Cloud Authentication Service Quick Setup Guide for My Page SSO

This guide helps you quickly set up your production deployment for the Cloud Authentication Service and add authentication and single sign-on (SSO) for applications using My Page SSO.

Use this guide with the Planning Guide. If you have completed a deployment with another Quick Setup Guide and want to set up the deployment described in this guide, skip the steps you have already completed.

Note: This guide does not apply to deployments that plan to use the identity router embedded in Authentication Manager. The embedded identity router does not support SSO.

Step 1: Plan

Step 2: Configure Company Information and Certificates

Step 3: Deploy the Identity Router

Step 4: Enable IDR SSO Agent on the Cluster

Step 5: Connect LDAP Directory

Step 6: Add an Access Policy

Step 7: Enable My Page

Step 8: Protect a Resource

Step 9: Test

Step 1: Plan

There are a few things you need to plan to deploy your system.

What You Need to Know

RSA uses a hybrid architecture that consists of two components:

  • The Cloud Authentication Service is a cloud service that provides an easy-to-use Cloud Administration Console and powerful identity assurance engine.

  • The identity router is an on-premises virtual appliance that securely connects your on-premises resources, such as Active Directory, to the Cloud Authentication Service. This VM has two network interfaces. Place one interface in a public-facing network and the other in a private network where it can reach your Active Directory.

  • The identity router is a virtual appliance that securely connects your on-premises resources, such as Active Directory, to the Cloud Authentication Service. You can deploy the identity router in your on-premises VMware or Hyper-V environment, or in the Amazon Web Services (AWS) cloud.

Note: After an identity router is registered in a deployment, it cannot be reused in another deployment. For example, suppose you registered an identity router with Company A for a trial deployment, and you want to use the same identity router with Company A in a production deployment. You must add a new identity router (virtual machine) to the production deployment.

Additional information is available in the Planning Guide.

Planning Network Interfaces for the Identity Router

Relying party deployments support both standalone and embedded identity routers. For details on planning network interfaces, see Identity Router Network Interfaces and Default Ports.

RADIUS services are available in standalone identity routers that are deployed with one or two network interfaces. If the identity router is deployed with two network interfaces, the RADIUS service listens on the management interface. For details on planning network interfaces, see Identity Router Network Interfaces and Default Ports.

SSO Agent deployments require a standalone identity router. The identity router can be deployed with with one or two network interfaces. If the identity router is deployed with two network interfaces, the SSO agent will be available from the portal interface. For details on planning network interfaces, see Identity Router Network Interfaces and Default Ports.

In all deployments with AWS, the identity router has one network interface to which you assign public and private IP addresses and connect other network resources from the internet or your private network.

Planning Worksheet

Add your values to the following worksheet. You will use this information in the next section and during setup.

Item

 Your Values

Cloud Administration Console and

Cloud Authentication Service

  • US region:<authentication_service_domain>, *.access.securid.com, (52.188.41.46, 52.160.192.135).

  • ANZ region:<authentication_service_domain>, *.access-anz.securid.com (20.37.53.30, 20.39.99.202)

  • EMEA region: <authentication_service_domain>, *.access-eu.securid.com (51.105.164.237, 52.155.160.141)

  • Federal region: <authentication_service_domain>, *.access.securidgov.com (20.140.188.86, 52.244.104.80)

  • India region: <authentication_service_domain>, *.access-in.securid.com (20.198.118.36, 104.211.224.21)

Your authentication service domain appears in the Cloud Administration Console on the Platform > Identity Router > Registration page when you add an identity router.

For instructions on checking the status of your Cloud connections, see View Identity Router Status in the Cloud Administration Console.

To test access to the IP addresses, see Test Access to Cloud Authentication Service.

SSO Agent only:

Protected domain name

This is a unique subdomain prepended to your registered domain name and is used by all traffic managed by the identity router, for example, sso.example.com. For more information, see Protected Domain Name.

SSO Agent only:

Load balancer

  • DNS name (virtual IP)
  • Public IP address
  • Private IP address

Active Directory server

LDAP directory server

  • IP address
  • FQDN
  • Base DN of users (the root where users will be synchronized from, for example, DC=company, DC=com)
  • Administrator account credentials that RSA can use to connect to the directory server

DNS server IP address

DNS servers IP addresses

See Identity Router DNS Requirements.
NTP server IP address
Backups server IP address
Internal user subnet IP address

RADIUS only:

RADIUS client IP address
Required only for VMware and Hyper-V identity router deployments:

Identity router management interface (private, required for all deployments)

  • IP address
  • Netmask
  • Gateway
  • Short hostname
  • FQDN

Identity router portal interface (public, required for IDR SSO Agent deployments with on-premises identity router)

  • IP address
  • Netmask
  • Gateway
  • Short hostname
  • FQDN

Required only for Amazon Web Services identity router deployments:

Identity router

  • Private IP Address
    (Used for communication with internal resources in the same VPC, another VPC, or your on-premises network.)
  • Public Elastic IP Address
    (Used for communication with public resources over the internet if the identity router is in a public subnet. Not required if a NAT/load balancer with a public IP address manages traffic to the identity router.)
  • Short hostname
  • FQDN

Note: For identity routers in AWS, netmask and gateway information is obtained automatically during instance launch, according to the VPC subnet settings.

AWS environment configuration details

  • VPC
  • Private subnet
  • Public subnet
  • DHCP options set
  • Route tables
  • Security groups
  • Network ACLs

Connectivity Requirements

Replace the values in the table below with your values from the table above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules. Update your firewall rules before continuing with the next step.

Replace the values in the table below with your values from the table above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules for your network. If you deploy the identity router in the Amazon cloud, the route tables, security groups, and network ACLs in your AWS environment must also allow these connections. Update your connectivity settings before continuing with the next step.

Source

 Destination Protocol and Port Purpose

0.0.0.0/0

Cloud Authentication Service

Both Cloud Authentication Service environments

Both Cloud Authentication Service environments and <Your load balancer public IP address>

TCP 443

TCP 80, 443

External user access to Cloud Authentication Service

External user access to Cloud Authentication Service, application portal, and applications

SSO Agent only:

<Your internal (corp network) end users>

Both Cloud Authentication Service environments and

<Your load balancer private IP address>

TCP 80, 443

Internal user access to Cloud Authentication Service, application portal, and applications

< Your administrators>

For on-premises identity routers:


<Your identity router management interface IP address>

For identity routers in the Amazon cloud:
<Your identity router private IP address>

On-premises (two network interfaces):

TCP 443

One network interface or Amazon:

TCP 9786

 Identity Router Setup Console

For on-premises identity routers (one network interface):

<Your identity router management interface IP address>

For on-premises identity routers (two network interfaces):

<Your identity router portal interface IP address>

For identity routers in the Amazon cloud:

<Your identity router private IP address>

Cloud Administration Console and Cloud Authentication Service

Cloud Administration Console and both Cloud Authentication Service environments

Note: If your company uses URL filtering, be sure that *.access.securid.com, *.auth.securid.com, and the Cloud Authentication Service IP addresses for your region are whitelisted.

Note: If your company uses URL filtering, be sure that *.access.securid.com, *.auth.securid.com, and the Cloud Authentication Service IP addresses for your region are whitelisted. Also, confirm that you can access both environments. For instructions, see Test Access to Cloud Authentication Service.

 TCP 443 Identity router registration

For on-premises identity routers (one network interface):

<Your identity router management interface IP address>

For on-premises identity routers (two network interfaces):

<Your identity router portal interface IP address>

For identity routers in the Amazon cloud:

<Your identity router public IP address>

 <Your protected resource> TCP 443 or custom port Application integration

SSO Agent only:

<Your load balancer private IP address>

<Your identity router portal interface IP address>

TCP 80, 443 Load balancer traffic to pool members

SSO Agent only:

<Your load balancer private IP address>

<Your identity router management interface IP address> TCP 443 Load balancer health check of pool members

For on-premises identity routers:

<Your identity router management interface IP address>

For identity routers in the Amazon cloud:

<Your identity router private IP address>

<Your Active Directory server IP address>

<Your LDAP directory server IP address>

TCP 389

TCP 636

 LDAP directory user authentication and authorization

For on-premises identity routers:

<Your identity router portal interface IP address or identity router management interface IP address>

For identity routers in the Amazon cloud:

<Your identity router private IP address>

<Your DNS server IP address>

UDP 53 DNS

RADIUS only:

<Your RADIUS client IP address>

For on-premises identity routers:

<Your identity router management interface IP address>

For identity routers in the Amazon cloud:

<Your identity router private IP address>

 UDP 1812 RADIUS

RADIUS only:

<Your RADIUS client IP address>

For on-premises identity routers:

<Your identity router management interface IP address>

For identity routers in the Amazon cloud:

<Your identity router private IP address>

 UDP 1812

(Optional) RADIUS

For on-premises identity routers:

<Your identity router portal interface IP address or identity router management interface IP address>

For identity routers in the Amazon cloud:

<Your identity router private IP address>

 <Your NTP server IP address> UDP 123 Network time server synchronization
<Your administrator computer>

For on-premises identity routers:

<Your identity router management interface IP address>

For identity routers in the Amazon cloud:

<Your identity router private IP address>

 TCP 22

(Optional) SSH for troubleshooting

See Access SSH for Identity Router Troubleshooting.

Step 2: Configure Company Information and Certificates

This step is mandatory if you are deploying HTTP Federation Proxy, Trusted Header, or NTLM applications.

Procedure

  1. In the Cloud Administration Console, click My Account > Company Settings and select the Company Information tab.

  2. Enter the Protected Domain Name.

    securid_watchthevideographic.png

  3. Upload the following files:

    • The Private Key that matches the public certificate. Ensure that the private key is not password protected.
    • The Public Certificate that was issued from the certificate authority (CA) for your domain. Use a wildcard certificate.
    • The Certificate Chain that was provided by the CA, which is valid for your public certificate.

    securid_watchthevideographic.png

  4. Click Save Settings.

Step 3: Deploy the Identity Router

Perform these steps to set up an identity router quickly using only required settings. If you want to use advanced configuration options, see Deploying an Identity Router - Advanced Setup.

securid_watchthevideographic.png

Add an Identity Router

Procedure

  1. Sign into the Cloud Administration Console using the URL and credentials that RSA emailed to you.
  2. Click Platform > Identity Routers.

  3. On the Identity Routers page, click Add an Identity Router, and follow the instructions.

    Under Registration Details, copy the Registration Code and Authentication Service Domain to a location where you can access them later on.

    securid_registration_code3.png

  4. Click Close.

Install or Create the Identity Router Virtual Appliance or Machine

You can install the virtual appliance image using a VMware administration client such as vSphere, by either connecting to the VMware vCenter Server, or connecting directly to the VMware ESXi host.

Or you can use Hyper-V Manager or Amazon Web Services EC2 to create a virtual machine for the identity router.

Procedure

  1. In the Cloud Administration Console, click Platform > Identity Routers.

  2. Click Download Identity Router Image>Download OVA (for VMware), and save the image to a location accessible by VMware.

  3. Click Download Identity Router Image and do one of the following:
    • For VMware, click Download OVA Image for VMware, and save the image to a location accessible by VMware.
    • For Hyper-V, click Download VHD Image for Hyper-V, and save the image to a location accessible by Hyper-V.
    • For Amazon Web Services:
      1. Click Access AMI Image for Amazon.
      2. Enter your AWS Account ID.
      3. Click Update AMI Access.
      4. Note the values in the Identity Router AMI Name and AWS Regions with AMI Access fields. You can search the AWS private images catalog using these values to quickly locate the AMI.

    Note: If you do not see the options to download an identity router image, be aware that RSA is working behind-the-scenes to make these images available to you. RSA will send you an email when these images are available for download.

  4. To install the identity router virtual appliance, sign into the VMware client and do the following:

      1. Follow the VMware client documentation to install the virtual appliance from the image. When prompted, enter the following data:

        • Name to use for the virtual appliance
        • VMware host or cluster for the virtual appliance
        • Resource pool for the virtual appliance
        • Storage location or data store to use for the virtual appliance
        • Format for storing virtual disks
        • Networks to be used for the virtual appliance

      2. Power on the virtual machine.

  5. Do one of the following:

    • To use VMware, sign into the VMware client, do the following:

      1. Follow the VMware client documentation to install the virtual appliance from the image. When prompted, enter the following data:

        • Name to use for the virtual appliance
        • VMware host or cluster for the virtual appliance
        • Resource pool for the virtual appliance
        • Storage location or data store to use for the virtual appliance
        • Format for storing virtual disks
        • Networks to be used for the virtual appliance

      2. If you are deploying the identity router with a single network interface, then delete the second network interface.

      3. Power on the virtual machine.

    • To use Hyper-V Manager, sign into Hyper-V Manager, and do the following:

      1. Click Hyper-V Host > New > Virtual Machine.

      2. Follow the wizard. In each dialog box, provide the following information.

        Dialog Box Required Information
        Specify Name and Location Name of the identity router virtual machine.
        Specify Generation Select Generation 1.
        Assign Memory Startup memory = 8192 MB (recommended).
        Configure Networking Select the network for the management network adaptor.
        Connect Virtual Hard Disk Select Use an existing virtual hard disk and browse to the location where the identity router VHD image is available.
        Completing the New Virtual Machine Wizard Review and click Finish.
      3. Perform these steps only for deployments with two network interfaces:

        • To configure the second network, select the new virtual machine, right-click, and select Settings .

        • On the Add Hardware page, select Network Adapter and click Add.

        • Select the network for your portal interface, then click Apply and OK.

      4. Select the new virtual machine from the list of virtual machines. Right-click and select Start.

      5. With the virtual machine selected, right-click again and select Connect.

    • To use Amazon Web Services, sign into Amazon EC2 and follow the documentation provided by Amazon to do the following:
      1. Make sure your AWS environment includes a VPC which meets the following requirements:
        • Private and public subnets are configured according to your deployment requirements.
        • Route tables, security groups, and network ACLs are configured to allow necessary traffic to and from the other network resources in your deployment, such as users and identity sources.
        • All DNS servers required for your deployment are specified in the DHCP options set.
      2. Launch the virtual instance using the AMI.
        When prompted, specify the following:
        3. SettingDescription
        AMI templateThe AMI template image provided by RSA.
        Instance typeDetermines presets for the virtual instance. The identity router requires a t2.large instance or greater.
        Virtual Private Cloud (VPC)The section of your Amazon environment where you will deploy the identity router.
        SubnetA subnetwork within your VPC where you will deploy the identity router. The subnet can be either public or private, depending on how resources and users will connect to the identity router.
        Auto-assign Public IPDetermines whether Amazon issues dynamic public IP addresses for the identity router, or the IP address is determined by the subnet settings. If your organization manages its own DNS service, RSA recommends allocating a persistent Elastic IP address through Amazon Web Services, and assigning it to the identity router instance after you complete the launch process.
        StorageVirtual storage space. The identity router requires 54 GB General Purpose SSD (GP2) storage.
        TagsOptional labels that describe this identity router. RSA recommends adding a tag specifying the Fully Qualified Domain Name, which acts as a unique identifier to differentiate this identity router from others in your deployment.
        Security groupsFirewall rules that control traffic to and from the identity router. Add security groups that allow necessary traffic from other network resources according to your deployment model.
      3. Review the configuration and launch the instance.
      4. If prompted to select a key pair, select Proceed without a keypair.
      5. Use the Get instance screenshot feature to monitor instance deployment status. When deployment is complete, refresh the screenshot and write down the URL displayed for the Identity Router Setup Console.

Configure Initial Network Settings Using the Identity Router VM Console

You use the Identity Router VM Console to configure IP addresses and static routes for on-premises identity routers deployed in your VMware or Hyper-V environment.

Note: This procedure is not required for identity routers in the Amazon Web Services cloud.

Procedure

  1. Connect to the identity router using your VMware management client.
  2. Connect to the identity router using your VMware or Hyper-V management client.
  3. Sign into the Identity Router VM Console:

    Username: idradmin

    Password: s1mp13

    You are prompted to change these credentials the first time you sign in.

  4. Refer to the planning worksheet for the values to complete the Management sections.

    Use the Up and Down arrows to navigate the main menu. Press Enter to select a menu option or configure its settings. Use Tab and Shift + Tab to navigate between settings and back to the main menu. When the cursor is in the settings panel, press F10 to save or Esc to revert. Press F10 after you complete each section to save your values.

  5. Select Commit in the left-hand frame to save the network configuration settings.

  6. Write down the URL that appears.

    securid_ngx_g_quick_start_commit_idr_settings.jpg

Connect Identity Router to Cloud Administration Console

Procedure

  1. Open a web browser and go to the URL that you wrote down in the previous section.

  2. Sign into the Identity Router Setup Console:

    Username: idradmin

    Password: s1mp13

    You are prompted to change these credentials the first time you sign in.

  3. Add any DNS servers that you did not add in the Identity Router VM Console.

    Note: These DNS server settings do not apply for identity routers in the Amazon cloud. Edit the DHCP option set in your Amazon Web Services environment if you need to add DNS servers for an Amazon cloud-based identity router.

  4. If you enabled two network interfaces in the Identity Router VM Console, update the IDR Portal Interface Information section with appropriate details.

  5. Click Update IDR Setup Configuration.

  6. Click Connect Administration Console.

  7. In the Registration Code field, enter the Registration Code displayed when you added the identity router in the Cloud Administration Console.

  8. In the Authentication Service Domain field, enter the Authentication Service Domain displayed when you added the identity router in the Cloud Administration Console.

  9. Click Submit.

    A confirmation message appears when the identity router is connected to the Cloud Administration Console. Also, note that the Identity Router Setup Console contains other pages that provide network diagnostics and detailed logs for the identity router.

  10. Sign into the Cloud Administration Console to check the status of the identity router (Platform > Identity Routers).

    When the identity router is connected to the Cloud Administration Console, the status reads Active. This process usually takes up to five minutes.

  11. In the Cloud Administration Console, click Publish Changes to apply the configuration settings for the new identity router.

Step 4: Enable IDR SSO Agent on the Cluster

This step is mandatory if you are deploying HTTP Federation Proxy, Trusted Header, or NTLM applications.

securid_watchthevideographic.png

Procedure

  1. In the Cloud Administration Console, click Platform > Clusters.
  2. Select Edit from the drop-down menu next to the cluster.

  3. Select the Enable the SSO service on all identity routers in the cluster check box.

  4. (Optional) Select Enable the Web Portal on all identity routers in the cluster to make the IDR web portal available.

    Note: This check box is available only if Identity Router based portal is enabled.

  5. Enable high availability.

  6. Enter the load balancer DNS name from the planning checklist.

  7. Click Save and Finish.

  8. Click Publish Changes.

Step 5: Connect LDAP Directory

Add a Connection to LDAP Directory

Perform these steps to connect to an LDAP directory quickly using only required settings. If you want to use advanced options, see Add an Identity Source.

securid_watchthevideographic.png

Procedure

  1. In the Cloud Administration Console, click Users > Identity Sources.
  2. Click Add an Identity Source > Select next to Active Directory.
  3. Click Add an Identity Source > Select next to the directory to add.
  4. Enter the identity source name and root (the base DN for users from the planning worksheet).
  5. In the SSL/TLS Certificate section, unselect Use SSL/TLS encryption to connect to the directory servers.

  6. In the SSL/TLS Certificates section:
    1. Select Use SSL/TLS encryption to connect to the directory servers.
    2. Click Add and select the SSL/TLS certificate.
  7. In the Directory Servers section, add each directory server in the identity source, and test the connection.
  8. Click Next Step.
  9. On the User Attributes page, click Refresh Attributes, and verify that a valid list of attributes appears.

  10. Select Use selected policy attributes with the Cloud Authentication Service.

    securid_ngx_g_use_selected_attributes.png

  11. In the Policies column, select sAMAccountName, virtualGroups, and memberOf or other attributes that you might use to identify users.

    securid_attributes2.png

  12. Click Next Step.

  13. In the User Search Filter field, specify your test group using a filter. The following is an Active Directory example:

    (&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf=<yourgroup_distinguishedName>))

    Where <yourgroup_distinguishedName> is the name of your test administrator group.

    For example, (&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf=CN=SecurIDAccessUsers,OU=Groups,DC=Corp,DC=local))

  14. Click Save and Finish.
  15. Click Publish Changes.

Synchronize LDAP Directory for the Cloud Authentication Service

Synchronize data between the Cloud Authentication Service and your LDAP directory to ensure that the Cloud Authentication Service reflects any updates made to the LDAP directory.

During synchronization, users are added and attribute values that you selected in the previous step are copied to the Cloud Authentication Service. User passwords are not synchronized.

Procedure

  1. In the Cloud Administration Console, click Users > Identity Sources.
  2. Next to your identity source, select Synchronization from the drop-down menu.

  3. In the Identity Source Details section, click Synchronize Now.

    Depending on the number of users you are synching, this process can take a number of minutes.

Step 6: Add an Access Policy

Create an access policy that you will assign to RSA My Page (a web portal used for authenticator registration) when you configure it. For simplicity, this access policy will not require additional authentication of users. You can change this policy in the future.

Perform these steps to add a policy using only required settings. If you want to set up a more complex policy, see Add an Access Policy.

Procedure

  1. Sign in to the Cloud Administration Console.
  2. Click Access > Policies.
  3. Click Add a Policy.
  4. Enter the name (for example, No Additional Authentication), and select the identity source.

  5. On the Rule Sets page, do the following:

    1. In Apply to, select All Users.
    2. In the Access, specify Allowed.
    3. In Additional Authentication, select Not Required.

    securid_ngx_g_no_additional_auth.png

  6. Click Save and Finish.

  7. Click Publish Changes.

Step 7: Enable My Page

RSA My Page is a web portal that helps provide a secure way for users to complete authenticator registration. Perform these steps to enable My Page for your company. If you want to configure advanced settings for My Page, see Manage My Page.

securid_watchthevideographic.png

Procedure

  1. In the Cloud Administration Console, click Access > My Page.

  2. In the Self Service tab, enable Self-Service.

  3. Write down your My Page URL.

  4. In the Access Policy for Additional Authentication drop-down list, select the No Additional Authentication policy that you created earlier.

  5. In the Single Sign-On (SSO) tab, enable SSO Portal Settings.

  6. In the Primary Authentication Method drop-down list, select the authentication method to use.

  7. In the Access Policy for Additional Authentication drop-down list, select the No Additional Authentication policy that you created earlier.

  8. Click Save.

Step 8: Protect a Resource

The Application Catalog in the Cloud Administration Console provides connection templates for popular web applications such as Cisco WebEx, Salesforce, and Microsoft Outlook Web Access. These applications require minimal configuration to enable them for single sign-on (SSO) through the application portal. In the configuration wizard, select the preconfigured policy All Users Low Assurance Level as the access policy.

For the list of technology partners and configuration details, see RSA integrations.

You can also configure a custom application connection using one of the following connector templates: SAML Direct, HTTP Federation Proxy, or Trusted Headers.

Step 9: Test

Register a Device with the RSA Authenticate App

Perform these steps to quickly register a device. For additional information, see Registering Devices with RSA Authenticate App.

securid_watchthevideographic.png

Procedure

  1. On one device (for example, your computer), do the following:

    1. Go to RSA My Page.

    2. Enter your User ID and Password.

    3. Click Submit.

    4. Complete any additional authentication that you are prompted for.

    5. In the Authenticators tab, click Register an authenticator.

    6. Click RSA Authenticate App.

  2. On another device ( iOS, Android, or Windows 10 ), download the RSA Authenticate app:

  3. On your computer, on the Registration page, click Next.

  4. On your mobile device, do the following:

    1. Open the RSA Authenticate app.

    2. Tap Allow to allow the Authenticate app to send notifications.

    3. Allow or deny Google Analytics data collection. You can select either option to use the Authenticate app.

    4. Accept the license agreement.

    5. Tap Scan QR Code.

    6. Allow the app to access your camera.

    7. Scan the QR code that displays in My Page.

    8. Tap OK after setup is complete.

    9. Swipe through the tutorial.

    10. The app home screen appears, and the app is ready for use.

  5. On your computer, on the Registration page, click Test Now. If you do not want to test, you can click Done.

  6. RSA sends a notification to your registered device.

  7. On your mobile device, tap the notification and approve it.

  8. The My Page home screen displays. You have successfully registered and tested your device.

Sign Into the Protected Resource

Procedure

  1. Start the sign-in process to the protected resource.

    RSA sends a notification to your phone.

  2. Tap Approve on your mobile device.

  3. Select Remember this browser, and click Continue.

    You are signed into the resource.