Connect Authentication Manager to the Cloud Authentication Service

You can easily deploy and manage multifactor authentication methods for your Authentication Manager users. These users will be able to access agent-protected resources using the SecurID App/SecurID Authenticator on their registered devices. You do not need to replace or update your existing agents or RSA Ready products.

You can use the Authentication Manager Security Console to seamlessly connect Authentication Manager to the Cloud Authentication Service, and to invite users to download the SecurID App/SecurID Authenticator and register their devices using the cloud-based SecurID My Page. After users complete registration, use the Security Console User Dashboard to monitor users' authentication activity and perform other user management tasks, such as enabling and disabling users and deleting registered authenticators. To configure the connection, perform these steps:

Note: If you upgraded Authentication Manager to version 8.7 and your deployment was connected to the Cloud Authentication Service before you upgraded to version 8.5, you must re-connect in order to use some features, such as the embedded identity router and High Availability OTPs. To re-establish your connection, see Edit the Cloud Authentication Service Connection.

To learn about the authentication flow, see How Authentication Manager Works with the Cloud Authentication Service.

For additional information, see Manage Users in the Security Console.


Step 1: Prepare the Cloud Authentication Service Environment

Before you connect Authentication Manager to the Cloud Authentication Service, complete the following steps to ensure that your Cloud Authentication Service deployment is ready.

  1. Get Sign-In Credentials for the Cloud Administration Console

  2. Deploy the Cloud Authentication Service

  3. Configure an Access Policy to Protect Your Sensitive Resources

  4. Enable My Page and Select an Access Policy to Protect My Page

  5. Generate the Registration Code and Registration URL

Get Sign-In Credentials for the Cloud Administration Console

Your organization must have a Cloud Authentication Service account. If you do not already have an account, contact your SecurID Sales representative at 1 800 995-5095 and choose Option 1.

Deploy the Cloud Authentication Service

You must deploy at least one identity router:

After you deploy an identity router, the Cloud Authentication Service synchronizes users. Make sure your Authentication Manager users are synchronized from external identity sources that are also synchronized to the Cloud Authentication Service.

Note: New users created in the Authentication Manager internal database, who have never had an assigned hardware or software authenticator, are not supported for Approve, Device Biometrics, or Authenticate OTP authentication.

Configure an Access Policy to Protect Your Sensitive Resources

An access policy determines which users can access your agent-protected resources and which authentication methods they are required to use. This access policy controls access for all users who authenticate using the new connection. You can configure the policy to allow access to only selected users who meet certain criteria, or to allow all users. For example, you can restrict access only to users who use a certain network or who work in certain departments. For more information, see Access Policies and Add an Access Policy.

If you are using RSA Authentication Manager 8.5 or later with REST protocol authentication agents, such as RSA Authentication Agent 8.0 or later for PAM, MFA Agent 2.0 or later for Microsoft Windows, and RSA Authentication Agent 2.0 or later for Microsoft AD FS, you can configure Authentication Manager as a proxy server. Authentication Manager always validates SecurID OTPs and on-demand authentication, but sends other multifactor authentication requests directly to the Cloud Authentication Service. With this configuration, assurance levels must contain one of your licensed authentication methods. The assurance level must be specified in the access policy you plan to use.

If your authentication agents use the UDP protocol, or if you are using Authentication Manager 8.4 with Patch 4 or later, and not using RSA Authentication Manager 8.5 or later as a secure proxy server, confirm that your Cloud Authentication Service deployment meets these criteria:

  • At least one assurance level must contain Authenticate OTP, Approve authentication, or Device Biometrics. For information, see Assurance Levels.

    If a user device does not support Device Biometrics, then the user is prompted for Approve authentication if it is allowed by the assurance level.

  • Authentication Manager does not support assurance levels that combine two forms of authentication. For example, the assurance level cannot require both SecurID OTP and Approve, but the assurance level can require only one of those options.

  • The assurance level must be specified in the access policy you plan to use.

For example, this sample policy allows access to all users who authenticate with Approve and Authenticate OTP, which are configured as low assurance level options, and also Device Biometrics, which is configured as a medium assurance level option.

[Image: securid_ngx_g_am_access_policy.png (sample access policy)]

Note: You can edit settings within the access policy at any time without reconfiguring the connection. However, if you decide to rename the policy or if you select a different policy at a later date, you must reconnect Authentication Manager to the Cloud Authentication Service.

Enable My Page and Select an Access Policy to Protect My Page

SecurID My Page is a web portal that helps provide a secure way for users to complete device registration and delete their devices (if necessary). By default, My Page is disabled. You must enable it in Access > My Page before users can use My Page. You must also select the primary authentication method and access policy to use for additional authentication for signing into My Page. This policy must meet the following criteria:

  • Specify an identity source that is configured for both Authentication Manager and the Cloud Authentication Service.

  • Require an authentication method your Authentication Manager users can provide when they access My Page. For example, LDAP password or SecurID OTP.

For instructions see Manage SecurID My Page.

Generate the Registration Code and Registration URL

In the Cloud Administration Console, generate the Registration Code and Registration URL as described in Connect Authentication Manager to the Cloud Authentication Service. The code is valid for 24 hours. You can either copy this information to a text file now and save it for later, or leave this window open so that you can copy this information when you configure the connection from the wizard-based interface in the Security Console.

Step 2: Set User Expectations for Authenticator Registration and Authentication

Your SecurID OTP users must learn how to access protected resources using the new authentication methods. You must educate these users to ensure that the onboarding process goes smoothly and that users know exactly what to expect when they register authenticators and authenticate for the first time. You can provide customized instructions to your users in the e-mail template as described in Customize the Cloud Authentication Service Invitation.

What Happens During Authenticator Registration

Users complete authenticator registration with the SecurID App/SecurID Authenticator (on a phone, tablet, or desktop or PC) to authenticate to protected applications.

Authenticator registration binds the authenticator to the user. After registration, when the user needs to authenticate to an application, SecurID prompts the user for PIN+Approve, PIN+Device Biometrics, or Authenticate OTP. Users who do not register an authenticator using the SecurID App/SecurID Authenticator are not presented with authentication methods that require the app. For a description of how authenticator registration works and what users experience, see Educating Your Users on RSA Link.

What Happens During Authentication

Users can access agent-protected resources with the following methods:

Approve (Push Notifications)

Device Biometrics

SecurID Authenticate OTP

When RSA Authentication Manager 8.5 or later is configured to act as a proxy server for the Cloud Authentication Service, users can authenticate with the additional methods that are supported by their REST protocol authentication agents. If Authentication Manager cannot communicate with the Cloud Authentication Service, users are prompted for Authenticate OTP.

Users can access agent-protected resources with multifactor authentication using the methods specified by the access policy. They are prompted to authenticate with a method that is based upon their assurance level. For more information, see How Assurance Levels Are Used During Authentication.

The first option listed for an assurance level on the Assurance Levels page is presented as the default for each new user when he or she authenticates to an application or client assigned to that assurance level for the first time. A user can select another option at any time, as long as the assigned assurance level or a higher assurance level contains additional options that the user can complete. When a user successfully authenticates with an option, that option becomes the user's default for future authentications for that assurance level.

Approve (Push Notifications)

To use the Approve method, the user attempts to access the application and is prompted to enter a passcode. The user enters the PIN, then taps a button on an Authenticate device. The user can also tap an interactive notification on the device or on an Apple Watch or Android Wear watch paired to the device. The user must respond within one minute. Otherwise, the method times out and is considered a failed authentication.

Note: The PIN required for Approve authentication is different from the PIN that may be required to unlock the Authenticate OTP in the app.

Device Biometrics

Device Biometrics allows users to authenticate to applications using biometrics available on devices, such as Apple Touch ID or Face ID, Android fingerprint, or Windows Hello. To use Device Biometrics, users must first set up biometrics on their devices. SecurID does not force users to do this.

To use Device Biometrics on Windows 10 PCs, Windows Hello must be enabled. Also, keep in mind that users can sign in using a Hello PIN.

To use Device Biometrics, the user attempts to access the application and is prompted to authenticate. The user enters a PIN, and then uses a biometric method to authenticate.

Note: The PIN required for Device Biometrics authentication is different from the PIN that may be required to unlock the Authenticate OTP in the app.

SecurID Authenticate OTP

Similar to SecurID OTP, SecurID Authenticate OTP employs a one-time, randomly generated number called an OTP. The SecurID Authenticate OTP app generates the OTP on a registered device. The OTP, which is verified by the Cloud Authentication Service, is time-based and must be used before it expires. These OTPs display for one minute, but are valid for up to five minutes after they are generated and displayed on a user's device.

A PIN may be required to unlock Authenticate OTP in the app, but Authenticate OTP does not require a PIN during authentication. This method cannot be used for offline authentication.
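The following is an added example (not SecurID's own algorithm or code) that models the timing rules just described for a time-based OTP: a 60-second step matching the one-minute display interval, a code that remains acceptable for up to five minutes, and a server-side check that also refuses a replayed code. It assumes a generic RFC 6238-style HMAC-SHA1 OTP; the seed value is constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import time

# Assumed model (an added illustration, not SecurID's proprietary algorithm):
# an RFC 6238-style HMAC-SHA1 time-based OTP with a 60-second step, matching
# the one-minute display interval, and an acceptance window of the current
# step plus the four before it, so a code stays valid for up to five minutes.
STEP_SECONDS = 60
DIGITS = 6
VALID_STEPS = 5


def code_for_step(secret, step):
    """Compute the OTP for one 60-second step (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def generate(secret, now=None):
    """What the registered device would display at time `now` (epoch seconds)."""
    now = time.time() if now is None else now
    return code_for_step(secret, int(now // STEP_SECONDS))


class OtpVerifier:
    """Server-side check: accept a code from the last five steps, once only."""

    def __init__(self, secret):
        self.secret = secret
        self.used_steps = set()  # steps whose code has already been consumed

    def verify(self, code, now=None):
        # Reject anything that is not a plain digit string before comparing.
        if not (isinstance(code, str) and code.isascii() and code.isdigit()):
            return False
        now = time.time() if now is None else now
        current = int(now // STEP_SECONDS)
        # Walk from the current step back through the four previous ones.
        for step in range(current, max(current - VALID_STEPS, -1), -1):
            # Constant-time compare so timing does not reveal matching digits.
            if hmac.compare_digest(code_for_step(self.secret, step), code):
                if step in self.used_steps:
                    return False  # replay of an OTP that was already accepted
                self.used_steps.add(step)
                return True
        return False  # wrong, expired (older than five steps), or not yet valid


if __name__ == "__main__":
    secret = b"constructed-demo-seed"  # constructed value, not a real seed
    t0 = 1_000_000
    shown = generate(secret, t0)
    verifier = OtpVerifier(secret)
    print("displayed:", shown)
    print("4 min later:", verifier.verify(shown, t0 + 240))   # accepted
    print("replayed:", verifier.verify(shown, t0 + 240))      # refused
    print("5 min later:", OtpVerifier(secret).verify(shown, t0 + 300))  # expired
```

The replay set grows without bound here; a production verifier would expire entries older than the five-step window, and it would bind the check to the device that generated the code, which is what the Cloud Authentication Service does when it verifies an Authenticate OTP against a registered device.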

Using PINs During the First Approve or Device Biometrics Authentication

The following table describes what users must enter during their first authentication using Approve or Device Biometrics.

Note: After the initial Approve or Device Biometrics authentication, a SecurID OTP user can change the PIN used for Approve and Device Biometrics to be different from the SecurID PIN(s). The same PIN must be used for both Approve and Device Biometrics authentication.

What the user has: One valid SecurID OTP and PIN
User action: The user enters the SecurID PIN, then taps Approve or authenticates with Device Biometrics.

What the user has: Multiple valid SecurID OTPs and PINs
User action: The user enters one PIN associated with any valid, assigned SecurID OTP, then taps Approve or authenticates with Device Biometrics.

What the user has: Valid SecurID OTP and expired PIN
User action: The user enters the expired PIN and is prompted to change the PIN, then taps Approve or authenticates with Device Biometrics. Or the user can reset the SecurID PIN before device registration, then use that SecurID PIN during device registration.

The new PIN applies to Approve and Device Biometrics authentication. To use the SecurID OTP, the user must create a new PIN for the OTP.

What the user has: No valid SecurID OTP or PINs (for example, SecurID OTP expired)
User action: The user enters the Authenticate OTP from his or her registered device, then taps Approve or authenticates with Device Biometrics and is prompted to create a PIN.

What the user has: Valid PIN for on-demand authentication (ODA)
User action: The user enters the PIN and is issued OTPs because ODA has priority over other types of authentication.

You can run a command line utility to prioritize Approve authentication and Device Biometrics authentication for these ODA users. For instructions, see Prioritize Approve and Device Biometrics Authentication for On-Demand Authentication Users.

Note: It is important to tell your users that, in all cases, the PIN they enter during the first Approve or Device Biometrics authentication will be required in future Approve or Device Biometrics authentications.

License Impact for High Availability OTP

Authentication Manager 8.5 or later allows Authenticate OTP authentication to continue when the Cloud Authentication Service or the connection is temporarily unavailable or too slow. Users who authenticate with other methods that are supported by the Authenticate app, such as Approve and Device Biometrics, are prompted for Authenticate OTP.

If High Availability OTP is configured, OTP records are created for each user who registered the Authenticate app with the Cloud Authentication Service. The license count increases by one for any Authenticator app user who does not currently have an assigned authenticator in Authentication Manager. Make sure that your Authentication Manager license supports any additional users that are required.

Support for Users Prior to Authentication Manager 8.4 Patch 4

After you connect Authentication Manager 8.4 Patch 4 or later to the Cloud Authentication Service, users who installed the SecurID App/SecurID Authenticator and registered devices with the Cloud Authentication Service prior to Patch 4 can use Approve authentication if allowed by the access policy. After Patch 9 is applied, these users can also use Device Biometrics authentication if allowed by the access policy. Patch 4 or later allows you to manage these existing users in the Security Console User Dashboard.

Step 3: Connect to the Cloud Authentication Service

The easiest way to connect RSA Authentication Manager to the Cloud Authentication Service is by starting the wizard from the Security Console Home page. After you finish, invited users will be able to download the SecurID App/SecurID Authenticator, register their devices, and access agent-protected resources.

Authentication Manager connects to the Cloud Authentication Service on port 443. No in-bound connections from the Cloud Authentication Service to Authentication Manager are required.

Before you begin

  • Confirm that your network infrastructure allows the Authentication Manager server to connect to the Cloud Authentication Service Registration URL. You might need to change your network configuration.

  • Confirm that all of the primary and replica instances in your deployment can connect to the Cloud Authentication Service IP addresses assigned to your region. See Test Access to Cloud Authentication Service for the list of addresses.

  • Confirm that the Manage Cloud Authentication Service Users permission is enabled on the General Permissions tab in the Security Console for your Help Desk Administrators. This permission allows these administrators to view and manage Cloud Authentication Service users in the Security Console User Dashboard. For more information, see Edit Permissions for an Administrative Role.

  • Decide if you want to customize the email template that will be used to invite users to register their devices. You can customize it now or later. For more information, see Customize the Cloud Authentication Service Invitation.
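The first two prerequisites are outbound-only: each primary and replica instance must be able to open a TCP connection on port 443 to the Registration URL host and to the regional Cloud Authentication Service addresses, or, if you configure an HTTP proxy in the wizard, to that proxy. The script below is an added example (not part of this guide or of Authentication Manager) that performs that check from one instance. The Registration URL, the regional addresses and the proxy values in it are constructed placeholders; take the real addresses from "Test Access to Cloud Authentication Service".

```python
import socket
from urllib.parse import urlparse

# Constructed example inputs (placeholders, not real SecurID values): the
# Registration URL copied from the Cloud Administration Console and the IP
# addresses assigned to your region.
REGISTRATION_URL = "https://cloud.example.invalid/registration"
REGION_ADDRESSES = ["192.0.2.10", "192.0.2.11"]
CLOUD_PORT = 443  # Authentication Manager connects outbound on this port only


def check_tcp(host, port, timeout=3.0):
    """Return True if an outbound TCP connection to host:port can be opened.

    Only the handshake is tested and the socket is closed at once. A False
    result points at a firewall, routing, or DNS problem on this instance.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(registration_url, addresses, proxy=None, port=CLOUD_PORT, timeout=3.0):
    """Run the outbound checks for one Authentication Manager instance.

    Without a proxy the instance must reach the Registration URL host and every
    regional address directly on port 443. With an HTTP proxy configured in the
    connection wizard the instance only needs to reach the proxy, so that
    (host, port) pair is checked instead. Returns {"host:port": reachable}.
    """
    if proxy is not None:
        proxy_host, proxy_port = proxy
        return {f"{proxy_host}:{proxy_port}": check_tcp(proxy_host, proxy_port, timeout)}
    targets = []
    registration_host = urlparse(registration_url).hostname
    if registration_host:
        targets.append(registration_host)
    targets.extend(addresses)
    return {f"{t}:{port}": check_tcp(t, port, timeout) for t in targets}


def unreachable(results):
    """The targets that failed, i.e. what to raise with the network team."""
    return sorted(target for target, ok in results.items() if not ok)


def open_local_listener():
    """Self-test helper: a listening socket on a free loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Run this on the primary instance and on every replica.
    results = preflight(REGISTRATION_URL, REGION_ADDRESSES)
    for target, ok in results.items():
        print(f"{target}: {'reachable' if ok else 'UNREACHABLE'}")
    raise SystemExit(1 if unreachable(results) else 0)
```

A successful TCP handshake does not prove that TLS will succeed; if a transparent device intercepts outbound TLS, the Cloud Authentication Service certificate presented to Authentication Manager will not be the genuine one, so follow this check with the connection test in the wizard itself.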

Procedure

  1. In the Security Console, go to the Home page.

    [Image: securid_security_console_home_screen.png (Security Console Home page)]

  2. Click Configure the connection.

  3. Verify that you have met the requirements for configuring the connection. Click Next.

  4. Do the following:
    • Copy and paste the Registration Code and the Registration URL from the Cloud Administration Console or from a text file into the connection wizard.

    • (Optional) If Authentication Manager is behind an external firewall, you can configure an HTTP proxy server. Click Configure a Proxy Connection:
      • In the Proxy Host field, enter the hostname of the proxy server. For example, example.com. If you have an HTTP proxy server that does not require a certificate, you can enter either a hostname or an IP address.

      • In the Proxy Port field, enter the port used by the proxy server.

      • In the Proxy Username field, enter the unique username for the proxy server.

      • In the Proxy Password field, enter the unique password for your proxy server.

      The proxy server information that you enter is used to send telemetry data to SecurID. For more information, see Configure the Telemetry Service.

      Note: If you are using an HTTPS proxy server, you must configure it later by reconnecting to the Cloud Authentication Service on the Cloud Authentication Service Configuration page in the Security Console. For instructions, see Configure a Proxy Server.

    Click Next.

  5. Keep the Enable Cloud Authentication check box selected, and click Next.

    When enabled, all authentication agents that previously required a SecurID OTP will allow users to authenticate using both SecurID OTPs and the SecurID App/SecurID Authenticator. You can manage Cloud users from the Security Console.

  6. After the connection succeeds, keep the window open. Go to the SecurID My Page URL. You can register a device and test cloud-based authentication. Return to the Security Console, and click Next.

  7. You can invite users to download the SecurID App/SecurID Authenticator and register devices. After registration, users can access your protected resources with the supported authentication methods.
    • To invite users later, click No, Invite users later. The next page displays the procedure for inviting users later.

    • To invite users now, click Yes, Invite more users.

  8. You can customize the email message that is sent to users. For instructions, see Customize the Cloud Authentication Service Invitation.

  9. Click Close to exit.

After you finish

How Authentication Manager Works with the Cloud Authentication Service

The following graphic shows how a user with a registered mobile phone can access an agent-protected resource, in this example, using the Approve or Device Biometrics method.

[Image: securid_am_cloud_authflow_flow_approve_biometrics.png (authentication flow for Approve or Device Biometrics)]

  • After ownership is transferred, all policies and configurations from the Cloud Authentication Service apply to cloud authentication. The Cloud Authentication Service performs the OTP validation.

  • For transferred SID 700 authenticators when the Cloud Authentication Service is slow or unreachable, you can leverage the high availability failover in Authentication Manager.

  • PINs for transferred authenticators follow the PIN policies for the Cloud Authentication Service. Existing PINs for transferred authenticators can be used to authenticate.

  • Authentication Manager supports OTP attribute definitions that store information not contained in the standard set of authenticator attributes. The Cloud Authentication Service does not support these optional attributes. Authenticator attributes are removed when authenticators are transferred to the Cloud Authentication Service.

  • For transferred authenticators or Cloud-owned authenticators, offline authentication is supported by MFA agents only in cloud direct or proxy mode.

Authenticator Eligibility for Transfer

Each of the following conditions means that the authenticator is either not transferred by Authentication Manager (ignored) or not accepted by the Cloud Authentication Service (failed):

  • Not a SecurID 700 hardware authenticator.

  • Lost authenticator.

  • Assigned authenticator that is disabled.

  • Authenticator that is being replaced or a replacement authenticator.

  • Expired authenticator.

  • Authenticator that does not require a PIN.

  • User record is pending deletion in the Cloud Authentication Service.

  • Authenticator is assigned to a user who has different e-mail addresses in Authentication Manager and the Cloud Authentication Service.

  • Authenticator assigned to a user who is in the Authentication Manager internal database and not present in the Cloud Authentication Service.

  • Authenticator assigned to a user who is disabled in the identity source and does not exist in the Cloud Authentication Service.

Authentication Manager Authenticator Status    Cloud Authentication Service Authenticator Status
Unassigned                                     Unassigned
PIN Not Set                                    Activation Pending
PIN Set

Authentication Manager administrators can view the authenticators after they are transferred to the Cloud Authentication Service, but only Cloud Authentication Service administrators can perform these tasks:

  • Edit an authenticator

  • Assign and unassign an authenticator

  • Change the PIN for an authenticator

  • Delete an authenticator

Manage Users in the Security Console

After completing the integration, you can use the Security Console to manage users and perform routine maintenance. See the following topics on RSA Link for more information.

If you want to perform this task: Use the Security Console User Dashboard to manage users who have already registered their devices.
See: User Dashboard

If you want to perform this task: Instruct users on how to register their devices and authenticate with Approve, Device Biometrics, and Authenticate OTP.
See: Customize the Cloud Authentication Service Invitation

If you want to perform this task: Invite additional Authentication Manager users to register devices.
See: Send a SecurID Authenticate Invitation to Users

If you want to perform this task: Manage user PINs.
See: Manage PINs for Approve and Device Biometrics Authentication