Enable SecurID Authenticate App Users to Access Resources Protected by SecurID Authentication Manager

Users can access traditional on-premises resources protected by Authentication Manager, such as VPNs and wireless access points, by authenticating with OTPs generated by the SecurID Authenticate app. You need to connect Authentication Manager to the Cloud Authentication Service so Authentication Manager can forward the OTPs to the Cloud Authentication Service for validation.

Note: These instructions apply only to Authentication Manager 8.4 Patch 3 and earlier. If you have Authentication Manager 8.4 Patch 4 or later, see Connect SecurID Authentication Manager to the Cloud Authentication Service to learn the quickest way to connect to the Cloud.

To configure the integration, perform these steps:

After you configure and test a minimal deployment with one identity router that receives authentication requests from agents, see Configure High Availability to learn how you can improve performance.

Step 1: Prepare for the Integration

  • Confirm the following components are installed:
  • Understand how the authentication process works in an integrated deployment. See Authentication Process Flow for a graphic description.

  • Confirm that users who will use the SecurID Authenticate app are in an identity source connected to the Cloud Authentication Service. For details on Authentication Manager identity source requirements, see Authentication Manager Version Support.

Step 2: Configure the Cloud Authentication Service

The Super Admin for the Cloud Authentication Service performs these steps:

  1. Upload your own identity router SSL certificate to the Cloud Authentication Service. For instructions, see Configure Company Information and Certificates.

  2. Enable Access to the Identity Router API.

  3. Collect Deployment Information and Provide it to the Authentication Manager Administrator.

Enable Access to the Identity Router API

The identity router API is a REST-based web services interface. Authentication Manager 8.4 Patch 3 and earlier uses this API to send the Authenticate OTP to the identity router and to receive the authentication results from the Cloud Authentication Service. You use the Cloud Administration Console to do the following:

  • Enable API access for Authentication Manager.

  • Generate an Access ID and Access Key, which Authentication Manager uses to access the identity router.

Before you begin

  • Obtain the IP address (or address range) and network mask for the part of your network where Authentication Manager is deployed.

  • Add a Super Admin account to the Cloud Administration Console using credentials that do not belong to a specific individual. This account is used exclusively to manage identity router API access. For example, you can create a new email address specifically for this account, or use an address that is jointly monitored by all Super Admins in your deployment. Super Admins can modify the identity router API access configuration through this account.

Procedure

  1. In the Cloud Administration Console, click My Account > Administrators.

  2. Click Edit next to the Super Admin account that you want to grant API access.

  3. Select the Enable Identity Router API checkbox to enable access to the identity router API.
    This step generates an Access ID and Access Key. Copy these values to a secure location. The Authentication Manager administrator needs this information to configure Authentication Manager to accept Authenticate Tokencodes.

    Note: The Access ID and Access Key are sensitive data. Store these values securely, and share them only with other Super Admins.

  4. The embedded identity router in Authentication Manager requires the Gateway IP address for the identity router with the network mask 255.255.255.255. You can view the Gateway IP address on the Network Diagnostics page. For instructions, see View Network Diagnostics on an Identity Router.

    If more than one Authentication Manager instance can access the embedded identity router REST API, add each Authentication Manager IP address. You view this information by logging on to the Operations Console for each Authentication Manager instance and clicking Administration > Network > Appliance Network Settings.

  5. If you want to add another network, click Add, then repeat step 4.

  6. Click Save.

  7. Click Publish Changes.

Collect Deployment Information and Provide it to the Authentication Manager Administrator

The Super Admin for the Cloud Authentication Service must collect the following information and provide it to the Super Admin or Trust Administrator for Authentication Manager:

  • Identity router API Access ID and Access Key.

  • IPv4 address for each identity router to which Authentication Manager will connect. For identity routers in the Amazon cloud, use the private IP address. For on-premises identity routers, use the management interface IP address.

  • Identity router API port: 443 for on-premises identity routers with two network interfaces, or 9786 for identity routers in the Amazon cloud, on-premises identity routers with one network interface, and embedded identity routers.

  • URL prefix for the identity router API service: https://<identityrouterIP>:<port>/api/v1
    where <identityrouterIP> is the IP address of the identity router and <port> is the port number. For identity routers in the Amazon cloud, use the private IP address and port 9786. For on-premises identity routers with two network interfaces, use the management interface IP address and port 443. For on-premises identity routers with one network interface, use the IP address and port 9786. For embedded identity routers, use the Authentication Manager IP address and port 9786.

  • Identity router root certificate from the certificate chain. This certificate was configured on the My Account > Company Settings page in the Cloud Administration Console. Confirm whether you have a local copy of the certificate, or open the Identity Router Setup Console and export it from the browser. If you need to export it, see 000036639 - How to export Authentication Manager, Identity Router, or Cloud Authentication Service Root Certificate and follow the instructions for the identity router root certificate.

Step 3: Configure Authentication Manager

The Super Admin for Authentication Manager performs the appropriate task, depending on your deployment.

If you have... / Perform this task

  • If you have RSA Authentication Manager 8.2 SP1 or 8.3 and your Authentication Manager users and Cloud users are in the same identity sources, or RSA Authentication Manager 8.4, perform this task: Configure SecurID Authentication Manager to Accept Authenticate Tokencodes.

  • If you have Authentication Manager 8.2 SP1 or 8.3 and your Authentication Manager users and Cloud users are in different identity sources, or Authentication Manager 8.2, perform this task: Add a Cloud Authentication Service Deployment to SecurID Authentication Manager as a Trusted Realm.

Note: Users with both SecurID tokens and Authenticate OTPs can access all protected resources with the same username or e-mail address.

Configure SecurID Authentication Manager to Accept Authenticate Tokencodes

This task connects Authentication Manager to identity routers in your deployment, allowing the Cloud Authentication Service to verify Authenticate Tokencodes when users access agent-protected resources.

After a user successfully authenticates to access an agent-protected resource using the Authenticate app, the user's Authentication Manager record counts the Authenticate app as an active token. The Authenticate app counts against the default limit of three active tokens per user, and it counts as an active token for licensing purposes.

Before you begin

  • Obtain the required identity router information from the Cloud Authentication Service Super Admin. Store the identity router root certificate in a location that is accessible to the Operations Console on the primary instance.
  • Authentication Manager Operations Console Administrator credentials are required.

Procedure

  1. If your deployment has more than one identity router, add the identity router management IP addresses and hostname to the hosts file on each Authentication Manager appliance in your Authentication Manager deployment.

    Note: Do not edit the hosts file outside of the Operations Console, or the file may become unreadable.

    1. In the Operations Console, click Administration > Network > Hosts File.
    2. Enter the IPv4 addresses and the hostname of the identity routers. Click Add New, and enter:

      • IPv4 address for an identity router. For example, 192.168.255.255.

      • Hostname for the identity routers. You can use the same hostname that is used for the identity router management interfaces, or you can define a logical hostname that only Authentication Manager uses. For example, you can map multiple identity router IP addresses to the logical hostname identityrouter.rsa-securid.com. Authentication Manager uses round robin load balancing to send authentication requests to each consecutive IP address in the list. Failover is provided, because Authentication Manager can use the next IP address if an identity router does not respond. The logical hostname is used as the Access URL in the Operations Console, and the hostname-to-identity-router-IP mappings are configured in the Operations Console at Administration > Network > Hosts File.

        Each hostname and FQDN cannot exceed 255 characters. The hostname and FQDN combined cannot exceed 1024 characters. Example hostname: identityrouter.rsa-securid.com.

        To associate different IP addresses with the same hostname, you must add a row for each IP address. For example, you can create multiple rows with different identity router IP addresses for the same SecurID hostname.

      • Comments, if any.

        Note: Do not repeat an IP address or hostname that is in the Read-only Content section of the hosts file.

    3. Click Save.
  2. In the Operations Console on the primary instance, click Deployment Configuration > SecurID Authenticate App.
  3. Select the Authenticate App checkbox.
  4. In the Access URL field, enter the URL that Authentication Manager uses to communicate with the identity routers. The URL consists of a single IP address or a logical hostname, which is defined by an Authentication Manager administrator or a Cloud Authentication Service Super Admin, an API port that is provided by a Cloud Super Admin, and the prefix /api/v1. For example, https://identityrouter.rsa-access.com/api/v1. For identity routers in the Amazon cloud, use the private IP address and port 9786. For on-premises identity routers with two network interfaces, use the management interface IP address and port 443. For on-premises identity routers with one network interface, use the IP address and port 9786. For embedded identity routers, use the Authentication Manager IP address and port 9786.
  5. In the Access ID and Access Key fields, enter the values you received from the Cloud Authentication Service administrator.
  6. In the Identity Router Root Certificate field, click Browse and select the certificate (in DER or PEM format) to use for the connection.
  7. Click Test Connection. If the test fails, try editing the fields or selecting a new certificate.
  8. Click Save.
  9. If you have Authentication Manager 8.4, open the Security Console and confirm that you can find users who are in identity sources connected to the Cloud Authentication Service. If you cannot find those users, you must add the SecurID deployment as a trusted realm.
  10. If you have RSA Authentication Manager 8.2 SP1 or 8.3, confirm whether any users are not assigned an active SecurID token. For example, this group includes users who rely solely upon on-demand authentication or risk-based authentication. You must manually enable these users to use the SecurID Authenticate app to access SecurID-protected resources. See Enable the SecurID Authenticate App for Specific Users.

After you finish

Add a Cloud Authentication Service Deployment to SecurID Authentication Manager as a Trusted Realm

Perform this task in any of the following cases:

  • You have Authentication Manager 8.2 SP1 or later and your Cloud users are not in an identity source configured for Authentication Manager or in the internal database.
  • You have Authentication Manager 8.2.
  • You configured Authentication Manager 8.4 to accept Authenticate OTPs, but when you use the Security Console to search for users who are in identity sources that are not directly connected to Authentication Manager, the users cannot be found.

An Authentication Manager deployment can support only one SecurID deployment as a trusted realm. However, you can use the Operations Console to add IP addresses for multiple identity routers in this trusted realm. Doing this allows Authentication Manager to use round robin load balancing, high availability, and failover for authentication requests. The trusted realm relationship exists if at least one identity router is available.

Before you begin

Obtain the required identity router information from the Cloud Authentication Service Super Admin. You can use the same hostname that is used for the identity router management interfaces, or you can define a logical hostname that only Authentication Manager uses.

For example, you can map multiple identity router IP addresses to the logical hostname identityrouter.rsa-securid.com. Authentication Manager uses round robin load balancing to send authentication requests to each consecutive IP address in the list. Failover is provided, because Authentication Manager can use the next IP address if an identity router does not respond.

Note: If you map multiple identity router IP addresses, you must maintain the hosts file when identity routers are added to or removed from the deployment.

Procedure

  1. Add the identity router IP addresses and hostname to the hosts file on each Authentication Manager appliance in your Authentication Manager deployment.

    Note: Do not edit the hosts file outside of the Operations Console, or the file may become unreadable.

    1. In the Operations Console, click Administration > Network > Hosts File.
    2. Click Add New, and enter:

      • Identity router IPv4 address. For example, 192.168.255.255.
      • Identity router hostnames. Each hostname and FQDN cannot exceed 255 characters. The hostname and FQDN combined cannot exceed 1024 characters. For example, identityrouter.rsa-securid.com.

        To associate different IP addresses with the same hostname, you must add a row for each IP address. For example, you can create multiple rows with different identity router IP addresses for the same hostname.

      • Comments, if any. Do not use double quotation marks, hash characters, or non-printing characters.

    3. Click Save.
  2. Enable Secure Shell (SSH):
    1. In the Operations Console, click Administration > Operating System Access.

    2. Select each NIC on which you want to enable SSH.

    3. Click Save.

      Note: (Optional) While logged on to the appliance operating system, you can manually save a copy of the hosts file for each appliance. The hosts file is not included in an Authentication Manager backup file.

  3. Log on to the appliance with the User ID rsaadmin and the operating system password that you defined during Quick Setup:
    • On a hardware appliance, log on using an SSH client.
    • On a virtual appliance, log on using an SSH client, the VMware vSphere client, the Hyper-V System Center Virtual Machine Manager Console, or the Hyper-V Manager.
  4. Change directories to /opt/rsa/am/utils. Type:

    cd /opt/rsa/am/utils/

    and press ENTER.

  5. Type:

    ./rsautil manage-securid-access-trusts -a create

    and press ENTER.

    Note: You can enter the options directly on the command line. For additional options, see Options for manage-securid-access-trusts.

  6. Respond to the prompts.
    1. When prompted, enter each value and press ENTER:

      • Authentication Manager Super Admin or Trust Administrator username.
      • Authentication Manager Super Admin or Trust Administrator password.
      • The full REST API URL Prefix for the Cloud Authentication Service deployment. The URL is the hostname that you defined or an IP address, the API port that was provided by the Cloud Authentication Service Super Admin, and the prefix /api/v1. For example, https://identityrouter.rsa-securid.com:443/api/v1.
      • Access ID and Access Key provided by the Cloud Authentication Service Super Admin.
    2. Examine and verify the identity router root certificate. This certificate is required so that Authentication Manager can trust the Cloud Authentication Service deployment.

      Note: It is critical that Authentication Manager only sends authentication requests to a legitimate identity router running the IDR SSO Agent.

    3. When prompted, add the identity router root certificate to the Authentication Manager trust store. Enter y, and press ENTER.
    4. Enter credentials for the Authentication Manager instance and other information required to create the trust.
    5. Enter a name for the trusted realm. You can use the hostname for the identity routers, for example, identityrouter.rsa-securid.com. Press ENTER.
    6. (Optional) Enter any notes and press ENTER.
  7. When prompted to enable a trusted realm, enter y, and press ENTER.
  8. When prompted to enable the trusted realm for authentication, enter y, and press ENTER.

    Authentication Manager tests the connection to the trusted realm. After 30 seconds, a message indicates whether the test succeeded. If the test fails, view the imsTrace.log file in the /opt/rsa/am/server/logs directory.

    Note: Replica instances require additional time to accept the root certificate obtained from the identity router. Wait at least ten minutes before testing the trusted realm or authenticating with Authenticate OTPs on a replica instance.

After you finish

Step 4: Roll Out the SecurID Authenticate App to Users

After you finish setting up your SecurID deployment, the Super Admin for the Cloud Authentication Service needs to roll out SecurID to your users. The rollout involves communicating information about the user experience, for example, the application portal for an SSO Agent deployment, the SecurID Authenticate app, and optionally SecurID My Page, emergency access, and system requirements. For instructions, see SecurID Rollout to Users on RSA Link at https://community.rsa.com/docs/DOC-54129.

Authentication Process Flow

The following illustration shows the process flow for a SecurID Authenticate app user accessing a resource protected by an RSA Authentication Agent. The Cloud Authentication Service validates the Authenticate OTP and returns information to Authentication Manager before the user gains access.

[Illustration: securid_cloud_amintegration.png (authentication process flow diagram)]

Authentication Manager Version Support

Authentication Manager 8.4

In Authentication Manager 8.4, new users are automatically assigned the SecurID Authenticate app as an active token in Authentication Manager after they register their mobile devices for the Cloud Authentication Service and successfully use an Authenticate OTP to access a SecurID-protected resource. You do not need to perform any manual steps to add these users to Authentication Manager. This process applies to all users, even if they did not previously have an active token in Authentication Manager. The Authenticate app counts against the default limit of three active tokens per user.

Users with active Authenticate app tokens in Authentication Manager can also obtain emergency access tokencodes to access resources protected by Authentication Manager agents. For example, users who want to access an agent-protected resource using the Authenticate app and lose their mobile devices can request emergency access tokencodes by logging on to the Self-Service Console or by contacting an Authentication Manager Help Desk administrator.

Note: Emergency access tokencodes cannot be used to access applications that are protected only by the Cloud Authentication Service, without Authentication Manager agents.

Authentication Manager 8.2 SP1 or 8.3

Authentication Manager 8.2 SP1 or later supports the following:

  • Users can use the Authenticate app to access agents and use the same identity source sign-in credentials for Authentication Manager and the Cloud Authentication Service.

  • Users can use single sign-on (SSO) to access web applications protected by the Cloud Authentication Service.

Authentication Manager 8.2

Authentication Manager 8.2 supports the following:

  • Authentication Manager 8.2 users who are in a SecurID trusted realm can authenticate to the Cloud Authentication Service. Offline authentication is not supported because offline authentication data cannot be generated.

  • Users who are using both SecurID and Authenticate OTP must be configured with different database attributes for each form of authentication. For example, you can use the SAMAccountName attribute for SecurID authentication and an e-mail attribute for the Authenticate OTP. In this case, users can use both SecurID and Authenticate OTP if they remember to use the correct username or e-mail address required to access each protected resource.

Configure High Availability

After you configure and test a minimal deployment with one identity router that receives authentication requests from agents, consider how you want to configure high availability. High availability increases the likelihood that an identity router will be available to process authentication requests when one or more identity routers in the same cluster are down. It also improves performance by ensuring that requests are distributed evenly among identity routers. Choose one of the following configuration methods:

Configure High Availability Using Host Lookup (No Load Balancer)

High availability with host lookup is configured after you follow the steps provided in Step 3: Configure Authentication Manager. You register all identity router addresses in a cluster to a single hostname in the network host file and add this hostname to the Access URL field of the SecurID Authenticate app configuration in Authentication Manager. When Authentication Manager attempts to connect to this URL, it looks up the hostname, resolves all IP addresses bound to this host, and uses round-robin to select an address to connect to an identity router.

This method is less expensive to implement than load balancing, but it is also less efficient and may result in Authentication Manager trying to contact an identity router that is offline.

To test availability, stop an identity router while allowing users to authenticate to the cluster. View the audit logs to see which identity routers are handling authentication.
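As an added illustration (not RSA code, and not the product's actual implementation), the following Python model shows what the host-lookup method and the Step 3 hosts-file rows amount to: several rows bind identity router addresses to one logical hostname, a lookup returns all of them, and a client rotates through them, skipping any identity router that does not respond. The addresses, the hostname and the `is_up` probe are constructed stand-ins.

```python
import itertools
import re
from collections import defaultdict

# Constructed sample of the rows an administrator adds in the Operations
# Console (Administration > Network > Hosts File): one row per identity
# router IP address, all bound to the same logical hostname.
HOSTS_FILE_ROWS = """\
192.0.2.10   identityrouter.rsa-securid.com   # IDR 1, management interface
192.0.2.11   identityrouter.rsa-securid.com   # IDR 2, management interface
192.0.2.12   identityrouter.rsa-securid.com   # IDR 3, management interface
"""

MAX_NAME_LEN = 255    # each hostname or FQDN may not exceed 255 characters
MAX_NAMES_LEN = 1024  # hostname and FQDN combined may not exceed 1024
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def parse_hosts_rows(text):
    """Return {hostname: [ip, ...]} in file order, checking each row against
    the limits the page gives for the Operations Console hosts file."""
    mapping = defaultdict(list)
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        # Comments may not contain double quotes or non-printing characters.
        if '"' in comment or not comment.isprintable():
            raise ValueError(f"illegal character in comment: {comment!r}")
        fields = line.split()
        if not fields:
            continue
        ip, *names = fields
        if not IPV4_RE.match(ip) or max(int(o) for o in ip.split(".")) > 255:
            raise ValueError(f"not an IPv4 address: {ip}")
        if (any(len(n) > MAX_NAME_LEN for n in names)
                or len(" ".join(names)) > MAX_NAMES_LEN):
            raise ValueError(f"hostname too long: {raw!r}")
        for name in names:
            if ip in mapping[name]:
                raise ValueError(f"duplicate row: {ip} {name}")
            mapping[name].append(ip)   # one row per IP, same hostname
    return dict(mapping)


def resolve(mapping, hostname):
    """Host lookup: every address bound to the logical hostname, in file order."""
    return list(mapping.get(hostname, []))


class RoundRobinClient:
    """Models how Authentication Manager selects an identity router: rotate
    through the resolved addresses and move on when one does not respond.
    `is_up` is a hypothetical probe standing in for the real TLS request."""

    def __init__(self, addresses, is_up):
        self._cycle = itertools.cycle(addresses)
        self._count = len(addresses)
        self._is_up = is_up

    def send(self, request):
        for _ in range(self._count):   # each address tried at most once
            ip = next(self._cycle)
            if self._is_up(ip):
                return ip              # this identity router handled `request`
        raise ConnectionError("no identity router in the cluster responded")


def simulate(down=frozenset(), requests=5):
    """Which identity router handles each OTP validation request when the
    addresses in `down` are offline (e.g. stopped for an availability test)."""
    mapping = parse_hosts_rows(HOSTS_FILE_ROWS)
    client = RoundRobinClient(resolve(mapping, "identityrouter.rsa-securid.com"),
                              is_up=lambda ip: ip not in down)
    return [client.send(f"otp-check-{i}") for i in range(requests)]
```

Calling `simulate(down={"192.0.2.11"})` reproduces the availability test above: requests skip the stopped identity router and alternate between the remaining two.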

Configure High Availability Using a Load Balancer

You can configure a load balancer to accept authentication requests and redirect them to the IP address of an active identity router based on the selected load balance logic. The network interface for the load balancer must be on the same network as the identity router interface. For on-premises identity routers, configure the load balancer to connect to the management interface.

Load balancers provide you with more control than host lookup. Local and global load balancers can take into account the geographic location and activity status of the identity routers when they redirect requests.

For more information about load balancing in Cloud Authentication Service deployments, see Load Balancer Requirements.

Before you begin

This procedure involves Super Admins for the Cloud Administration Console and the Authentication Manager Operations Console.

Procedure

  1. See Step 3: Configure Authentication Manager and perform the appropriate steps for your deployment.

    Note: When you Configure SecurID Authentication Manager to Accept Authenticate Tokencodes, specify the hostname and load balancer port instead of the logical hostname in the Access URL field. Also, if the load balancer hostname is not registered in the DNS server, add only the load balancer hostname and IP address to the Authentication Manager network hosts file. Do not associate the identity router IP addresses to this hostname.

  2. Open the load balancer configuration file. Add the management IP addresses of the identity routers to which Authentication Manager will connect. Choose the logic you want the load balancer to use for selecting identity routers.

After you finish

To test the availability of your identity routers, stop an identity router while allowing users to authenticate to the cluster. View the audit logs to see which identity routers are handling authentication.