SecurID^® Cloud Authentication Service Documentation

Users can access traditional on-premises resources protected by Authentication Manager, such as VPNs and wireless access points, by authenticating with tokencodes generated by the RSA SecurID Authenticate app.

Users can access traditional on-premises resources protected by RSA Authentication Manager, such as VPNs and wireless access points, by authenticating with tokencodes generated by the RSA SecurID Authenticate app. You need to connect Authentication Manager to the Cloud Authentication Service so Authentication Manager can forward the tokencodes to the Cloud Authentication Service for validation.

Note:  These instructions apply only to Authentication Manager 8.4 Patch 3 and earlier. If you have Authentication Manager 8.4 Patch 4 or later, see Connect RSA Authentication Manager to the Cloud Authentication Service to learn the quickest way to connect to the Cloud.

To configure the integration, perform these steps:

• Step 1: Prepare for the Integration

• Step 2: Configure the Cloud Authentication Service

• Step 3: Configure RSA Authentication Manager

• Step 4: Roll Out the RSA SecurID Authenticate App to Users

After you configure and test a minimal deployment with one identity router that receives authentication requests from agents, see Configure High Availability to learn how you can improve performance.

​Step 1: Prepare for the Integration

• Confirm the following components are installed:

  • At least one identity router and a Cloud Authentication Service deployment. If you need to start from scratch, see the Quick Start guides available on RSA Link at Cloud Authentication Service Planning and Configuration.

  • RSA Authentication Manager 8.2 Service Pack 1 or later with at least one primary instance. Version 8.2 is also supported. For details, see Authentication Manager Version Support.

• Understand how the authentication process works in an integrated deployment. See Authentication Process Flow for a graphic description.

• Confirm that users who will use the RSA SecurID Authenticate app are in an identity source connected to the Cloud Authentication Service. For details on Authentication Manager identity source requirements, see Authentication Manager Version Support.

​ Step 2: Configure the Cloud Authentication Service

The Super Admin for the Cloud Authentication Service performs these steps:

1. Upload your own identity router SSL certificate to the Cloud Authentication Service. For instructions, see Configure Company Information and Certificates.

2. Enable Access to the Identity Router API .

3. Collect Deployment Information and Provide it to the RSA Authentication Manager Administrator.

​Enable Access to the Identity Router API

The identity router API is a REST-based web services interface. RSA Authentication Manager 8.4 Patch 3 and earlier uses this API to send the Authenticate Tokencode to the identity router and to receive the authentication results from the Cloud Authentication Service. You use the Cloud Administration Console to do the following:

• Enable API access for Authentication Manager.

• Generate an Access ID and Access Key, which RSA Authentication Manager uses to access the identity router.

Before you begin 

• Obtain the IP address (or address range) and network mask for the part of your network where Authentication Manager is deployed.

• Add a Super Admin account to the Cloud Administration Console using credentials that do not belong to a specific individual. This account is used exclusively to manage identity router API access. For example, you can create a new email address specifically for this account, or use an address that is jointly monitored by all Super Admins in your deployment. Super Admins can modify the identity router API access configuration through this account.

Procedure 

1. In the Cloud Administration Console, click My Account > Administrators.

2. Click Edit next to the Super Admin account that you want to grant API access.

3. Select the Enable Identity Router API checkbox to enable access to the identity router API.
   This step generates an Access ID and Access Key. Copy these values to a secure location. The RSA Authentication Manager administrator needs this information to configure Authentication Manager to accept Authenticate Tokencodes.

   Note:  The Access ID and Access Key are sensitive data. Store these values securely, and share them only with other Super Admins.

4. In the IP Address and Netmask fields, specify the Authentication Manager server IP address or subnet that needs to access the API. A subnet can represent multiple Authentication Manager IP addresses.

   The embedded identity router in Authentication Manager requires the Gateway IP address for the identity router with the network mask 255.255.255.255. You can view the Gateway IP address on the Network Diagnostics page. For instructions, see View Network Diagnostics on an Identity Router.

   If more than one Authentication Manager instance can access the embedded identity router REST API, add each Authentication Manager IP address. You view this information by logging on to the Operations Console for each Authentication Manager instance and clicking Administration > Network > Appliance Network Settings.

5. If you want to add another network, click Add, then repeat step 4.

6. Click Save.

7. Click Publish Changes.

​Collect Deployment Information and Provide it to the RSA Authentication Manager Administrator

The Super Admin for the Cloud Authentication Service must collect the following information and provide it to the Super Admin or Trust Administrator for Authentication Manager:

• Identity router API Access ID and Access Key.

• IPv4 address for each identity router to which Authentication Manager will connect. For identity routers in the Amazon cloud, use the private IP address. For on-premises identity routers, use the management interface IP address.

• Identity router API port: 443 for on-premises identity routers or 9786 for identity routers in the Amazon cloud

• URL prefix for the identity router API service: https://<identityrouterIP>:<port>/api/v1
  where <identityrouterIP> is the IP address of the identity router and <port> is the port number. For identity routers in the Amazon cloud, use the private IP address and port 9786. For on-premises identity routers, use the management interface IP address and port 443.

• Identity router root certificate from the certificate chain. This certificate was configured on the My Account > Company Settings page in the Cloud Administration Console. Confirm if you have a local copy of the certificate, or open the Identity Router Setup Console and export it from the browser. If you need to export it, see 000036639 - How to export RSA SecurID Access Authentication Manager, Identity Router, or Cloud Authentication Service Root Certificate and follow instructions for the identity router root certificate.

​Step 3: Configure RSA Authentication Manager

The Super Admin for RSA Authentication Manager performs the appropriate task, depending on your deployment.

Note:  Users with both RSA SecurID tokens and Authenticate Tokencodes can access all protected resources with the same username or e-mail address.

​Configure RSA Authentication Manager to Accept Authenticate Tokencodes

This task connects Authentication Manager to identity routers in your deployment, allowing the Cloud Authentication Service to verify Authenticate Tokencodes when users access agent-protected resources.

After a user successfully authenticates to access an agent-protected resource using the Authenticate app, the user's Authentication Manager record counts the Authenticate app as an active token. The Authenticate app counts against the default limit of three active tokens per user, and it counts as an active token for licensing purposes.

Before you begin 

• Obtain the required identity router information from the Cloud Authentication Service Super Admin. Store the identity router root certificate in a location that is accessible to the Operations Console on the primary instance.
• Authentication Manager Operations Console Administrator credentials are required.

Procedure 

1. If your deployment has more than one identity router, add the identity router management IP addresses and hostname to the hosts file on each RSA Authentication Manager appliance in your Authentication Manager deployment.

   Note:  Do not edit the hosts file outside of the Operations Console, or the file may become unreadable.

   1. In the Operations Console, click Administration > Network > Hosts File.

   2. Enter the IPv4 addresses and the hostname of the identity routers. Click Add New, and enter:

      • IPv4 address for an identity router. For example, 192.168.255.255.

      • Hostname for the identity routers. You can use the same hostname that is used for the identity router management interfaces, or you can define a logical hostname that only Authentication Manager uses.For example, you can map multiple identity router IP addresses to the logical hostname identityrouter.rsa-securid.com. Authentication Manager uses round robin load balancing to send authentication requests to each consecutive IP address in the list. Failover is provided, because Authentication Manager can use the next IP address if an identity router does not respond. The logical hostname is used as the Access URL in the Operations Console and the hostname to the identity router IP mappings is configured in the Operations Console at Administration > Network > Hosts File.

        Each hostname and FQDN cannot exceed 255 characters. The hostname and FQDN combined cannot exceed 1024 characters. Example hostname: identityrouter.rsa-securid.com.

        To associate different IP addresses with the same hostname, you must add a row for each IP address. For example, you can create multiple rows with different identity router IP addresses for the same RSA SecurID Access hostname.

      • Comments, if any.

        Note:  Do not repeat an IP address or hostname that is in the Read-only Content section of the hosts file.

   3. Click Save.
2. In the Operations Console on the primary instance, click Deployment Configuration > RSA SecurID Authenticate App.
3. Select the Authenticate App checkbox.
4. In the Access URL field, enter the URL that Authentication Manager uses to communicate with the identity routers. The URL consists of a single IP address or a logical hostname, which is defined by an Authentication Manager administrator or a Cloud Authentication Service Super Admin, an API port that is provided by a Cloud Super Admin, and the prefix /api/v1. For example, https://identityrouter.rsa-access.com/api/v1. For identity routers in the Amazon cloud, use the private IP address and port 9786. For on-premises identity routers, the default port is 443.
5. In the Access ID and Access Key fields, enter the values you received from the Cloud Authentication Service administrator.
6. In the Identity Router Root Certificate field, click Browse and select the certificate (in DER or PEM format) to use for the connection.
7. Click Test Connection. If the test fails, try editing the fields or selecting a new certificate.
8. Click Save.
9. If you have RSA Authentication Manager 8.4, open the Security Console and confirm that you can find users who are in identity sources connected to the Cloud Authentication Service. If you cannot find those users, you must add the RSA SecurID Access deployment as a trusted realm.
10. If you have RSA Authentication Manager 8.2 SP1 or 8.3, confirm if any users are not assigned an active RSA SecurID token. For example, this group includes users who rely solely upon on-demand authentication or risk-based authentication. You must manually enable these users to use the RSA SecurID Authenticate app to access RSA SecurID-protected resources. See "Enable the RSA SecurID Authenticate App for Specific Users" on RSA Link at https://community.rsa.com/docs/DOC-76736.

After you finish 

• If you need to troubleshoot, see "RSA SecurID Authenticate Tokencode Integration Issues and Solutions" on RSA Link at https://community.rsa.com/docs/DOC-76955.
• To see RSA SecurID Authenticate configuration changes on a replica instance before replication occurs, log on to the Operations Console on the replica instance and flush the cache. For instructions, see Flush the Cache.

​Add an RSA SecurID Access Deployment to RSA Authentication Manager as a Trusted Realm

Perform this task in any of the following cases:

• You have RSA Authentication Manager 8.2 SP1 or later and your Cloud users are not in an identity source configured for RSA Authentication Manager or in the internal database.
• You have Authentication Manager 8.2.
• You configured Authentication Manager 8.4 to accept Authenticate Tokencodes, but when you use the Security Console to search for users who are in identity sources that are not directly connected to Authentication Manager, the users cannot be found.

An RSA Authentication Manager deployment can support only one RSA SecurID Access deployment as a trusted realm. However, you can use the Operations Console to add IP addresses for multiple identity routers in this trusted realm. Doing this allows Authentication Manager to use round robin load balancing, high availability, and failover for authentication requests. The trusted realm relationship exists if at least one identity router is available.

Before you begin 

Obtain the required identity router information from the Cloud Authentication Service Super Admin. You can use the same hostname that is used for the identity router management interfaces, or you can define a logical hostname that only Authentication Manager uses.

For example, you can map multiple identity router IP addresses to the logical hostname identityrouter.rsa-securid.com. Authentication Manager uses round robin load balancing to send authentication requests to each consecutive IP address in the list. Failover is provided, because Authentication Manager can use the next IP address if an identity router does not respond.

Note:  If you map multiple identity router IP addresses, you must maintain the .hosts file when identity routers are added or removed from the deployment.

Procedure

1. Add the identity router IP addresses and hostname to the hosts file on each RSA Authentication Manager appliance in your Authentication Manager deployment.

   Note:  Do not edit the hosts file outside of the Operations Console, or the file may become unreadable.

   1. In the Operations Console, click Administration > Network > Hosts File.

   2. Click Add New, and enter:

      • Identity router IPv4 address. For example, 192.168.255.255.

      • Identity router hostnames. Each hostname and FQDN cannot exceed 255 characters. The hostname and FQDN combined cannot exceed 1024 characters. For example, identityrouter.rsa-securid.com.

        To associate different IP addresses with the same hostname, you must add a row for each IP address. For example, you can create multiple rows with different identity router IP addresses for the same hostname.

      • Comments, if any. Do not use double quotation marks, hash characters, or non-printing characters.

   3. Click Save.
2. Enable Secure Shell (SSH):

   1. In the Operations Console, click Administration > Operating System Access.

   2. Select each NIC on which you want to enable SSH.

   3. Click Save.

      Note:  (Optional) While logged on to the appliance operating system, you can manually save a copy of the hosts file for each appliance. The hosts file is not included in an Authentication Manager backup file.

3. Log on to the appliance with the User ID rsaadmin and the operating system password that you defined during Quick Setup:
   • On a hardware appliance, log on using an SSH client.
   • On a virtual appliance, log on using an SSH client, the VMware vSphere client, the Hyper-V System Center Virtual Machine Manager Console, or the Hyper-V Manager.
4. Change directories to /opt/rsa/am/utils. Type:

   cd /opt/rsa/am/utils/

   and press ENTER.

5. Type:

   ./rsautil manage-securid-access-trusts -a create

   and press ENTER.

   Note:  You can enter the options directly on the command line. For additional options, see Options for manage-securid-access-trusts.

6. Respond to the prompts.

   1. When prompted, enter each value and press ENTER:

      • RSA Authentication Manager Super Admin or Trust Administrator username.
      • Authentication Manager Super Admin or Trust Administrator password.
      • The full REST API URL Prefix for the Cloud Authentication Service deployment. The URL is the hostname that you defined or an IP address, the API port that was provided by the Cloud Authentication Service Super Admin, and the prefix /api/v1. For example, https://identityrouter.rsa-securid.com:443/api/v1.
      • Access ID and Access Key provided by the Cloud Authentication Service Super Admin.
   2. Examine and verify the identity router root certificate. This certificate is required so that Authentication Manager can trust the Cloud Authentication Service deployment.

      Note:  It is critical that Authentication Manager only sends authentication requests to a legitimate identity router running the SSO Agent.

   3. When prompted, add the identity router root certificate to the RSA Authentication Manager trust store. Enter y, and press ENTER.
   4. Enter credentials for the Authentication Manager instance and other information required to create the trust.
   5. Enter a name for the trusted realm. You can use the hostname for the identity routers, for example, identityrouter.rsa-securid.com. Press ENTER.
   6. (Optional) Enter any notes and press ENTER.
7. When prompted to enable a trusted realm, enter y, and press ENTER.
8. When prompted to enable the trusted realm for authentication, enter y, and press ENTER.

   RSA Authentication Manager tests the connection to the trusted realm. After 30 seconds, a message indicates whether the test succeeded. If the test fails, view the imsTrace.log file in the /opt/rsa/am/server/logs directory.

   Note:  Replica instances require additional time to accept the root certificate obtained from the identity router. Wait at least ten minutes before testing the trusted realm or authenticating with Authenticate Tokencodes on a replica instance.

After you finish 

• For each authentication agent that is being used with this trusted realm, select Enable Trusted Realm Authentication when you add the authentication agent. For instructions, see "Add an Authentication Agent" on RSA Link at https://community.rsa.com/docs/DOC-77208.
• If you need to troubleshoot, see "RSA SecurID Authenticate Tokencode Integration Issues and Solutions" on RSA Link at https://community.rsa.com/docs/DOC-76955.

​Step 4: Roll Out the RSA SecurID Authenticate App to Users

After you finish setting up your RSA SecurID Access deployment, the Super Admin for the Cloud Authentication Service needs to roll out RSA SecurID Access to your users. The rollout involves communicating information about the user experience, for example, the application portal for an SSO Agent deployment, the RSA SecurID Authenticate app, and optionally RSA SecurID Access My Page, emergency access, and system requirements. for instructions, see RSA SecurID Access Rollout to Users on RSA Link at https://community.rsa.com/docs/DOC-54129.

​Authentication Process Flow

The following illustration shows the process flow for an RSA SecurID Authenticate app user accessing a resource protected by an RSA Authentication Agent. The Cloud Authentication Service validates the Authenticate Tokencode and returns information to Authentication Manager before the user gains access.

​Authentication Manager Version Support

• RSA Authentication Manager 8.4
• RSA Authentication Manager 8.2 SP1 or 8.3
• RSA Authentication Manager 8.2

​RSA Authentication Manager 8.4

In RSA Authentication Manager 8.4, new users are automatically assigned the RSA SecurID Authenticate app as an active token in Authentication Manager after they register their mobile devices for the Cloud Authentication Service and successfully use an Authenticate Tokencode to access an RSA-SecurID protected resource. You do not need to perform any manual steps to add these users to Authentication Manager. This process applies to all users, even if they did not previously have an active token in Authentication Manager. The Authenticate app counts against the default limit of three active tokens per user.

Users with active Authenticate app tokens in Authentication Manager can also obtain emergency access tokencodes to access resources protected by Authentication Manager agents. For example, users who want to access an agent-protected resource using the Authenticate app and lose their mobile devices can request emergency access tokencodes by logging on to the Self-Service Console or by contacting an Authentication Manager Help Desk administrator.

Note:  Emergency access tokencodes cannot be used to access applications that are protected only by the Cloud Authentication Service, without Authentication Manager agents.

​RSA Authentication Manager 8.2 SP1 or 8.3

RSA Authentication Manager 8.2 SP1 or later supports the following:

• Users can use the Authenticate app to access agents and use the same identity source sign-in credentials for Authentication Manager and the Cloud Authentication Service.

• Users can use single sign-on (SSO) to access web applications protected by the Cloud Authentication Service

​RSA Authentication Manager 8.2

RSA Authentication Manager 8.2 supports the following:

• Authentication Manager 8.2 users who are in an RSA SecurID Access trusted realm can authenticate to the Cloud Authentication Service. Offline authentication is not supported because offline authentication data cannot be generated.

• Users who are using both SecurID and Authenticate Tokencode must be configured with different database attributes for each form of authentication. For example, you can use the SAMAccountName attribute for SecurID authentication and an e-mail attribute for the Authenticate Tokencode. In this case, users can use both SecurID and Authenticate Tokencode if they remember to use the correct username or e-mail address required to access each protected resource.

​Configure High Availability

After you configure and test a minimal deployment with one identity router that receives authentication requests from agents, consider how you want to configure high availability. High availability increases the likelihood that an identity router will be available to process authentication requests when one or more identity routers in the same cluster are down. It also improves performance by ensuring that requests are distributed evenly among identity routers. Choose one of the following configuration methods:

• Configure High Availability Using Host Lookup (No Load Balancer)
• Configure High Availability Using a Load Balancer

​Configure High Availability Using Host Lookup (No Load Balancer)

High availability with host lookup is configured after you follow the steps provided in Step 3: Configure RSA Authentication Manager. You register all identity router addresses in a cluster to a single hostname in the network host file and add this hostname to the Access URL field of the RSA SecurID Authenticate app configuration in Authentication Manager. When Authentication Manager attempts to connect to this URL, it looks up the hostname, resolves all IP addresses bound to this host, and uses round-robin to select an address to connect to an identity router.

This method is less expensive to implement than load balancing, but is also less efficient and may result in the identity router trying to contact an identity router that is offline.

To test availability, stop an identity router while allowing users to authenticate to the cluster. View the audit logs to see which identity routers are handling authentication.

​Configure High Availability Using a Load Balancer

You can configure a load balancer to accept authentication requests and redirect them to the IP address of an active identity router based on the selected load balance logic. The network interface for the load balancer must be on the same network as the identity router interface. For on-premises identity routers, configure the load balancer to connect to the management interface.

Load balancers provide you with more control than host lookup. Local and global load balancers can take into account the geographic location and activity status of the identity routers when they redirect requests.

For more information about load balancing in Cloud Authentication Service deployments, see Load Balancer Requirements.

Before you begin 

This procedure involves Super Admins for the Cloud Administration Console and the Authentication Manager Operations Console.

Procedure 

1. See Step 3: Configure RSA Authentication Manager and perform the appropriate steps for your deployment.

   Note:  When you Configure RSA Authentication Manager to Accept Authenticate Tokencodes, specify the hostname and load balancer port instead of the logical hostname in the Access URL field. Also, if the load balancer hostname is not registered in the DNS server, add only the load balancer hostname and IP address to the Authentication Manager network hosts file. Do not associate the identity router IP addresses to this hostname.

2. Open the load balancer configuration file. Add the management IP addresses of the identity routers to which Authentication Manager will connect. Choose the logic you want the load balancer to use for selecting identity routers.

After you finish 

To test the availability of your identity routers, stop an identity router while allowing users to authenticate to the cluster. View the audit logs to see which identity routers are handling authentication.

Table of Contents > Enable RSA SecurID Authenticate App Users to Access Resources Protected by RSA Authentication Manager