Enable SecurID Token Users to Access Resources Protected by the Cloud Authentication Service

Perform this configuration so that users with SecurID tokens that are assigned in Authentication Manager can access SaaS and on-premises web applications and RADIUS clients protected by the Cloud Authentication Service. The identity router for the Cloud Authentication Service acts as an agent to Authentication Manager.

For more information, see:

Authentication Process Overview

The following illustration shows the process flow for a SecurID user accessing a resource protected by the Cloud Authentication Service. Authentication Manager validates the SecurID tokencode and returns information to the identity router before the user is granted access.

[Figure: SecurID token authentication flow between the user, the identity router and Authentication Manager (securid_ngx_g_am_cloud_sidtoken_authflow.png)]

Required Components

Component: Cloud Authentication Service

Details: Use the Cloud Administration Console to download the identity router software.

You must deploy at least one identity router and configure the required components for a minimal deployment. See "Cloud Authentication Service Planning and Configuration" on RSA Link at https://community.rsa.com/docs/DOC-75821.

Component: Authentication Manager

Details: Authentication Manager 8.0 or higher with at least one primary instance.

Required Tasks

The configuration consists of the following tasks.

Person Responsible: Super Admin for the Cloud Authentication Service

1. Confirm that your network allows outbound TCP traffic from the identity router to the Authentication Manager server on port 5500.

Person Responsible: Network administrator

2. For each identity router with two network interfaces, add an A record to the internal domain name server (DNS) that maps the identity router's portal hostname to its portal interface IP address.

For each identity router with one network interface, add an A record to the internal DNS that maps the identity router's portal hostname to its management interface IP address.

Person Responsible: Super Admin for Authentication Manager

3. For Authentication Manager versions earlier than 8.2 SP1, use the Operations Console to add the hostname and IP address for the identity router to the Authentication Manager server hosts file. For identity routers in the Amazon cloud, add the private IP address. For on-premises identity routers, add the hostname and IP address of both the proxy and management interfaces. To view and modify the hosts file, sign into the Operations Console and click Administration > Network > Hosts File.

Person Responsible: Super Admin for the Cloud Authentication Service

4. Configure a Static Route to Authentication Manager

Person Responsible: Super Admin for Authentication Manager

5. Generate the Authentication Manager Configuration File

6. Add the identity router to Authentication Manager as an agent. For instructions, see the following topics on RSA Link:

Note: Perform step 6 once for all identity routers in your deployment. Do not add an agent for each identity router.

Person Responsible: Super Admin for the Cloud Authentication Service

7. Connect Your Cloud Authentication Service Deployment to Authentication Manager

Configure a Static Route to Authentication Manager

For on-premises identity routers deployed in your VMware or Hyper-V environment, the Super Admin for the Cloud Authentication Service must configure static routes to restrict communication between a specific Authentication Manager server or network of servers and one identity router.

You must configure a static route when you initially configure the Cloud Authentication Service to communicate with Authentication Manager, as well as each time an Authentication Manager instance is added or removed from the deployment.

You can configure either of the following:

  • If Authentication Manager servers are on different networks, configure a static route for each identity router in your deployment to each Authentication Manager server.
  • If all Authentication Manager servers are on the same network, configure one static route for each identity router in your deployment going to that network to restrict the connections for the entire Authentication Manager deployment.

Note: This method for static route configuration is not available for identity routers deployed in the Amazon cloud. Instead, you must configure route tables in your Amazon Web Services environment to enable each identity router in your VPC to reach Authentication Manager. Refer to your Amazon Web Services documentation for instructions.

The following graphic shows how the example IP addresses from the procedure are used to configure a static route from an identity router to the Authentication Manager appliance(s).

[Figure: static route from the identity router management interface to the Authentication Manager appliance(s), using the example IP addresses from the procedure (securid_ngx_g_static_route_idr_to_am.png)]

Procedure

  1. In the Cloud Administration Console, click Platform > Identity Routers.
  2. Next to the identity router name, select Edit.
  3. Click Next Step to access the Settings page.
  4. In the Static Routes section, do the following.
    • To restrict an individual Authentication Manager server to the identity router management interface, enter these settings:
      • IP Address: <Authentication Manager Server IP Address>

        For example, 192.168.20.7

      • Network Mask: 255.255.255.255
      • Gateway: <Default Gateway for Identity Router Management Interface>

        For example, 10.10.10.1

      • Device: Private

    • To restrict a network containing all Authentication Manager servers, use these settings:
      • IP Address: <Authentication Manager Server Network>

        For example, 192.168.20.0

      • Network Mask: <Network Mask for Authentication Manager Server Network>

        For example, 255.255.255.128

      • Gateway: <Default Gateway for Identity Router Management Interface>

        For example, 10.10.10.1

      • Device: Private

  5. Click Add.
  6. Click Next Step.
  7. Click Save and Finish.
  8. Repeat step 2 through step 6 for each identity router in your deployment.
  9. Click Publish Changes.
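Because a route that is too narrow silently leaves an Authentication Manager instance unreachable (and one that is too broad defeats the point of restricting the connection), it is worth checking the settings before you click Publish Changes. The following script is an added example, not RSA's code: it takes the IP Address, Network Mask and Gateway values from the procedure and reports whether every Authentication Manager server falls inside the route and whether the gateway sits on the management interface subnet. The management interface address 10.10.10.5 and the second server 192.168.20.9 are constructed for the example; the other values are the ones used above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    """One entry in the Static Routes section of the identity router settings."""
    ip_address: str    # "IP Address" field: a single AM server or the AM network
    network_mask: str  # "Network Mask" field: 255.255.255.255 for a single server
    gateway: str       # "Gateway" field: default gateway of the management interface


def check_route(route, mgmt_ip, mgmt_mask, am_servers):
    """Return the problems found with a route; an empty list means it is consistent."""
    problems = []
    try:
        # strict=True rejects a destination with host bits set under the mask, e.g.
        # 192.168.20.7 with 255.255.255.128 (the network route must use 192.168.20.0),
        # and the constructor rejects non-contiguous masks such as 255.255.0.255.
        net = ipaddress.IPv4Network((route.ip_address, route.network_mask), strict=True)
    except ValueError as exc:
        return [f"invalid destination/mask: {exc}"]
    mgmt_net = ipaddress.IPv4Network((mgmt_ip, mgmt_mask), strict=False)
    gw = ipaddress.IPv4Address(route.gateway)
    if gw not in mgmt_net:
        problems.append(f"gateway {gw} is not on the management subnet {mgmt_net}")
    if gw in net:
        problems.append(f"route {net} covers its own gateway {gw}; it is too broad")
    for server in am_servers:
        if ipaddress.IPv4Address(server) not in net:
            problems.append(f"Authentication Manager server {server} is not covered by {net}")
    return problems


if __name__ == "__main__":
    MGMT_IP, MGMT_MASK = "10.10.10.5", "255.255.255.0"   # constructed management interface
    cases = {
        # Option 1 from the procedure: one host route per AM server
        "host route": (StaticRoute("192.168.20.7", "255.255.255.255", "10.10.10.1"),
                       ["192.168.20.7"]),
        # Option 2: one route for the whole AM network (192.168.20.0/25 covers .0-.127)
        "network route": (StaticRoute("192.168.20.0", "255.255.255.128", "10.10.10.1"),
                          ["192.168.20.7", "192.168.20.9"]),
        # Same network route, but a server outside the /25 would be unreachable
        "server outside mask": (StaticRoute("192.168.20.0", "255.255.255.128", "10.10.10.1"),
                                ["192.168.20.7", "192.168.20.200"]),
    }
    for name, (route, servers) in cases.items():
        print(f"{name}: {check_route(route, MGMT_IP, MGMT_MASK, servers) or 'OK'}")
```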

After you finish

A Super Admin for Authentication Manager must generate the Authentication Manager configuration file.

Generate the Authentication Manager Configuration File

You need the Authentication Manager configuration file to configure communication between your Cloud Authentication Service deployment and Authentication Manager. The Super Admin for Authentication Manager must generate the AM_Config.zip file, which contains the configuration file, sdconf.rec. The sdconf.rec file contains a snapshot of the server topology as it was when the file was generated.

Procedure

  1. In the Security Console, click Access > Authentication Agents > Generate Configuration File.
  2. From the Maximum Retries drop-down menu, select the number of times you want the identity router to attempt to establish communication with Authentication Manager before returning the message "Cannot initialize agent - server communications."
  3. From the Maximum Time Between Each Retry drop-down menu, select the number of seconds that you want to set between attempts by the identity router to establish communications with Authentication Manager.
  4. Click Generate Config File.
  5. Click Download Now, and save AM_Config.zip to your local machine.

After you finish

The Super Admin for the Cloud Authentication Service must unzip the AM_Config.zip file and upload the sdconf.rec file to the identity router. See the next task, Connect Your Cloud Authentication Service Deployment to SecurID Authentication Manager.

Connect Your Cloud Authentication Service Deployment to Authentication Manager

To use SecurID as an authentication method, the Super Admin for the Cloud Authentication Service must connect the Cloud Authentication Service deployment to the Authentication Manager server. These configuration settings allow all identity routers to communicate with Authentication Manager.

Procedure

  1. In the Cloud Administration Console, click Platform > Authentication Manager.
  2. Click Configure Connection.
  3. In the Authentication Agent Name field, enter the exact name provided by your Authentication Manager administrator.
  4. To upload the sdconf.rec file, click Choose File and select the file.
  5. Click Save.
  6. Click Publish Changes to apply the settings to all identity routers in the deployment. You must publish before you test the connection, but remember that publishing applies these settings and all pending changes to all identity routers.
  7. Click Test Connection. A graphic shows the connection status for each configured identity router. If any components are not connected, investigate the cause.

After you finish

The Super Admin for the Cloud Authentication Service must make sure assurance levels and access policies are configured to require SecurID Token where appropriate. For more information, see Access Policies.