Manage the SecurID Authentication API Keys

The SecurID Authentication API is a REST-based programming interface that allows you to develop clients that process multifactor, multistep authentications through RSA Authentication Manager and the Cloud Authentication Service. The interface definition can be integrated with any programming language.

Clients built using the Authentication API require a key to pass authentication requests to the Cloud Authentication Service. Every Initialize call from the client must contain this key to securely identify the authentication request. For more information about the Authentication API, see the SecurID Authentication API Developer's Guide.

You must be a Super Admin for the Cloud Administration Console to perform the tasks described in this topic.

Integration with Authentication Manager

If Authentication Manager is configured to use the Cloud Authentication Service for authenticating users to agent-protected resources, an API key for that purpose is automatically added to the Cloud Authentication Service and appears in the console. That key counts against the maximum number of keys allowed.

If you delete the SecurID Authentication Manager API Key, Authentication Manager will be disconnected from the Cloud Authentication Service. If you want to reconnect, perform the registration process again in the Authentication Manager Security Console. For instructions, see Connect SecurID Authentication Manager to the Cloud Authentication Service.

Security Best Practices for Authentication API Keys

Follow these best practice recommendations to ensure that your API keys remain secure.

  • Delete the old API keys and generate new ones every 90 days.

    Note: Do not delete keys that were automatically generated to connect Authentication Manager to the Cloud Authentication Service. If these keys are accidentally deleted, you must re-establish the connection with Authentication Manager.

  • Do not embed API keys in the source code.

  • Do not store API keys in files inside a source code repository.

  • Delete the keys from the Cloud Authentication Service if they are no longer being used.

  • Make sure the keys are encrypted at rest on the client file system.
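
A client-side loader that enforces the storage and rotation rules in the list above before a key is used; this is an added example, not RSA's code. The function names, the key file name, the owner-only permission check and the separately recorded creation date are assumptions, and encryption at rest is left to the volume or secret store that holds the file.

```python
import stat
import tempfile
from datetime import date, timedelta
from pathlib import Path

MAX_KEY_AGE = timedelta(days=90)          # rotation interval from the list above
REPO_MARKERS = (".git", ".hg", ".svn")    # assumed markers of a repository root


class KeyPolicyError(Exception):
    """The key file breaks one of the storage or rotation rules."""


def inside_repository(path: Path) -> bool:
    """True if any parent directory of `path` is a source repository root."""
    return any((parent / marker).exists()
               for parent in path.resolve().parents for marker in REPO_MARKERS)


def load_api_key(path, created: date, today: date) -> str:
    """Return the key stored at `path`, or raise KeyPolicyError.

    `created` is the date the key was added in the console, recorded by the
    operator at delivery time (an assumption; the key file does not carry it).
    """
    path = Path(path)
    if inside_repository(path):
        raise KeyPolicyError(f"{path} is inside a source code repository")
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):   # added check: owner-only access
        raise KeyPolicyError(f"{path} is accessible to group/other (mode {mode:o})")
    age = (today - created).days
    if age > MAX_KEY_AGE.days:
        raise KeyPolicyError(f"key is {age} days old; delete it and generate a new one")
    key = path.read_text().strip()
    if not key:
        raise KeyPolicyError(f"{path} is empty")
    return key


if __name__ == "__main__":
    # Constructed sample: a placeholder key in a temporary directory outside any repo.
    key_file = Path(tempfile.mkdtemp()) / "securid_api.key"
    key_file.write_text("EXAMPLE-PLACEHOLDER-KEY\n")
    key_file.chmod(0o600)
    print(load_api_key(key_file, date(2024, 1, 10), date(2024, 3, 1)))
    try:
        load_api_key(key_file, date(2024, 1, 10), date(2024, 6, 1))
    except KeyPolicyError as err:
        print("rejected:", err)
```

Calling the loader at client start-up makes a stale or badly stored key fail closed instead of being sent in an Initialize call.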

Copy the SecurID Authentication API REST URL

The SecurID Authentication API uses the Authentication Service Domain in the REST endpoint URLs for the Cloud Authentication Service, as described in the SecurID Authentication API Developer's Guide. You can copy this URL from the Cloud Administration Console.

Procedure

  1. In the Cloud Administration Console, click My Account > Company Settings and select the Authentication API Keys tab.

  2. Under SecurID Authentication API REST URL, click Copy URL.

  3. Paste the URL in a secure place and deliver it to your web client developers.

Add a SecurID Authentication API Key

You can add up to 10 keys for authentication clients to use.

Procedure

  1. In the Cloud Administration Console, click My Account > Company Settings and select the Authentication API Keys tab.

  2. Click ADD. The new key is displayed.

  3. (Optional) Enter a description that identifies how the key will be used.

  4. Add as many keys as necessary (up to 10), then click Save Settings.

  5. To immediately activate these updates, click Publish Changes.

After you finish

Use a secure method to deliver the keys to your authentication client developers.

Delete a SecurID Authentication API Key

If a key becomes compromised and is no longer secure, you can delete it and add a new one. After you delete a key, the client program using that key will no longer be able to authenticate to the Cloud Authentication Service.

Procedure

  1. In the Cloud Administration Console, click My Account > Company Settings and select the Authentication API Keys tab.

  2. Click the minus sign (-) next to the key you want to delete.

  3. Click Save Settings.

  4. To immediately activate these updates, click Publish Changes. If you do not publish now, the deleted key can continue to be used in authentication requests until the changes are published.