Connect Authentication Manager to the Cloud Authentication Service
You can easily deploy and manage multifactor authentication methods for your Authentication Manager users. These users will be able to access agent-protected resources using the SecurID App/SecurID Authenticator on their registered devices. You do not need to replace or update your existing agents or RSA Ready products.
You can use the Authentication Manager Security Console to seamlessly connect Authentication Manager to the Cloud Authentication Service, and to invite users to download the SecurID App/SecurID Authenticator and register their devices using the cloud-based RSA My Page. After users complete registration, use the Security Console User Dashboard to monitor users' authentication activity and perform other user management tasks, such as enabling and disabling users and deleting registered authenticators. To configure the connection, perform these steps:
Step 1: Prepare the Cloud Authentication Service Environment
Step 2: Set User Expectations for Device Registration and Authentication
Note: If you upgraded Authentication Manager to version 8.7 SP1 and your deployment was connected to the Cloud Authentication Service before you upgraded to version 8.5, you must re-connect in order to use some features, such as the embedded identity router and High Availability OTPs. To re-establish your connection, see Edit the Cloud Authentication Service Connection.
To learn about the authentication flow, see How Authentication Manager Works with the Cloud Authentication Service.
For additional information, see Manage Users in the Security Console.
Note: To view this page as a PDF, click Actions > View as PDF.
Step 1: Prepare the Cloud Authentication Service EnvironmentStep 1: Prepare the Cloud Authentication Service Environment
Before you connect Authentication Manager to the Cloud Authentication Service, complete the following steps to ensure that your Cloud Authentication Service deployment is ready.
Get Sign-In Credentials for the Cloud Administration Console
Configure an Access Policy to Protect Your Sensitive Resources
Enable My Page and Select an Access Policy to Protect My Page
Get Sign-In Credentials for the Cloud Administration ConsoleGet Sign-In Credentials for the Cloud Administration Console
Your organization must have a Cloud Authentication Service account. If you do not already have an account, contact your RSA Sales representative at 1 800 995-5095 and choose Option 1.
Deploy the Cloud Authentication ServiceDeploy the Cloud Authentication Service
You must deploy at least one identity router:
- If you are using Hyper-V, VMware, or Amazon Web Services to deploy identity routers in your on-premises network or in the Amazon Web Services cloud, see the following instructions:
- The appropriate Quick Setup Guide:
Quick Setup Guide for RADIUS Clients
Quick Setup Guide for SAML Applications and Third-Party SSO
Note: You do not need to enable RADIUS or single sign-on to connect Authentication Manager to the Cloud Authentication Service.
- If you are deploying an embedded identity router in Authentication Manager, you use a different procedure to connect to the Cloud Authentication Service and deploy the identity router. For instructions, see Configure an Embedded Identity Router.
After you deploy an identity router, the Cloud Authentication Service synchronizes users. Make sure your Authentication Manager users are synchronized from external identity sources that are also synchronized to the Cloud Authentication Service.
Note: New users created in the Authentication Manager internal database, who have never had an assigned hardware or software authenticator, are not supported for Approve, Device Biometrics, or Authenticate OTP authentication.
Configure an Access Policy to Protect Your Sensitive ResourcesConfigure an Access Policy to Protect Your Sensitive Resources
An access policy determines which users can access your agent-protected resources and which authentication methods they are required to use. This access policy controls access for all users who authenticate using the new connection. You can configure the policy to allow access to only selected users who meet certain criteria, or to allow all users. For example, you can restrict access only to users who use a certain network or who work in certain departments. For more information, see Access Policies and Add an Access Policy.
If you are using RSA Authentication Manager 8.5 or later with REST protocol authentication agents, such as RSA Authentication Agent 8.0 or later for PAM, MFA Agent 2.0 or later for Microsoft Windows, and RSA Authentication Agent 2.0 or later for Microsoft AD FS, you can configure Authentication Manager as a proxy server. Authentication Manager always validates SecurID OTPs and on-demand authentication, but sends other multifactor authentication requests directly to the Cloud Authentication Service. With this configuration, assurance levels must contain one of your licensed authentication methods. The assurance level must be specified in the access policy you plan to use.
If your authentication agents use the UDP protocol, or if you are using Authentication Manager 8.4 with Patch 4 or later, and not using RSA Authentication Manager 8.5 or later as a secure proxy server, confirm that your Cloud Authentication Service deployment meets these criteria:
At least one assurance level must contain Authenticate OTP, Approve authentication, or Device Biometrics. For information, see Assurance Levels.
If a user device does not support Device Biometrics, then the user is prompted for Approve authentication if it is allowed by the assurance level.
Authentication Manager does not support assurance levels that combine two forms of authentication. For example, the assurance level cannot require both SecurID OTP and Approve, but the assurance level can require only one of those options.
The assurance level must be specified in the access policy you plan to use.
For example, this sample policy allows access to all users who authenticate with Approve and Authenticate OTP, which are configured as low assurance level options, and also Device Biometrics, which is configured as a medium assurance level option.
Note: You can edit settings within the access policy at any time without reconfiguring the connection. However, if you decide to rename the policy or if you select a different policy at a later date, you must reconnect Authentication Manager to the Cloud Authentication Service.
Enable My Page and Select an Access Policy to Protect My PageEnable My Page and Select an Access Policy to Protect My Page
RSA My Page is a web portal that helps provide a secure way for users to complete device registration and delete their devices (if necessary). By default, My Page is disabled. You must enable it in Access > My Page before users can use My Page. You must also select the primary authentication method and access policy to use for additional authentication for signing into My Page. This policy must meet the following criteria:
Specify an identity source that is configured for both Authentication Manager and the Cloud Authentication Service.
Require an authentication method your Authentication Manager users can provide when they access My Page. For example, LDAP password or SecurID OTP.
For instructions see Manage My Page.
Generate the Registration Code and Registration URLGenerate the Registration Code and Registration URL
In the Cloud Administration Console, generate the Registration Code and Registration URL as described in Connect Authentication Manager to the Cloud Authentication Service. The code is valid for 24 hours. You can either copy this information to a text file now and save it for later, or leave this window open so that you can copy this information when you configure the connection from the wizard-based interface in the Security Console.
Step 2: Set User Expectations for Authenticator Registration and AuthenticationStep 2: Set User Expectations for Authenticator Registration and Authentication
Your SecurID OTP users must learn how to access protected resources using the new authentication methods. You must educate these users to ensure that the onboarding process goes smoothly and that users know exactly what to expect when they register authenticators and authenticate for the first time. You can provide customized instructions to your users in the e-mail template as described in Customize the Cloud Authentication Service Invitation.
What Happens During Authenticator Registration
Users complete authenticator registration with the SecurID App/SecurID Authenticator (on a phone, tablet, or desktop or PC) to authenticate to protected applications.
Authenticator registration binds the authenticator to the user. After registration, when the user needs to authenticate to an application, RSA prompts the user for PIN+Approve, PIN+Device Biometrics, or Authenticate OTP. Users who do not register an authenticator using the SecurID App/SecurID Authenticator are not presented with authentication methods that require the app. For a description of how authenticator registration works and what users experience, see Educating Your Users .
What Happens During Authentication
Users can access agent-protected resources with the following methods:
When Authentication Manager 8.5 or later is configured to act as a proxy server for the Cloud Authentication Service, users can authenticate with the additional methods that are supported by their REST protocol authentication agents. If Authentication Manager cannot communicate with the Cloud Authentication Service, users are prompted for Authenticate OTP.
Users can access agent-protected resources with multifactor authentication using the methods specified by the access policy. They are prompted to authenticate with a method that is based upon their assurance level. For more information, see How Assurance Levels Are Used During Authentication.
The first option listed for an assurance level on the Assurance Levels page is presented as the default for each new user when he or she authenticates to an application or client assigned to that assurance level for the first time. A user can select another option at any time, as long as the assigned assurance level or a higher assurance level contains additional options that the user can complete. When a user successfully authenticates with an option, that option becomes the user's default for future authentications for that assurance level.
Approve (Push Notifications)
To use the Approve method, the user attempts to access the application and is prompted to enter a passcode. The user enters the PIN, then taps a button on an Authenticate device. The user can also tap an interactive notification on the device or on an Apple Watch or Android Wear watch paired to the device. The user must respond within one minute. Otherwise, the method times out and is considered a failed authentication.
Note: The PIN required for Approve authentication is different from the PIN that may be required to unlock the Authenticate OTP in the app.
Device Biometrics allows users to authenticate to applications using biometrics available on devices, such as Apple Touch ID or Face ID, Android fingerprint, or Windows Hello. To use Device Biometrics, users must first set up biometrics on their devices. RSA does not force users to do this.
To use Device Biometrics on Windows 10 PCs, Windows Hello must be enabled. Also, keep in mind that users can sign in using a Hello PIN.
To use Device Biometrics, the user attempts to access the application and is prompted to authenticate. The user enters a PIN, and then uses a biometric method to authenticate.
Note: The PIN required for Device Biometrics authentication is different from the PIN that may be required to unlock the Authenticate OTP in the app.
Similar to SecurID OTP, Authenticate OTP employs a one-time, randomly generated number called an OTP. The Authenticate OTP app generates the OTP on a registered device. The OTP, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires. These OTPs display for one minute, but are valid for up to five minutes after they are generated and displayed on a user's device.
A PIN may be required to unlock Authenticate OTP in the app, but Authenticate OTP does not require a PIN during authentication. This method cannot be used for offline authentication.
Using PINs During the First Approve or Device Biometrics AuthenticationUsing PINs During the First Approve or Device Biometrics Authentication
The following table describes what users must enter during their first authentication using Approve or Device Biometrics.
Note: After the initial Approve or Device Biometrics authentication, a SecurID OTP user can change the PIN used for Approve and Device Biometrics to be different from the SecurID PIN(s). The same PIN must be used for both Approve and Device Biometrics authentication.
|What the User Has||User Action During First Approve or Device Biometrics Authentication|
|One valid SecurID OTP and PIN||
The user enters the SecurID PIN, then taps Approve or authenticates with Device Biometrics.
|Multiple valid SecurID OTPs and PINs||
The user enters one PIN associated with any valid, assigned SecurID OTP , then taps Approve or authenticates with Device Biometrics.
|Valid SecurID OTP and expired PIN||
The user enters the expired PIN and is prompted to change the PIN, then taps Approve or authenticates with Device Biometrics. Or the user can reset the SecurID PIN before device registration, then use that SecurID PIN during device registration.
The new PIN applies to Approve and Device Biometrics authentication. To use the SecurID OTP, the user must create a new PIN for the OTP.
|No valid SecurID OTP or PINs (for example, SecurID OTP expired)||
The user enters the Authenticate OTP from his or her registered device, then taps Approve or authenticates with Device Biometrics and is prompted to create a PIN.
|Valid PIN for on-demand authentication (ODA)||
The user enters the PIN and is issued OTPs because ODA has priority over other types of authentication.
You can run a command line utility to prioritize Approve authentication and Device Biometrics authentication for these ODA users. For instructions, see Prioritize Approve and Device Biometrics Authentication for On-Demand Authentication Users.
Note: It is important to tell your users that, in all cases, the PIN they enter during the first Approve or Device Biometrics authentication will be required in future Approve or Device Biometrics authentications.
License Impact for High Availability OTP
Authentication Manager 8.5 or later allows Authenticate OTP authentication to continue when the Cloud Authentication Service or the connection is temporarily unavailable or too slow. Users who authenticate with other methods that are supported by the Authenticate app, such as Approve and Device Biometrics, are prompted for Authenticate OTP.
If High Availability OTP is configured, OTP records are created for each user who registered the Authenticate app with the Cloud Authentication Service. The license count increases by one for any Authenticator app user who does not currently have an assigned authenticator in Authentication Manager. Make sure that your Authentication Manager license supports any additional users that are required
Support for Users Prior to Authentication Manager 8.4 Patch 4
After you connect Authentication Manager 8.4 Patch 4 or later to the Cloud Authentication Service, users who installed the SecurID App/SecurID Authenticator and registered devices with the Cloud Authentication Service prior to Patch 4 can use Approve authentication if allowed by the access policy. After Patch 4 is applied, these users can also use Device Biometrics authentication if allowed by the access policy. Patch 4 or later allows you to manage these existing users in the Security Console User Dashboard.
Step 3: Connect to the Cloud Authentication ServiceStep 3: Connect to the Cloud Authentication Service
The easiest way to connect Authentication Manager to the Cloud Authentication Service is by starting the wizard from the Security Console Home page. After you finish, invited users will be able to download the SecurID App/SecurID Authenticator, register their devices, and access agent-protected resources.
Authentication Manager connects to the Cloud Authentication Service on port 443. No in-bound connections from the Cloud Authentication Service to Authentication Manager are required.
Before you begin
Confirm that your network infrastructure allows the Authentication Manager server to connect to the Cloud Authentication Service Registration URL. You might need to change your network configuration.
Confirm that all of the primary and replica instances in your deployment can connect to the Cloud Authentication Service IP addresses assigned to your region. See Test Access to Cloud Authentication Service for the list of addresses.
Confirm that the Manage Cloud Authentication Service Users permission is enabled on the General Permissions tab in the Security Console for your Help Desk Administrators. This permission allows these administrators to view and manage Cloud Authentication Service users in the Security Console User Dashboard. For more information, see Edit Permissions for an Administrative Role.
Decide if you want to customize the email template that will be used to invite users to register their devices. You can customize it now or later. For more information, see Customize the Cloud Authentication Service Invitation.
In the Security Console, go to the Home page.
Click Configure the connection.
Verify that you have met the requirements for configuring the connection. Click Next.
- Do the following:
Copy and paste the Registration Code and the Registration URL from the Cloud Administration Console or from a text file into the connection wizard.
- (Optional) If Authentication Manager is behind an external firewall, you can configure an HTTP proxy server. Click Configure a Proxy Connection:
In the Proxy Host field, enter the hostname of the proxy server. For example, example.com. If you have an HTTP proxy server that does not require a certificate, you can enter either a hostname or an IP address.
In the Proxy Port field, enter the port used by the proxy server.
In the Proxy Username field, enter the unique username for the proxy server.
In the Proxy Password field, enter the unique password for your proxy server.
The proxy server information that you enter is used to send telemetry data to RSA. For more information, see Configure the Telemetry Service.
Note: If you are using an HTTPS proxy server, you must configure it later by reconnecting to the Cloud Authentication Service on the Cloud Authentication Service Configuration page in the Security Console. For instructions, see Configure a Proxy Server.
- Keep the Enable Cloud Authentication check box selected, and click Next.
When enabled, all authentication agents that previously required a SecurID OTP will allow users to authenticate using both SecurID OTPs and the SecurID App/SecurID Authenticator. You can manage Cloud users from the Security Console.
After the connection succeeds, keep the window open. Go to the RSA My Page URL. You can register a device and test cloud-based authentication. Return to the Security Console, and click Next.
- You can invite users to download the SecurID App/SecurID Authenticator and register devices. After registration, users can access your protected resources with the supported authentication methods.
To invite users later, click No, Invite users later. The next page displays the procedure for inviting users later.
To invite users now, click Yes, Invite more users.
You can customize the email message that is sent to users. For instructions, see Customize the Cloud Authentication Service Invitation.
Click Close to exit.
After you finish
- If you have not yet invited users to register their devices and authenticate using the SecurID App/SecurID Authenticator, see Send a SecurID Authenticate Invitation to Users.
- You can optionally configure Authentication Manager to act as a secure proxy server that sends authentication requests to the Cloud Authentication Service. This feature supports all authentication methods supported by REST protocol authentication agents, whether verified by Authentication Manager or the Cloud Authentication Service.See SecurID Authentication Manager Secure Proxy Server for the Cloud Authentication Service.
- You can allow SecurID 700 hardware OTP users to authenticate to the Cloud Authentication Service. See Transfer SecurID 700 Hardware Authenticator Ownership to the Cloud Authentication Service.
How Authentication Manager Works with the Cloud Authentication ServiceHow Authentication Manager Works with the Cloud Authentication Service
The following graphic shows how a user with a registered mobile phone can access an agent-protected resource, in this example, using the Approve or Device Biometrics method.
Transfer SecurID 700 Hardware Authenticator Ownership to the Cloud Authentication ServiceTransfer SecurID 700 Hardware Authenticator Ownership to the Cloud Authentication Service
You can choose to transfer ownership and administration of the SecurID 700 hardware authenticators that you select from Authentication Manager to the Cloud Authentication Service. After the authenticator records are transferred to the cloud, Authentication Manager no longer manages the authenticators and can not take back ownership. For more information, see SecurID Hardware Authenticators.
Manage Users in the Security ConsoleManage Users in the Security Console
After completing the integration, you can use the Security Console to manage users and perform routine maintenance. See the following topics on RSA Link for more information.
|If you want to perform this task||See|
|Use the Security Console User Dashboard to manage users who have already registered their devices.||User Dashboard|
|Instruct users on how to register their devices and authenticate with Approve, Device Biometrics, and Authenticate OTP.||Customize the Cloud Authentication Service Invitation|
|Invite additional Authentication Manager users to register devices.||Send a SecurID Authenticate Invitation to Users|
|Manage user PINs||Manage PINs for Approve and Device Biometrics Authentication|