Certified: 4th February 2019
Authentication Agent integrations use an embedded RSA agent to provide RSA SecurID and Authenticate Tokencode authentication methods within the partner’s application. Authentication agents are simple to configure and support the highest rate of authentications.
This section shows all of the supported features by integration type and by RSA SecurID Access component. Use this information to determine which integration type and which RSA SecurID Access component your deployment will use. The next section contains the steps to integrate RSA SecurID Access with VMware vSphere/vCenter for each integration type.
Authentication Methods | Authentication API | RADIUS | Relying Party | SSO Agent |
---|---|---|---|---|
RSA SecurID | - | - | - | - |
LDAP Password | - | - | - | - |
Authenticate Approve | - | - | - | - |
Authenticate Tokencode | - | - | - | - |
Device Biometrics | - | - | - | - |
SMS Tokencode | - | - | - | - |
Voice Tokencode | - | - | - | - |
FIDO Token | n/a | n/a | - | - |
Identity Assurance | - | - | - | - |

Authentication Methods | Authentication API | RADIUS | Authentication Agent |
---|---|---|---|
RSA SecurID | - | - | ✔ |
On-Demand Authentication | - | - | ✔ |
Risk-Based Authentication | n/a | - | - |

✔ | Supported |
- | Not supported |
n/t | Not yet tested or documented, but may be possible. |
The following links provide instructions on how to integrate VMware vSphere/vCenter with RSA SecurID Access.
This document is not intended to suggest optimum installations or configurations. It assumes the reader has both working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All RSA SecurID Access and VMware vSphere/vCenter components must be installed and working prior to the integration.
Date of testing: 4th February 2019
RSA Authentication Manager 8.4, Virtual Appliance
VMware vSphere / vCenter 6.7
Load Balancing
VMware KB article regarding SecurID AuthAPI load balancing: https://kb.vmware.com/kb/66729. It is a workaround to address the following RSA Java AuthAPI issue:
AAJAVA-311 — Fixed a load balancing issue. In certain circumstances, if the first RSA Authentication Manager server in the round-robin load balancing sequence was unreachable, the connection would fail, instead of failing over to the next server configured in sdconf.rec.
Challenge-Response
Currently VMware vSphere 6 u2 does not support any challenge-response features. As a result, RSA is unable to certify vSphere as RSA Ready.
The lack of challenge-response support affects the user under the following conditions: an RSA AM administrator forces the change of a user- or system-generated PIN, or RSA Authentication Manager requires the user to enter the next tokencode.
The SecurID challenge-response is essential to the functionality and usability of the integration. Without challenge-response support, users are unaware that SecurID is requesting the authorization of a new system-generated PIN, the creation of a new user PIN, or the use of the next tokencode. As a result, users have to contact their customer support group to determine the cause of the vSphere login “Invalid Credentials” message.