This guide helps you quickly set up your production deployment for the Cloud Authentication Service and add authentication for a SAML 2.0 application, third-party SSO solution, or Microsoft Azure Active Directory. Use this guide with the Planning Guide. If you have completed a deployment with another Quick Setup Guide and want to set up the deployment described in this guide, skip the steps that you have already completed.
Step 2: Deploy the Identity Router
Step 3: Connect LDAP Directory
Note: If you are deploying an identity router that is embedded in RSA Authentication Manager 8.5 or later, see Configure an Embedded Identity Router for instructions.
There are a few things you need to plan to deploy your system.
Item | Description |
---|---|
Sign-in credentials to the Cloud Administration Console |
Sign-in credentials are emailed to you after you request an environment from RSA Sales or your partner or complete the trial form. Be sure that the email address that you provide to RSA is for a real user in your LDAP directory and not, for example, a group alias or general account. For browser requirements, see Supported Browsers for the Cloud Administration Console. |
Virtual appliance infrastructure Required only for identity router deployment on-premises in a VMware or Hyper-V environment |
Hardware requirements for image file:
For additional guidance, see Network Interface Requirements and Recommendations. Software requirements:
|
Amazon Web Services (AWS) account Required only for identity router deployment in an Amazon Web Services cloud environment Note: To deploy an identity router in the Amazon cloud, you must be familiar with the following concepts as they relate to AWS: |
Amazon Virtual Server Instance hardware requirements:
AWS cloud environment requirements:
|
Microsoft Active Directory 2008 or 2012 or LDAPv3 directory server |
Create a group of a limited number of users (for example, RSA SecurID Access Test Group) to synch and test with. |
SSL/TLS certificate from your LDAP directory server |
Used for an encrypted connection (LDAPS) to your directory server. Download the SSL/TLS certificate from your directory server. If your directory server does not have a certificate, install one. |
A mobile device or Windows PC |
|
RSA SecurID Access uses a hybrid architecture that consists of two components:
The Cloud Authentication Service is a cloud service that provides an easy-to-use Cloud Administration Console and powerful identity assurance engine.
The identity router is a virtual appliance that securely connects your on-premises resources, such as Active Directory, to the Cloud Authentication Service. You can deploy the identity router in your on-premises VMware or Hyper-V environment, or in the Amazon Web Services (AWS) cloud.
Note: After an identity router is registered in a deployment, it cannot be reused in another deployment. For example, suppose you registered an identity router with Company A for a trial deployment, and you want to use the same identity router with Company A in a production deployment. You must add a new identity router (virtual machine) to the production deployment.
Relying party deployments support both standalone and embedded identity routers. For details on planning network interfaces, see Identity Router Network Interfaces and Default Ports.
In all deployments with AWS, the identity router has one network interface to which you assign public and private IP addresses and connect other network resources from the internet or your private network.
Add your values to the following worksheet. You will use this information in the next section and during setup.
Item |
Your Values |
---|---|
Cloud Administration Console and Cloud Authentication Service |
Your authentication service domain appears in the Cloud Administration Console on the Platform > Identity Router > Registration page when you add an identity router. For instructions on checking the status of your Cloud connections, see View Identity Router Status in the Cloud Administration Console. To test access to the IP addresses, see Test Access to Cloud Authentication Service. |
LDAP directory server
|
|
DNS servers IP addresses |
|
NTP server IP address | |
Required only for VMware and Hyper-V identity router deployments: | |
Identity router management interface (private, required for all deployments)
|
|
Identity router portal interface (public, required for SSO Agent deployments with on-premises identity router)
|
|
Required only for Amazon Web Services identity router deployments: | |
Identity router
Note: For identity routers in AWS, netmask and gateway information is obtained automatically during instance launch, according to the VPC subnet settings. |
|
AWS environment configuration details
|
Replace the values in the table below with your values from the table above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules for your network. If you deploy the identity router in the Amazon cloud, the route tables, security groups, and network ACLs in your AWS environment must also allow these connections. Update your connectivity settings before continuing with the next step.
Source |
Destination | Protocol and Port | Purpose |
---|---|---|---|
0.0.0.0/0
|
Both Cloud Authentication Service environments |
TCP 443 |
External user access to Cloud Authentication Service |
< Your administrators>
|
For on-premises identity routers:
For identity routers in the Amazon cloud: |
On-premises (two network interfaces): TCP 443 One network interface or Amazon: TCP 9786 |
Identity Router Setup Console |
For on-premises identity routers (one network interface): <Your identity router management interface IP address> For on-premises identity routers (two network interfaces): <Your identity router portal interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address> |
Cloud Administration Console and both Cloud Authentication Service environments Note: If your company uses URL filtering, be sure that *.access.securid.com, *.auth.securid.com, and the Cloud Authentication Service IP addresses for your region are whitelisted. Also, confirm that you can access both environments. For instructions, see Test Access to Cloud Authentication Service. |
TCP 443 | Identity router registration |
For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address> |
<Your LDAP directory server IP address> |
TCP 636 |
LDAP directory user authentication and authorization |
For on-premises identity routers: <Your identity router portal interface IP address or identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address> |
<Your DNS server IP address>
|
UDP 53 | DNS |
For on-premises identity routers: <Your identity router portal interface IP address or identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address> |
<Your NTP server IP address> | UDP 123 | Network time server synchronization |
<Your administrator computer>
|
For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address> |
TCP 22 |
(Optional) SSH for troubleshooting |
Perform these steps to set up an identity router quickly using only required settings. If you want to use advanced configuration options, see Deploying an Identity Router - Advanced Setup.
Procedure
On the Identity Routers page, click Add an Identity Router, and follow the instructions.
Under Registration Details, copy the Registration Code and Authentication Service Domain to a location where you can access them later on.
You can install the virtual appliance image using a VMware administration client such as vSphere, by either connecting to the VMware vCenter Server, or connecting directly to the VMware ESXi host.
Or you can use Hyper-V Manager or Amazon Web Services EC2 to create a virtual machine for the identity router.
Procedure
Do one of the following:
To use VMware, sign into the VMware client, do the following:
Follow the VMware client documentation to install the virtual appliance from the image. When prompted, enter the following data:
If you are deploying the identity router with a single network interface, then delete the second network interface.
Power on the virtual machine.
To use Hyper-V Manager, sign into Hyper-V Manager, and do the following:
Follow the wizard. In each dialog box, provide the following information.
Dialog Box | Required Information |
---|---|
Specify Name and Location | Name of the identity router virtual machine. |
Specify Generation | Select Generation 1. |
Assign Memory | Startup memory = 8192 MB (recommended). |
Configure Networking | Select the network for the management network adaptor. |
Connect Virtual Hard Disk | Select Use an existing virtual hard disk and browse to the location where the identity router VHD image is available. |
Completing the New Virtual Machine Wizard | Review and click Finish. |
To configure the second network, select the new virtual machine, right-click, and select Settings .
On the Add Hardware page, select Network Adapter and click Add.
Select the network for your portal interface, then click Apply and OK.
Select the new virtual machine from the list of virtual machines. Right-click and select Start.
With the virtual machine selected, right-click again and select Connect.
Setting | Description |
---|---|
AMI template | The AMI template image provided by RSA. |
Instance type | Determines presets for the virtual instance. The identity router requires a t2.large instance or greater. |
Virtual Private Cloud (VPC) | The section of your Amazon environment where you will deploy the identity router. |
Subnet | A subnetwork within your VPC where you will deploy the identity router. The subnet can be either public or private, depending on how resources and users will connect to the identity router. |
Auto-assign Public IP | Determines whether Amazon issues dynamic public IP addresses for the identity router, or the IP address is determined by the subnet settings. If your organization manages its own DNS service, RSA recommends allocating a persistent Elastic IP address through Amazon Web Services, and assigning it to the identity router instance after you complete the launch process. |
Storage | Virtual storage space. The identity router requires 54 GB General Purpose SSD (GP2) storage. |
Tags | Optional labels that describe this identity router. RSA recommends adding a tag specifying the Fully Qualified Domain Name, which acts as a unique identifier to differentiate this identity router from others in your deployment. |
Security groups | Firewall rules that control traffic to and from the identity router. Add security groups that allow necessary traffic from other network resources according to your deployment model. |
You use the Identity Router VM Console to configure IP addresses and static routes for on-premises identity routers deployed in your VMware or Hyper-V environment.
Note: This procedure is not required for identity routers in the Amazon Web Services cloud.
Procedure
Username: idradmin
Password: s1mp13
You are prompted to change these credentials the first time you sign in.
Refer to the planning worksheet for the values to complete the Management sections.
Use the Up and Down arrows to navigate the main menu. Press Enter to select a menu option or configure its settings. Use Tab and Shift + Tab to navigate between settings and back to the main menu. When the cursor is in the settings panel, press F10 to save or Esc to revert. Press F10 after you complete each section to save your values.
Write down the URL that appears.
Procedure
Sign into the Identity Router Setup Console:
Username: idradmin
Password: s1mp13
You are prompted to change these credentials the first time you sign in.
Note: These DNS server settings do not apply for identity routers in the Amazon cloud. Edit the DHCP option set in your Amazon Web Services environment if you need to add DNS servers for an Amazon cloud-based identity router.
If you enabled two network interfaces in the Identity Router VM Console, update the IDR Portal Interface Information section with appropriate details.
Click Update IDR Setup Configuration.
Click Connect Administration Console.
In the Registration Code field, enter the Registration Code displayed when you added the identity router in the Cloud Administration Console.
In the Authentication Service Domain field, enter the Authentication Service Domain displayed when you added the identity router in the Cloud Administration Console.
A confirmation message appears when the identity router is connected to the Cloud Administration Console. Also, note that the Identity Router Setup Console contains other pages that provide network diagnostics and detailed logs for the identity router.
Sign into the Cloud Administration Console to check the status of the identity router (Platform > Identity Routers).
When the identity router is connected to the Cloud Administration Console, the status reads Active. This process usually takes up to five minutes.
In the Cloud Administration Console, click Publish Changes to apply the configuration settings for the new identity router.
Perform these steps to connect to an LDAP directory quickly using only required settings. If you want to use advanced options, see Add an Identity Source.
Procedure
Select Use selected policy attributes with the Cloud Authentication Service.
In the Policies column, select sAMAccountName, virtualGroups, and memberOf or other attributes that you might use to identify users.
In the User Search Filter field, specify your test group using a filter. The following is an Active Directory example:
(&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf=<yourgroup_distinguishedName>))
Where <yourgroup_distinguishedName> is the name of your test administrator group.
For example, (&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf=CN=SecurIDAccessUsers,OU=Groups,DC=Corp,DC=local))
Synchronize data between the Cloud Authentication Service and your LDAP directory to ensure that the Cloud Authentication Service reflects any updates made to the LDAP directory.
During synchronization, users are added and attribute values that you selected in the previous step are copied to the Cloud Authentication Service. User passwords are not synchronized.
Procedure
In the Identity Source Details section, click Synchronize Now.
Depending on the number of users you are synching, this process can take a number of minutes.
Create an access policy that you will assign to RSA SecurID Access My Page (a web portal used for authenticator registration) when you configure it. For simplicity, this access policy will not require additional authentication of users. You can change this policy in the future.
Perform these steps to add a policy using only required settings. If you want to set up a more complex policy, see Add an Access Policy.
Procedure
On the Rule Sets page, do the following:
Click Save and Finish.
RSA SecurID Access My Page is a web portal that helps provide a secure way for users to complete authenticator registration. Perform these steps to enable My Page for your company. If you want to configure advanced settings for My Page, see Manage My Page.
Procedure
Enable My Page.
In the Primary Authentication Method drop-down list, select the authentication method to use.
In the Access Policy for Additional Authentication drop-down list, select the No Additional Authentication policy that you created earlier.
Configure a SAML 2.0 application or third-party SSO solution to be protected by RSA SecurID Access. In the configuration wizard, select the preconfigured policy All Users Low Assurance Level as the access policy.
For example, you can protect Workday, ServiceNow, and Microsoft Office 365. For instructions, see the following:
For instructions for all supported applications, see the RSA SecurID Access category on RSA Ready.
Perform these steps to quickly register a device. For additional information, see Registering Devices with RSA SecurID Authenticate App.
Procedure
On one device (for example, your computer), do the following:
Enter your email address.
Enter your RSA SecurID passcode or password, depending on what you configured.
Complete any additional authentication that you are prompted for.
Click RSA SecurID Authenticate app >Get Started.
On another device ( iOS, Android, or Windows 10 ), download the RSA SecurID Authenticate app:
On your computer, on the Registration page, click Next.
On your mobile device, do the following:
Open the RSA SecurID Authenticate app.
Tap Allow to allow the Authenticate app to send notifications.
Allow or deny Google Analytics data collection. You can select either option to use the Authenticate app.
Accept the license agreement.
Tap Scan QR Code.
Allow the app to access your camera.
Scan the QR code that displays in My Page.
Tap OK after setup is complete.
Swipe through the tutorial.
The app home screen appears, and the app is ready for use.
On your computer, on the Registration page, click Test Now.
RSA SecurID Access sends a notification to your registered device.
On your mobile device, tap the notification and approve it.
The My Page home screen displays. You have successfully registered and tested your device.
Procedure
Start the sign-in process to the protected resource.
RSA SecurID Access sends a notification to your phone.
Tap Approve on your mobile device.
Select Remember this browser, and click Continue.
You are signed into the resource.
Quick Setup Guide RP HTML