Cloud Authentication Service Overview

The Cloud Authentication Service is an access and authentication platform with a hybrid cloud architecture. The Cloud Authentication Service enables your company to control how users access resources with centralized access and authentication policies and can accelerate user productivity with single sign-on (SSO).

The Cloud Authentication Service helps protect SaaS and on-premises web applications, third-party SSO solutions, and on-premises resources that support RADIUS. The Cloud Authentication Service includes transparent and interactive authentication methods for multifactor identity assurance. These methods include biometric methods such as fingerprint verification, hardware devices such as SecurID Token and FIDO authenticators, and context-based authentication using factors such as the user's location and network. Confidence in a user's identity can also be established through risk analytics, based on user characteristics such as past behavior, authenticators previously used for authentication, and other factors.

The following graphic illustrates how the Cloud Authentication Service works.


Note: The identity router can be deployed on-premises, in the Amazon Web Services cloud, or on your Authentication Manager server.


The Cloud Authentication Service provides the following key benefits:

  • Integration with RSA Authentication Manager 8.x to extend your RSA deployment by making additional authentication methods available to protect Authentication Manager resources.

  • Convenient multifactor authentication (MFA) that leverages capabilities built into devices through the RSA Authenticator app.

  • Centralized access control policies that consistently enforce different security requirements for applications based on assurance levels.

  • Support of relying parties, RADIUS-capable devices, SAML and non-SAML applications, OpenID Connect (OIDC) applications, and SaaS and on-premises web applications for MFA.

  • SSO with out-of-the-box connectivity to popular applications.

  • Single point of access to protected applications with the application portal.

  • LDAP directory server user passwords stay on-premises and are not synchronized to the Cloud Authentication Service.

  • RSA Authentication API, a REST-based programming interface that allows you to develop clients that process multifactor, multistep authentications through Authentication Manager and the Cloud Authentication Service. The interface definition can be integrated with any programming language. For instructions, see the RSA Authentication API Developer's Guide.

  • RSA Cloud Administration REST APIs, web service interfaces you can use to create clients that perform administrative operations. These operations include importing audit log events into your security information and event management (SIEM) solution, retrieving event logs from the Cloud Administration Service, and performing certain Help Desk functions. For instructions, see Using the Cloud Administration APIs.

Cloud Authentication Service Components

A Cloud Authentication Service deployment consists of four main components: the Cloud Authentication Service (which is both the name of the managed server and the name for the set of components), the Identity Router®, the Cloud Administration Console, and the RSA Authenticator app installed on user devices.


Note: The identity router can be deployed on-premises, in the Amazon Web Services cloud, or on your Authentication Manager server.

Cloud Authentication Service

The Cloud Authentication Service performs run-time authentication for the protected resources. The Cloud Authentication Service also allows RSA to modify and improve authentication capabilities.

The Cloud Authentication Service runs on Microsoft Azure, a cloud computing platform that is hosted through a global network of Microsoft data centers. RSA uses a multi-tenant database in an environment that shares infrastructure while segregating customer data to ensure privacy. Service levels and operational procedures are standardized for all customers due to the shared nature of the platform.

Identity Router®

The identity router is a virtual appliance that communicates with the following components.

Component Purpose
Cloud Authentication Service

The Cloud Authentication Service enforces access policies, which determine which applications users can access, when additional authentication is needed, and which authentication methods are required. For example, a policy might allow only your sales team to access an application with sensitive customer information. Access policies are based on session information, such as IP addresses (for example, within a corporate network or not).

Identity sources

Identity routers connect to identity sources in real-time and synchronize a limited subset of user data to the Cloud Authentication Service. A minimum amount of user data is required to register authenticators. LDAP directory server user passwords are never synchronized and remain secure on your directory server.

Authentication Manager

RSA Authentication Manager enables users to authenticate with SecurID tokens or the RSA Authenticator app from all access points controlled by Authentication Manager. For integration instructions, see Select an Integration Path for RSA Authentication Manager with the Cloud Authentication Service.

The identity router can be installed on the following platforms:

  • On VMware or Hyper-V virtual appliances on-premises within your network.

  • Amazon Web Services cloud (in a subnet)

  • Authentication Manager 8.5 or later

All platforms support RADIUS and single sign-on (SSO) in the Cloud Authentication Service, except for Authentication Manager 8.5 and later. For details about supported platforms and services, see Identity Router.

Cloud Administration Console

The Cloud Authentication Service component contains a hosted, multi-tenant Cloud Administration Console that Super Admins use to perform setup and daily management tasks. Super Admins and Help Desk administrators both use the console to troubleshoot user issues. This is a partial list of tasks that can be performed using the console:

  • Configure your company domain and certificates, if necessary.
  • Add and manage identity routers.
  • Add identity sources so the identity router can verify user attributes to allow or deny access to resources.
  • Add resources, such as relying parties, RADIUS clients, and applications.
  • Configure assurance levels that can be used by protected resources.
  • Configure access policies to determine user access to protected resources.
  • Configure the SecurID Application Portal.
  • Troubleshoot user issues with the Event Monitor.
  • Unlock tokencodes for users.
  • Manage user authenticators and known browsers.

The RSA Authenticator App

RSA My Page helps provide a secure way for users to complete registration with the RSA Authenticator app, using MFA and QR or numeric registration codes. My Page guides users through registration, including downloading the app from the Apple App Store, Google Play, or Microsoft Store. The administrator provides users with the My Page URL. After successful registration, users can complete authentication for applications that require it.