How can we provide an On-Demand PIN for a select 10-50 users? As we can see, Enable Users lists all the users in alphabetical order, and there are no criteria to search for a particular few users to provide ODA.
AMBA is included with AM 8.2 and later, but it does require an enterprise license. Full documentation of AMBA functions and features, command line syntax, and sample AMBA scripts is available here (part of the standard RSA documentation set for Authentication Manager): RSA Authentication Manager 8.4 Bulk Administration Utility (AMBA) Guide
Are you using Security Domains to scope administrative data?
You could move the users to a sub-Security Domain and use the Security Domain filter to just select the users that are trying On-Demand. AM allows the administrator to create a Security Domain hierarchy.
There are currently four user attributes that can be used to filter search results. I would be interested to hear which other attributes would be useful.
Of course, I would also recommend you take a look at the RSA SecurID Access Cloud Authentication Service. This provides a policy-driven, multi-factor, cloud-based authentication service (including SMS OTP) and integrates with your on-premises RSA SecurID Authentication Manager.
Hi Piers,
Can you help me solve an error message that appears when replacing an existing hard token with a soft token in the RSA Self-Service Portal, when the Replace Token button is clicked?
The error message is "Error message From Server Details-> Original token already have an replacement soft token"
We tried a different browser and cleared cookies, which worked for a few users, but I hope that's not the solution; a few users still get the same error message.
Can you please advise on a permanent solution to the issue?
I came across a thread from April (https://community.rsa.com/message/932057) where another customer reported a similar error of original token XXXXXXXXXX already has a replacement token.
The TSE's response was that the customer needs to open a case with RSA Customer Support, and "specifically ask for the remedy in AM-29999. It will be some SQL deletes, but we need to mine your database for the possibility of more offending tokens you have not run into yet."
Regards,
Erica
Hi Erica,
Thanks for your prompt reply.
We have also checked whether there was any token replacement request already in place when replacing a soft token, but there were none in the RSA Console.
Temporarily, we had to reset the user profile and then tried the replacement, and it worked, but that was not advisable just for assigning a token; a reset won't work for other users facing the same issue.
Raja,
Do you know if you use AMIS or AM Prime with Authentication Manager?
If a token had been assigned a replacement token, you should be able to see that replacement token in the Security Console, but as Erica pointed out, there was another forum question (and a related Support case) about this particular problem, and we had to look in the internal postgres database to see the 'partially' assigned replacement token serial number. This should not have happened; the suspicion is that some integrity check was lacking, either in a custom admin API application or in an older version of AMIS, the Authentication Manager Integration Service that RSA Professional Services wrote to extend the capabilities of Authentication Manager.
You can use the Authentication Manager Bulk Admin EODA command on the command line and input a .csv file with user IDs and PINs:
Enable OnDemand Authentication
This command enables an OnDemand Authenticator for a principal. A PIN may be
assigned or system generated. Some field names are duplicates of field names used for
token management but may have slightly different usage. Consult this guide and the
RSA Authentication Manager Help for the correct definition of ODA command fields.
Results are written to the AMBA results file. Use the CRFN command to change the
results file path and name.
Optional Fields: IdentitySource, SecurityDomain, InstanceName, PinMode*, ExpiryDate, DeliveryMethod, DestinationAddress*, TemplateFile, OutputOption
* These fields are ignored when PINIndicator is set to GENERATE_PIN.