Protect the Cloud Administration Console with Additional (Step-Up) Authentication

All administrators sign into the Cloud Administration Console using their passwords configured in My Account > Profile, but you can protect the console with additional (step-up) authentication such a tokencode or push notification (Approve). After you enable additional authentication, the console is automatically configured as a SAML service provider, while the Cloud Authentication Service acts as the SAML identity provider.

Note: If no Super Admins in your company can provide the required authentication credentials to access the console, RSA Customer Support can temporarily disable the additional authentication requirement, allowing administrators to gain access using only their passwords. RSA sends all Super Admins an email notification after additional authentication has been disabled.

Before you begin

  • You must be a Super Admin for the Cloud Administration Console.
  • Confirm that each administrator who uses the Cloud Administration Console has two accounts: a user account in an identity source that is synchronized with the Cloud Authentication Service, and an administrator account in the Cloud Administration Console. Both accounts must use the same email address. To add an administrator to the console, see Add, Edit, or Delete an Administrator in the Cloud Administration Console.


  1. Verify that the identity source containing the administrator accounts is synchronized, ensuring that the administrators' identity information is available to the Cloud Authentication Service. You can click Users > Management to see if specific administrators have been synchronized.

    Note: After identity source synchronization, administrators continue to sign in to the Cloud Administration Console using the passwords configured in My Account > Profile. Identity source passwords are never used to access the console.

  2. Add an access policy to configure the console authentication requirements. For instructions, see Add, Clone, or Delete an Access Policy. The policy must meet these criteria:

    • Include the identity source containing the administrators' accounts.
    • Allow you to access the console.
    • Not include FIDO in the selected assurance level or higher levels. FIDO is not supported for protecting the console.
  3. Make sure all administrators are enrolled to use the authenticators they need to access the console. For example, each person might need a SecurID Token or the SecurID app on a registered device. These authenticators must be specified in the access policy.

  4. Enable additional authentication for the console and select an access policy.
    1. In the Cloud Administration Console, click My Account > Company Settings and select the Sessions & Authentication tab.
    2. In the Additional Authentication field, click Enable.
    3. In the Access Policy for Additional Authentication field, select a policy to enforce authentication requirements for the console.
    4. Click Save Settings.
    5. Click Publish Changes to activate the settings. Additional authentication is required immediately after you publish.