Article Number
000036556
Applies To
RSA Product Set: SecurID Access
Issue
When the RSA Cloud Authentication Service is enabled for an application, it is important to make sure that end users cannot bypass the Service and access the application directly with weaker, or perhaps no authentication.
Task
Check your application's documentation and/or the application's Integration Guide on RSA Link to see if it has a configuration option that will enforce access using only a single authentication source. Applications that support RADIUS or Relying Party or SAML single sign-on will typically prevent authentication by any other means, once those options are enabled. However, when HTTP Federation or Trusted Headers are used, there will probably not be a built-in means within an application that prevents bypass of the RSA Cloud Authentication Service.
Resolution
An internal application or website protected by HTTP Federation or Trusted Headers can be limited to only accepting incoming connections from the RSA Identity Routers' proxy IP address, thereby denying access from any other source. This can be achieved with a firewall.
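
One way to express that restriction, as an added example that is not taken from RSA documentation: a shell helper that validates the identity router proxy addresses and emits an nftables ruleset for a Linux application server. It assumes a host firewall running nftables; the function names, the table and set names, port 443 and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not RSA code): emit an nftables ruleset that lets only the
# identity routers' proxy addresses reach the protected application's port.

# is_ipv4 ADDR: succeeds only for a dotted-quad IPv4 address.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# idr_only_ruleset PORT ADDR...: print the ruleset, or fail on bad input
# before anything is printed, so a typo never yields a partial allow-list.
idr_only_ruleset() {
    port=$1; shift
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    [ "$#" -ge 1 ] || { echo "no identity router address given" >&2; return 1; }
    elements=
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
        elements="${elements:+$elements, }$addr"
    done
    cat <<EOF
table inet app_guard {
    set idr_proxies {
        type ipv4_addr
        elements = { $elements }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # Only the identity routers may reach the application port.
        tcp dport $port ip saddr @idr_proxies accept
        # Everything else to that port, IPv6 included, is dropped.
        tcp dport $port drop
    }
}
EOF
}

# Constructed sample: two identity router proxy addresses, application on 443.
idr_only_ruleset 443 192.0.2.10 192.0.2.11
```

Redirect the output to a file and check it with `nft -c -f <file>` before loading it with `nft -f <file>`. Other ports are left to the host's existing policy.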