add another network, click Add, then repeat step 4.

  7. Click Save.

  8. Click Publish Changes.
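The following added example (not part of the product or its documentation) is a pre-flight check you can run on the IP address and network mask pairs you plan to enter, before you type them into the console. The function name, the sample addresses, and the `max_addresses` threshold are assumptions made for illustration.

```python
import ipaddress

def review_allowlist(entries, gateway_ip, am_ips, max_addresses=256):
    """Return findings for planned (ip, mask) entries; an empty list means no issues.

    max_addresses is an assumed review threshold, not a product limit.
    """
    findings, networks = [], []
    for ip, mask in entries:
        try:
            # strict=True rejects a host address paired with a wider mask
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=True)
        except ValueError as exc:
            findings.append(f"invalid entry {ip}/{mask}: {exc}")
            continue
        networks.append(net)
        if net.num_addresses > max_addresses:
            findings.append(f"broad entry {net}: {net.num_addresses} addresses")
    # Step 5: the gateway IP must be listed with mask 255.255.255.255
    gateway = ipaddress.ip_network(f"{gateway_ip}/255.255.255.255")
    if gateway not in networks:
        findings.append(f"gateway {gateway_ip} lacks a 255.255.255.255 entry")
    # Step 5: every Authentication Manager instance must be covered
    for am in am_ips:
        if not any(ipaddress.ip_address(am) in net for net in networks):
            findings.append(f"Authentication Manager {am} is not covered")
    return findings

# Constructed sample values (documentation and private address ranges)
GATEWAY_IP = "192.0.2.10"
AM_IPS = ["198.51.100.21", "198.51.100.22"]
PLANNED = [
    ("192.0.2.10", "255.255.255.255"),
    ("198.51.100.21", "255.255.255.255"),
    ("198.51.100.22", "255.255.255.0"),   # host bits set: rejected
    ("10.0.0.0", "255.0.0.0"),            # valid but far too wide
]

if __name__ == "__main__":
    for finding in review_allowlist(PLANNED, GATEWAY_IP, AM_IPS):
        print(finding)
```

An empty result means every planned entry is well formed, the gateway has its single-host entry, and each Authentication Manager instance falls inside at least one listed network.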

After you finish

Provide the API Access ID and Access Key to the appropriate person who is configuring components that need to interact with the identity router API.