Quick Setup - Connect RSA Authentication Manager to the Cloud Authentication Service with an Embedded Identity Router

This guide helps you quickly set up your production deployment for the Cloud Authentication Service with an embedded identity router in Authentication Manager 8.5 or later.

An Identity Router is software that enforces authentication and access for users of protected resources. By downloading and configuring the embedded identity router to the Authentication Manager primary and each replica instance, you can save the time and cost of deploying separate identity routers in your network.

The embedded identity router supports authentications to third-party SSO solutions that use the Cloud Authentication Service as the identity provider (IdP) for managing authentication, as described in Relying Parties. It also supports My Page authentications and authentications sent direct to the Cloud Authentication Service via the SecurID Authentication API. The latter includes RSA products RSA Authentication Agent for Microsoft® AD FS and RSA MFA Agents that use the API, as well as custom implementations that use the API. The embedded identity router does not support authentication to applications through RADIUS in the Cloud Authentication Service, nor IDR-Based single sign-on (SSO) Web Applications using the SecurID Application Portal. To use IDR-based RADIUS or IDR-based SSO, you must deploy at least one identity router on another platform.

The embedded identity router does not support transferring ownership of SecurID 700 hardware tokens from Authentication Manager to the Cloud Authentication Service. To transfer ownership and administration of assigned and unassigned SecurID 700 hardware token, you must have an existing direct connection between Authentication Manager and the Cloud Authentication Service. For instructions, see Connect RSA Authentication Manager to the Cloud Authentication Service.

Perform these steps:

Note: To view this page as a PDF, click Actions > View as PDF.

Step 1: Plan

Review the Planning Guide for a conceptual overview of the Cloud Authentication Service.

What You Need to Have

Item Description
Authentication Manager 8.5 or later. Authentication Manager must be deployed in your environment.
A Cloud Authentication Service account with sign-in credentials for the Cloud Administration Console.

If you do not already have an account, call 1 800 995-5095 and choose Option 1 to speak to your RSA Sales Representative.

An external identity source (Active Directory or LDAP server) supported by your current version of Authentication Manager. Create a group of a limited number of users (for example, SecurID Test Group) to synchronize and test with.
SSL/TLS certificate from your LDAP directory server Used for an encrypted connection (LDAPS) to your directory server. Download the SSL/TLS certificate from your directory server. If your directory server does not have a certificate, install one. See Cloud Authentication Service Certificates.
A mobile device or Windows PC See RSA Authenticate Device Requirements.

What You Need to Know

RSA uses a hybrid architecture that consists of two components:

  • The Cloud Authentication Service provides an easy-to-use Cloud Administration Console and powerful identity assurance engine.

  • An identity router that does the following:

    • Connects the Cloud Authentication Service to your identity sources.

    • Sends authentication requests to the Cloud Authentication Service for validation.

    • Enforces access policies to determine which applications users can access, when additional authentication is needed, and which authentication methods are required.

You are deploying an embedded identity router, which is easier to set up than a standalone identity router.

Add your values to the following worksheet. You will use this information later.

Item Your Values
Cloud Administration Console and Cloud Authentication Service

  • US region:<authentication_service_domain>, *.auth.securid.com, *.access.securid.com (52.188.41.46, 52.160.192.135)

  • ANZ region:<authentication_service_domain>, *.auth-anz.securid.com, *.access-anz.securid.com (20.37.53.30, 20.39.99.202)

  • EMEA region: <authentication_service_domain>, *.auth-eu.securid.com, *.access-eu.securid.com (51.105.164.237, 52.155.160.141)

  • Federal region: <authentication_service_domain>, *.auth.securidgov.com, *.access.securidgov.com (20.140.188.86, 52.244.104.80)

  • India region: <authentication_service_domain>, *.auth-in.securid.com, *.access-in.securid.com (20.198.118.36, 104.211.224.21)

Your authentication service domain appears in the Cloud Administration Console on the Platform >Identity Router > Registration page when you add an identity router.

To check the status of your Cloud connections, see View Identity Router Status in the Cloud Administration Console.

To test access to the IP addresses, see Test Access to Cloud Authentication Service.
Telemetry telemetry.access.securid.com
Embedded identity router

  • US region: sidaccessovap2useast.blob.core.windows.net, sidaccessovap2uswest.blob.core.windows.net

  • ANZ region: sidaccessovap4auc.blob.core.windows.net, sidaccessovap4auc2.blob.core.windows.net

  • EMEA region: sidaccessovap3eun.blob.core.windows.net, sidaccessovap3euwest.blob.core.windows.net

  • Federal region: sidaccessovap5govva.blob.core.usgovcloudapi.net

LDAP directory server

  • IP address
  • FQDN
  • Base DN of users (the root where users will be synchronized from, for example, DC=company, DC=com)
  • Administrator account credentials that RSA can use to connect to the directory server

Connectivity Requirements

Replace the values in the table below with your values from the table above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules for your network. Update your connectivity settings before continuing with the next step.

Source Destination Protocol and Port Purpose
0.0.0.0/0 Both Cloud Authentication Service environments TCP 443 External user access to Cloud Authentication Service

The embedded identity router supports the use of one network interface.


<Your identity router management interface IP address>

Cloud Administration Console and both Cloud Authentication Service environments

Note: If your company uses URL filtering, be sure that *.access URL ( *.access.securid.com, *.access-anz.securid.com, *.access-eu.securid.com, *.access.securidgov.com, or *.access-in.securid.com), *.auth URL (*.auth.securid.com, *.auth-anz.securid.com, *.auth-eu.securid.com, *.auth.securidgov.com, or *.auth-in.securid.com), and the Cloud Authentication Service IP addresses for your region are whitelisted. Also, confirm that you can access both environments.

TCP 443 Identity router registration
All Authentication Manager primary and replica instances

The two embedded identity router URLs for your region that are listed in the previous table.

TCP 443 Embedded identity router deployment
<Your identity router management interface IP address>

<Your LDAP directory server IP address>

 TCP 636 LDAP directory user authentication and authorization
<Your identity router portal interface IP address or identity router management interface IP address> <Your DNS server IP address> UDP 53 DNS
<Your identity router portal interface IP address or identity router management interface IP address> <Your NTP server IP address> UDP 123 Network time server synchronization
RSA Authentication Manager internal firewall Authentication Manager TCP 9786 Identity router configuration and to communicate with Authentication Manager

Step 2: Set Up the Cloud Connection

If your current Authentication Manager deployment is not connected to the Cloud Authentication Service or if you connected before upgrading to version 8.5, you must configure the connection.

Before you begin

Know which access policy will be applied to all users who access these resources, or configure a new access policy. An access policy determines which users can access your protected resources and which authentication methods they are required to use. You can use a preconfigured policy or create your own. For more information, see Access Policies.

Procedure

Procedure

  1. In the Cloud Administration Console, generate the Registration Code and Registration URL as described in Connect Authentication Manager to the Cloud Authentication Service. This code is valid for 24 hours. You can either copy the code to a text file and save it for later or leave the window open to copy it when you configure the connection from the wizard-based interface in the Security Console.

  2. In the Security Console, click Setup > System Settings.

  3. Click Cloud Authentication Service Configuration.

  4. If Authentication Manager is behind an external firewall that restricts outbound traffic, you must configure a proxy server.

  5. Connect Authentication Manager to the Cloud Authentication Service:

    1. Under Register Authentication Manager with the Cloud Authentication Service, copy and paste the Registration Code and the Registration URL.
    2. Click Connect to the Cloud Authentication Service.

    A message indicates that the connection is established. The Cloud Authentication Service details are automatically updated and saved.

  6. Under Cloud Authentication Service Configuration, click Enable Cloud Authentication.

  7. Optionally, select the Send Multifactor Authentication Requests to the Cloud check box.

    When selected, Authentication Manager acts as a secure proxy server that sends authentication requests to the Cloud Authentication Service. This feature supports all authentication methods supported by REST protocol authentication agents, whether verified by Authentication Manager or the Cloud Authentication Service.

  8. Click Save.

Step 3: Deploy the Embedded Identity Router

You can download and configure the embedded identity router on the primary instance and at least one replica instance. Deploying more than one identity router provides redundancy in a promotion for maintenance or disaster recovery situation. The embedded identity router is not included in Authentication Manager backup files.

Procedure

  1. In the Cloud Administration Console add an identity router record. Either record the Registration Code and the Authentication Service Domain or plan to copy this information later.

  2. In the Security Console, click Setup > System Settings.

  3. Click Cloud Authentication Service Identity Router.

  4. Click Download & Install Identity Router.

    Progress messages display. The process takes a couple of minutes, depending upon your network speed.

    You can click Back to navigate away from the page without stopping the process.

    After installation is complete, you must register the identity router with the Cloud Authentication Service.

  5. Click Configure Identity Router to open the Identity Router Setup Console.

  6. The first time you log on, use these credentials:

    Username: idradmin

    Password: s1mp13

    You are prompted to change the password.

    Record this password, so that you can access it when you need it.

  7. Sign in with the new password.

  8. Find the Registration Code and Authentication Service Domain fields you copied in Step 1 and paste them into the Identity router Setup Console.

  9. Click Submit. The identity router is registered with the Cloud Authentication Service.

After you finish

(Optional) Deploy the embedded identity router on at least one replica instance.

Step 4: Connect the LDAP Directory to the Cloud Authentication Service

Perform these steps to connect to an LDAP directory quickly using only required settings. If you want to use advanced options, see Add an Identity Source.

securid_watchthevideographic.png

Procedure

  1. In the Cloud Administration Console, click Users > Identity Sources.

  2. Click Add an Identity Source > Select next to the directory to add.

  3. Enter the identity source name and root (the base DN for users from the planning worksheet).

  4. In the SSL/TLS Certificates section:

    1. Select Use SSL/TLS encryption to connect to the directory servers.

    2. Click Add and select the SSL/TLS certificate.

  5. In the Directory Servers section, add each directory server in the identity source, and test the connection.

  6. Click Next Step.

  7. On the User Attributes page, click Refresh Attributes, and verify that a valid list of attributes appears.

  8. Select the checkbox Synchronize the selected policy attributes with the Cloud Authentication Service.

  9. In the Policies column, select sAMAccountName, virtualGroups, and memberOf or other attributes that you might use to identify users.

    securid_attributes2.png

  10. Click Next Step.

  11. In the User Search Filter field, specify your test group using a filter. The following is an Active Directory example:

    (&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf=<yourgroup_distinguishedName>))

    Where <yourgroup_distinguishedName> is the name of your test administrator group.

    For example, (&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf=CN=SecurIDAccessUsers,OU=Groups,DC=Corp,DC=local))

  12. Click Save and Finish.

  13. Click Publish Changes.

Synchronize the LDAP Directory

Synchronize data between the Cloud Authentication Service and your LDAP directory to ensure that the Cloud Authentication Service reflects any updates made to the LDAP directory.

During synchronization, users are added and attribute values that you selected in the previous step are copied to the Cloud Authentication Service. User passwords are not synchronized.

Procedure

  1. In the Cloud Administration Console, click Users > Identity Sources.

  2. Next to your identity source, select Synchronization from the drop-down menu.

  3. In the Identity Source Details section, click Synchronize Now.

    Depending on the number of users you are synching, this process can take a number of minutes.

Step 5: Enable My Page

RSA My Page is a web portal that helps provide a secure way for users to complete authenticator registration. Perform these steps to enable My Page for your company. If you want to configure advanced settings for My Page, see Manage My Page.

securid_watchthevideographic.png

Procedure

  1. In the Cloud Administration Console, click Access > My Page.

  2. In the Self Service tab, enable Self-Service.

  3. Write down your My Page URL.

  4. In the Access Policy for Additional Authentication drop-down list, select the No Additional Authentication policy that you created earlier.

  5. In the Single Sign-On (SSO) tab, enable SSO Portal Settings.

  6. In the Primary Authentication Method drop-down list, select the authentication method to use.

  7. In the Access Policy for Additional Authentication drop-down list, select the No Additional Authentication policy that you created earlier.

  8. Click Save.

Step 6: Protect a Resource

Configure an application to be protected by RSA. The application must be a third-party SSO solution that uses the Cloud Authentication Service as the identity provider (IdP) for managing authentication, as described in Relying Parties. In the configuration wizard, select the preconfigured access policy All Users Low Assurance Level. If you prefer to create a policy, see Add, Clone, or Delete an Access Policy.

For instructions for all supported applications, see RSA Ready.

Step 7: Test

Register a Device with the RSA Authenticator App

Perform these steps to quickly register a device. For additional information, see Registering Devices with the RSA Authenticate App.

securid_watchthevideographic.png

Procedure

  1. On one device (for example, your computer), do the following:

    1. Go to RSA My Page.

    2. Enter your User ID and Password.

    3. Click Submit.

    4. Complete any additional authentication that you are prompted for.

    5. Click Register an authenticator.

    6. Click RSA Authenticator App.

  2. On another device ( iOS, Android, or Windows 10 ), install the Authenticator App:

  3. On your computer, on the Registration page, click Next.

  4. On your mobile device, do the following:

    1. Open the Authenticator app.

    2. Accept the license agreement.

    3. Tap Allow to allow the Authenticator app to send notifications.

    4. Allow or deny Google Analytics data collection. You can select either option to use the Authenticator app.

    5. Tap Get Started.

    6. Allow the app to access your camera.

    7. Scan the QR code that displays on My Page.

    8. Tap OK after setup is complete.

    9. The app home screen appears, and the app is ready for use.

  5. On your computer, on the Registration page, click Test Now. If you do not want to test, you can click Done.

  6. RSA sends a notification to your registered device.

  7. On your mobile device, tap the notification and approve it.
    The My Page home screen displays. You have successfully registered and tested your device.

Step 8: Sign Into the Protected Resource

Procedure

  1. Start the sign-in process to the protected resource.

    RSA sends a notification to your phone.

  2. Tap Approve on your mobile device.

  3. Select Remember this browser, and click Continue.

    You are signed into the resource.

Step 9: Optional Next Steps

Task Instructions

Invite existing users to complete the authentication registration process using My Page to help you test the new deployment.

  1. Prepare users with the resources provided by Educating Your Users.

  2. Decide if you want to customize the email template that will be used to invite users. See Customize the Cloud Authentication Service Invitation.

  3. Invite users to install and register the Authenticator app and access agent-protected resources. See Send an SecurID Authenticate Invitation to Users.
View the status of the identity routers, test the identity router, and perform related tasks. Manage Identity Routers in the Cloud Administration Console
Troubleshoot identity router issues.

Download Troubleshooting Files

Enable Emergency Debug Logging

Generate and Download the Identity Router Log Bundle