Implementing Risk-Based Authentication
Complete the following tasks to implement risk-based authentication (RBA).
Before you begin
Choose a backup authentication method so that users can continue to access network resources if Authentication Manager is unavailable or user authentication is unsuccessful. See Backup Authentication Method for Risk-Based Authentication.
Procedure
- Update the Domain Name System (DNS) with entries for Authentication Manager. For instructions, see Planning for Domain Name System Updates.
- Specify the RBA policy for your deployment integration. For instructions, see Add a Risk-Based Authentication Policy.
- Ensure high availability for RBA. See Backup Authentication Method for Risk-Based Authentication.
- Obtain the RSA Authentication Agent software or third-party product. See RSA Authentication Agents.
- Deploy the RSA Authentication Agent software or third-party product. See Deploying an Authentication Agent that Uses the UDP Protocol.
- Use the implementation guide that you downloaded when you obtained the agent to configure your agent to pass authentication requests to and from Authentication Manager.
- Test the RBA integration. See Testing Your Risk-Based Authentication Integration.
Backup Authentication Method for Risk-Based Authentication
RSA recommends that you set up a replicated deployment of Authentication Manager. A replica instance ensures high availability for risk-based authentication (RBA). If you do not use a replica instance, configure your web-based application to use a backup authentication method. A backup authentication method allows users to continue accessing network resources if Authentication Manager becomes unavailable or user authentication is unsuccessful.
When RBA is configured for your web-based application, Authentication Manager authenticates the user using the directory server and internal database in your environment. To ensure an effective backup method, plan to revert the authentication configuration of the web-based application so that it authenticates users directly using the directory server.
The backup method that you use depends on your web-based application and the other products in your environment that are involved in user authentication workflow. Consider the following methods:
- Use the original logon page for your web-based application.
  Redirect users to the original logon page, or replace the modified logon page with the original version.
- Using your web-based application, create a backup method that is specific to the user population that uses RBA.
  Change the authentication workflow only for the user population, group, or domain that uses RBA.
- Using your web-based application, create a backup method that is specific to the network resource that you are protecting with RBA.
  Change the profile or policy for the network resource that you are protecting with RBA.
For more information, see your agent documentation.
Install the RBA Integration Script Template
If the RBA integration script template that you downloaded from https://www.rsa.com/en-us/products-services/identity-access-management/securid/authentication-agents is newer than the integration script template that is installed in Authentication Manager, use the newer one. You must perform this procedure to find the version number in your deployment. The version number is located in the integration script template header, for example, <Version>1.0</Version>.
Before you begin
If you want to use SSH, enable SSH connectivity on the Authentication Manager appliance. For instructions, see Enable Secure Shell on the Appliance.
Procedure
1. Using an SSH client or an SCP client, log on to the appliance using the operating system account User ID rsaadmin and password.
2. Copy the downloaded integration script template to the /opt/rsa/am/utils/rba-agents directory on the appliance.
   Wait a few minutes for Authentication Manager to refresh the list of integration script templates.
3. Verify that the version number in the header of the generated integration script (.js file) is the same as the version number in the header of the downloaded integration script template (.xml file). For example, look for <Version>1.0</Version> near the top of the generated .js file or the .xml template.
4. Repeat step 1 through step 3 for each agent.
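The version check in step 3, and the newer-template comparison described at the top of this section, can be scripted. The following is an added shell example, not RSA tooling; it assumes dotted numeric versions such as 1.0, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not RSA tooling. Function names and sample files are constructed.

# Print the first <Version>x.y</Version> value in a file (assumes dotted numeric versions).
rba_version() {
    [ -r "$1" ] || return 2
    v=$(sed -n 's/.*<Version>[[:space:]]*\([0-9][0-9.]*\)[[:space:]]*<\/Version>.*/\1/p' "$1" | head -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Compare dotted versions numerically, so 1.10 is newer than 1.9.
# Prints newer, older or same for $1 relative to $2.
rba_version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) { print "newer"; exit }
            if (x[i] + 0 < y[i] + 0) { print "older"; exit }
        }
        print "same"
    }'
}

# Step 3: the generated .js and the downloaded .xml must carry the same version.
# Returns 0 on match, 1 on mismatch, 2 if either file has no readable header.
rba_versions_match() {
    t=$(rba_version "$1") || { echo "no <Version> in $1" >&2; return 2; }
    g=$(rba_version "$2") || { echo "no <Version> in $2" >&2; return 2; }
    [ "$(rba_version_cmp "$t" "$g")" = "same" ]
}

# Constructed sample files so the check runs offline. The XML declaration's
# lowercase version="1.0" attribute must not be mistaken for the header tag.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
tpl="$demo/downloaded.xml"; js="$demo/generated.js"
printf '<?xml version="1.0"?>\n<Template>\n<Version>1.1</Version>\n</Template>\n' > "$tpl"
printf '// <Version>1.0</Version>\nfunction sample() {}\n' > "$js"

if rba_versions_match "$tpl" "$js"; then
    echo "match: generated script is current"
else
    echo "mismatch: template $(rba_version "$tpl"), generated script $(rba_version "$js")"
fi
```

A mismatch right after copying the template usually means Authentication Manager has not yet refreshed its template list, so rerun the check after the wait described in step 2.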
After you finish