AnsweredAssumed Answered

RSA SecurID Authentication - REST API

Question asked by Jimmy Tran on Jul 5, 2017
Latest reply on Jul 17, 2017 by Piers Bowness

Like • Show 0 Likes0
Comment • 3

Hi,

I'm looking to implement RSA authentication using the REST API. I was able to make the call against AM but it's returning back with -

"credentialValidationResults":[{"methodId":"SECURID","methodResponseCode":"FAIL","methodReasonCode":"VERIFY_ERROR","authnAttributes":[]}],"attemptResponseCode":"FAIL","attemptReasonCode":"VERIFY_ERROR","challengeMethods":{"challenges":[]}

I'm pretty certain I'm putting in the correct subjectId (username) and the generated token after I entered in my PIN. I looked through the PDF documentation but couldn't find anything related to this error.

Any idea?

Thanks

Jimmy Tran Jul 6, 2017 3:34 PM

Correct Answer

Thanks Ted. Unfortunately, I did not have access to those logs. I had to get my systems team involved in the troubleshooting process. We were able to resolve it with tech support help. The issue was related to the clientId field, it had to have FQDN.

See the reply in context

No one else had this question

Outcomes

Ted Barbour

Jul 6, 2017 3:14 PM

Hi Jimmy Tran - did you check for authentication activity messages at the Authentication Manager?

Also, for troubleshooting purposes you might enable the user you are testing with to use a simple fixed passcode. This would help ensure you are correctly providing a valid passcode.

1 person found this helpful

Actions

Jimmy Tran @ Ted Barbour on Jul 6, 2017 3:34 PM

1 person found this helpful

Actions

Piers Bowness

@ Jimmy Tran on Jul 17, 2017 6:44 PM

You are correct, the "clientId" must be a named agent in the database as outlined in the RSA SecurID Authentication API Developer's Guide.

Just to clarify, although the "clientId" has to contain an agent name, it is not required to contain the FQDN of the agent. The client calling the API may choose to provide a logical name like "VPN Cluster Node" instead and use that logical name on all appropriate client systems. Agents are no longer required to have an IP address and can be a "logical" agent for access control purposes.

Actions

3 Replies

Ted Barbour Jul 6, 2017 3:14 PM
Mark Correct
Correct Answer
Hi Jimmy Tran - did you check for authentication activity messages at the Authentication Manager?
Also, for troubleshooting purposes you might enable the user you are testing with to use a simple fixed passcode. This would help ensure you are correctly providing a valid passcode.
1 person found this helpful
Like • Show 1 Like1
Actions
- Jimmy Tran @ Ted Barbour on Jul 6, 2017 3:34 PM
  Unmark Correct
  Correct Answer
  Thanks Ted. Unfortunately, I did not have access to those logs. I had to get my systems team involved in the troubleshooting process. We were able to resolve it with tech support help. The issue was related to the clientId field, it had to have FQDN.
  1 person found this helpful
  Like • Show 1 Like1
  Actions
  - Piers Bowness @ Jimmy Tran on Jul 17, 2017 6:44 PM
    Mark Correct
    Correct Answer
    You are correct, the "clientId" must be a named agent in the database as outlined in the RSA SecurID Authentication API Developer's Guide.
    
    Just to clarify, although the "clientId" has to contain an agent name, it is not required to contain the FQDN of the agent. The client calling the API may choose to provide a logical name like "VPN Cluster Node" instead and use that logical name on all appropriate client systems. Agents are no longer required to have an IP address and can be a "logical" agent for access control purposes.
    Like • Show 0 Likes0
    Actions

RSA SecurID Authentication - REST API

Outcomes

Related Content

Recommended Content