SecurID® Discussions

MichaelTougas
New Contributor

Offline Data for Aliased User

I have set up aliased accounts for our admins that have both a user account and an administrator account so that they only require one hardware token. I noticed that the Offline days never refresh for the aliased account. Is there a way to make this refresh or will that aliased account be forced to be 'online only' once the days expire?

While watching the authentication monitor I can see that when logging on as the aliased account (the admin) it is authenticated with the account with the token assigned (the user). A few seconds later a second request is made for Offline Authentication Data; this request is made using the aliased account name and fails. The error log shows that it is an "INVALID_PROOF".

0 Likes
Accepted Solutions
JayGuillette
Apprised Contributor

This won't work.

The alias is not a real UserID, it's an alias for the real UserID, therefore the Offline Policy only applies to the real UserID, therefore the real UserID is the only UserID that exists in AM and the only UserID that can have offline days.

So if you really need someone to have offline days, they need their own token. 

The alias use case only covers sharing a token between two UserIDs (that are the same person), and does not allow two sets of essentially the same offline day files.

7 Replies
_EricaChalfin
Employee (Retired)

Michael Tougas,

What version of the RSA Authentication Agent are you using?

Please also review 000032860 - Offline days not refreshing on RSA Authentication Agent 7.2.1 [101] for Windows with Authentication Manager … and review the messages in the referenced logs.

If you are not on the latest agent build, please get the latest version from the RSA Authentication Agent 7.4.2 Downloads for Microsoft Windows page and install it as a test.

Regards,

Erica

0 Likes
Is there another way for a single user to utilize 1 token for two accounts (user and admin) that allows the correct functionality of offline days?

0 Likes

Maybe with MFA Cloud based tokens, but you'll need to request Cloud access and deploy an Identity Router, IDR, and configure all your access policies. But not with a single 2FA token from Authentication Manager; they are not designed to be shared, they are designed to be securely separate.

0 Likes

And you'll need to wait for the new Cloud based Windows agent

0 Likes

Cloud based tokens are not possible in our environment. Thank you for the help.

0 Likes
JayGuillette
Apprised Contributor

Sorry. You could try an RFE, Request for Enhancement to Authentication Manager, either by opening a Support case or logging an idea at RSA Ideas for RSA SecurID Access, or voting for the existing idea "allowing multiple IS (Identity Source) users to have a single token assigned", as that sounds close to what you are looking for.

0 Likes