AnsweredAssumed Answered

Offline Data for Aliased User

Question asked by Michael Tougas on Jan 22, 2019
Latest reply on Jan 22, 2019 by Jay Guillette

Like • Show 0 Likes0
Comment • 7

I have setup aliased accounts for our admins that have both a user account and an administrator account so that they only require one hardware token. I noticed that the Offline days never refresh for the aliased account. Is there a way to make this refresh or will that aliased account be forced to be 'online only' once the days expire?

While watching the authentication monitor I can see that when logging on as the aliased account (the admin) it is authenticated with the account with the token assigned (the user). A few seconds later a second request is made for Offline Authentication Data, this request is made using the aliased account name and fails. The error log shows that it is an "INVALID_PROOF"

Jay Guillette

Jan 22, 2019 4:47 PM

Correct Answer

This won't work.

The alias is not a real UserID, it's an alias for the real UserID, therefore the Offline Policy only applies to the real UserID, therefore the real UserID is the only UserId that exists in AM and the only UserID that can have offline days.

So if you really need someone to have offline days, they need their own token.

The alias use case only covers sharing a token between two UserIDs (that are the same person), and does not allow two sets of essentially the same offline day files.

See the reply in context

No one else had this question

Outcomes

Erica Chalfin

Jan 22, 2019 3:15 PM

Michael Tougas,

What version of the RSA Authentication Agent you are using?

Please also review 000032860 - Offline days not refreshing on RSA Authentication Agent 7.3.3 [99] for Windows with RSA Authentication Manager 8.x and review the messages in the referenced logs.

If you are not on the latest agent build, please get the latest version from the RSA Authentication Agent 7.4.2 Downloads for Microsoft Windows page and install it as a test.

Regards,

Erica

Actions

Jay Guillette

Jan 22, 2019 4:47 PM

This won't work.

So if you really need someone to have offline days, they need their own token.

The alias use case only covers sharing a token between two UserIDs (that are the same person), and does not allow two sets of essentially the same offline day files.

1 person found this helpful

Actions

Michael Tougas @ Jay Guillette on Jan 22, 2019 4:53 PM

Is there another way for a single user to utilize 1 token for two accounts (user and admin) that allows the correct functionality of offline days?

Actions

Jay Guillette

@ Michael Tougas on Jan 22, 2019 4:59 PM

Maybe with MFA Cloud based tokens, but you'll need to request Cloud access and deploy an Identity Router, IDR, and configure all all your access policies. But not with a single 2FA token from Authentication Manager, they are not designed to be shared, they are designed to be securely separate.

Actions

Jay Guillette

@ Jay Guillette on Jan 22, 2019 5:01 PM

And you'll need to wait for the new Cloud based Windows agent

Actions

Michael Tougas @ Jay Guillette on Jan 22, 2019 5:06 PM

Cloud based tokens are not possible in our environment. Thank you for the help.

Actions

Jay Guillette

Jan 22, 2019 5:31 PM

Sorry. You could try an RFE, request for Enhancement to Authentication Manager, either by opening a Support case or logging an idea at

RSA Ideas for RSA SecurID Access

or voting for the existing idea "allowing multiple IS (Identity Source) users to have a single token assigned" as that sounds close to what you are looking for

allowing multiple IS (Identity Source) users to have a single token assigned

Actions

7 Replies

Erica Chalfin Jan 22, 2019 3:15 PM
Mark Correct
Correct Answer
Michael Tougas,

What version of the RSA Authentication Agent you are using?

Please also review 000032860 - Offline days not refreshing on RSA Authentication Agent 7.3.3 [99] for Windows with RSA Authentication Manager 8.x and review the messages in the referenced logs.

If you are not on the latest agent build, please get the latest version from the RSA Authentication Agent 7.4.2 Downloads for Microsoft Windows page and install it as a test.

Regards,
Erica
Like • Show 0 Likes0
Actions
Jay Guillette Jan 22, 2019 4:47 PM
Unmark Correct
Correct Answer
This won't work.
The alias is not a real UserID, it's an alias for the real UserID, therefore the Offline Policy only applies to the real UserID, therefore the real UserID is the only UserId that exists in AM and the only UserID that can have offline days.
So if you really need someone to have offline days, they need their own token.
The alias use case only covers sharing a token between two UserIDs (that are the same person), and does not allow two sets of essentially the same offline day files.
1 person found this helpful
Like • Show 1 Like1
Actions
- Michael Tougas @ Jay Guillette on Jan 22, 2019 4:53 PM
  Mark Correct
  Correct Answer
  Is there another way for a single user to utilize 1 token for two accounts (user and admin) that allows the correct functionality of offline days?
  Like • Show 0 Likes0
  Actions
  - Jay Guillette @ Michael Tougas on Jan 22, 2019 4:59 PM
    Mark Correct
    Correct Answer
    Maybe with MFA Cloud based tokens, but you'll need to request Cloud access and deploy an Identity Router, IDR, and configure all all your access policies. But not with a single 2FA token from Authentication Manager, they are not designed to be shared, they are designed to be securely separate.
    Like • Show 0 Likes0
    Actions
    - Jay Guillette @ Jay Guillette on Jan 22, 2019 5:01 PM
      Mark Correct
      Correct Answer
      And you'll need to wait for the new Cloud based Windows agent
      Like • Show 0 Likes0
      Actions
    - Michael Tougas @ Jay Guillette on Jan 22, 2019 5:06 PM
      Mark Correct
      Correct Answer
      Cloud based tokens are not possible in our environment. Thank you for the help.
      Like • Show 0 Likes0
      Actions
Jay Guillette Jan 22, 2019 5:31 PM
Mark Correct
Correct Answer
Sorry. You could try an RFE, request for Enhancement to Authentication Manager, either by opening a Support case or logging an idea at
RSA Ideas for RSA SecurID Access
or voting for the existing idea "allowing multiple IS (Identity Source) users to have a single token assigned" as that sounds close to what you are looking for
allowing multiple IS (Identity Source) users to have a single token assigned
Like • Show 0 Likes0
Actions

Offline Data for Aliased User

Outcomes

Related Content

Recommended Content