CrowdStrike Falcon Identity Protection - Authentication Manager - RSA MFA API (REST) Configuration - RSA Ready Implementation Guide

This article describes how to integrate CrowdStrike Falcon Identity Protection with RSA Authentication Manager (AM) using RSA MFA API (REST).

Configure AM

Perform these steps to configure AM using the REST API.

Procedure

  1. Install the CrowdStrike on-premise MFA enablement tool within your network.
  2. Enable RSA SecurID Authentication API in AM administration console.
  3. Set up an authentication agent in the AM administration console.

Configure CrowdStrike Falcon Identity Protection

Perform these steps to configure CrowdStrike Falcon Identity Protection.

Set up the CrowdStrike On-premise MFA Enablement Tool

To set up the CrowdStrike on-premise MFA enablement tool in your environment and enable MFA through on-premise providers, follow these steps:

  1. Check the prerequisites.
  2. Create an API client.
  3. Install the CrowdStrike on-premise MFA enablement tool.


Integrate Identity Protection with AM

To integrate Identity Protection with AM, follow these steps:

  1. Import the AM server certificate into the on-premise MFA enablement tool.
    1. Download a copy of the root server certificate file from the AM administration console. 
      For more information, see Download an RSA Authentication Manager Server Certificate in the RSA documentation.
    2. As a local administrator on the endpoint that is running the on-premise MFA enablement tool:
      1. In a command prompt, change directory to C:\Program Files\CrowdStrike Identity Protection\CrowdStrike On-premises MFA Enablement\jre64\bin.
        If you did not install the on-premise MFA enablement tool in the default directory, update the path as required.
      2. Run the following command: keytool -import -trustcacerts -keystore "C:\ProgramData\CrowdStrike Identity Protection\CrowdStrike On-premises MFA Enablement\cacerts_crowdstrike" -storepass changeit -alias <MyAlias> -file "<path/to/rsa_server_certificate.cer>".
        Specify the path to the CER file you downloaded from AM, and specify an alias to help you identify the certificate.
      3. Restart the on-premise MFA enablement tool service to start using the newly imported certificate.
  2. Enable the SecurID authentication API in AM.
    1. As described in Configure the RSA SecurID Authentication API for Authentication Agents in the RSA documentation, enable the authentication API to allow the on-premise MFA enablement tool to access your AM instance.
    2. Make a note of the API Access Key value.
      You will use this value in the Authentication API Key property when configuring the connector.
  3. Create an authentication agent in AM.
    1. As described in Deploying an Authentication Agent That Uses the REST Protocol in the RSA documentation, create an authentication agent to help you identify the source of authentication events when viewing RSA AM logs, and configure the connection port.
    2. Make a note of the Hostname value. Use this value in the Authentication API Agent Name property when configuring the connector.
    3. Make a note of the port number the authentication agent will use, often 5555. Use this value in the Port Number property when configuring the connector.
  4. Configure the AM connector in the Falcon console.
    1. In the Falcon console, go to Identity Protection > Configure > Connectors.
    2. In the Select connector list, select RSA AM and click Add.
    3. Enter the values you obtained from AM in the following fields:
      • Domain (the domain name that hosts your AM server)
      • Port Number
      • Authentication API Key
      • Authentication API Agent Name
    4. (Optional) In the User Identifier section, select the attribute that contains the value the MFA provider requires to uniquely identify a user.
      For example, you might have your MFA provider configured to require the e-mail address or principal name.
      We recommend that you keep the Default setting.
    5. Click Save.
      The indicator turns green within a minute, indicating the connection was successfully established.
    6. If the indicator does not turn green:
      1. Refresh the page.
      2. Verify that the hostname is accessible.
      3. Verify that all the parameters are entered correctly. If not, re-enter the parameter and click Save.
    7. Test the connection by creating an identity verification policy rule for an AM MFA-enrolled user. Make sure to select the RSA AM option in the Connector list.

When attempting to log on to a workstation that is not associated with them, the user should receive an on-screen notification to perform MFA.

For more information, see Identity Protection Policy.
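
As an added example (not CrowdStrike's or RSA's own tooling), the following PowerShell script performs the certificate import from step 1 above and adds the check the guide leaves implicit: before restarting the service it confirms that the keystore entry under the chosen alias carries the same SHA-256 fingerprint as the CER file downloaded from AM, so a stale or wrong certificate under that alias is caught rather than silently trusted. The alias, the CER path and the service display-name pattern are assumptions; the install path, keystore path and store password are the defaults quoted in the guide.

```powershell
# Added example: import the AM root certificate into the on-premise MFA
# enablement tool's keystore and verify the stored entry before restart.
# Assumed values: -Alias, -CerPath and the '*MFA Enablement*' service name
# pattern; the paths and 'changeit' password are the guide's defaults.
param(
    [Parameter(Mandatory)] [string] $CerPath,
    [string] $Alias     = 'rsa-am-root',
    [string] $JreBin    = 'C:\Program Files\CrowdStrike Identity Protection\CrowdStrike On-premises MFA Enablement\jre64\bin',
    [string] $KeyStore  = 'C:\ProgramData\CrowdStrike Identity Protection\CrowdStrike On-premises MFA Enablement\cacerts_crowdstrike',
    [string] $StorePass = 'changeit'
)

$keytool = Join-Path $JreBin 'keytool.exe'
if (-not (Test-Path $keytool)) { throw "keytool not found at $keytool; adjust -JreBin" }
if (-not (Test-Path $CerPath)) { throw "certificate file not found: $CerPath" }

# Pull the SHA-256 fingerprint out of keytool output. Java 8 prints 'SHA256:',
# newer releases print 'SHA-256:'; the regex accepts both.
function Get-Sha256Fingerprint([string[]] $KeytoolOutput) {
    $line = $KeytoolOutput | Where-Object { $_ -match 'SHA-?256:\s*[0-9A-Fa-f:]+' } | Select-Object -First 1
    if (-not $line) { throw 'no SHA-256 fingerprint found in keytool output' }
    return ("$line" -replace '.*SHA-?256:\s*', '').Trim()
}

# Fingerprint of the file downloaded from the AM administration console.
$fileFp = Get-Sha256Fingerprint (& $keytool -printcert -file $CerPath 2>&1)

# Import only if the alias is not already present (keeps the script re-runnable).
$null = & $keytool -list -keystore $KeyStore -storepass $StorePass -alias $Alias 2>&1
if ($LASTEXITCODE -ne 0) {
    & $keytool -import -trustcacerts -noprompt -keystore $KeyStore -storepass $StorePass -alias $Alias -file $CerPath
    if ($LASTEXITCODE -ne 0) { throw 'keytool import failed' }
}

# The entry under this alias must be the certificate we just downloaded.
$storeFp = Get-Sha256Fingerprint (& $keytool -list -v -keystore $KeyStore -storepass $StorePass -alias $Alias 2>&1)
if ($storeFp -ne $fileFp) {
    throw "fingerprint mismatch for alias '$Alias': keystore $storeFp, file $fileFp (delete the alias or choose another)"
}
Write-Host "Alias '$Alias' holds the AM certificate with SHA-256 $fileFp"

# Restart the enablement tool service so the new trust anchor takes effect.
$svc = Get-Service -DisplayName '*MFA Enablement*' -ErrorAction SilentlyContinue | Select-Object -First 1
if ($svc) { Restart-Service -Name $svc.Name -Force } else { Write-Warning 'service not found; restart it manually' }
```

Run it from an elevated prompt on the endpoint hosting the enablement tool, e.g. `.\Import-AmCert.ps1 -CerPath C:\temp\rsa_server_certificate.cer -Alias rsa-am-root`.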

The configuration is complete.