IDR SSO - Step 1: Plan
There are a few things you need to plan to deploy your system.
What You Need to Know
RSA uses a hybrid architecture that consists of two components:
Cloud Access Service (CAS) is a cloud service that provides an easy-to-use Cloud Administration Console and powerful identity assurance engine.
The Identity Router is an on-premise virtual appliance that securely connects your on-premise resources, such as Active Directory, to CAS.
You can deploy the identity router in your on-premises VMware or Hyper-V environment, or on the Amazon Web Services (AWS) cloud.
Planning Network Interfaces for the Identity Router
You can plan your network based on the services that you need in the deployment.
One Network Interface: One-network-configured appliance uses single network for all traffic to and from the identity router (including the application portal, Cloud RADIUS, and so on). All services including the application portal share the same interface.
Two Network Interfaces: Two-network-configured appliance uses two network interfaces for traffic to and from the identity router. One interface is designated as portal, the other as management. The portal interface is used by the application portal. It is usually connected to an Internet-facing network segment, such as the DMZ. The management interface is used by all other services. It is usually attached to an internal network segment, such as the Local Area Network (LAN).
For more details, see Identity Router Network Interfaces and Default Ports.
Note: After you deploy an identity router with one network interface, you cannot change the configuration to support two network interfaces and vice versa.
Relying party deployments support both standalone and embedded identity routers that are deployed with one or two network interfaces.
RADIUS services are available in standalone identity routers that are deployed with one or two network interfaces. If the identity router is deployed with two network interfaces, the RADIUS service listens on the management interface.
SSO Agent deployments require a standalone identity router. The identity router can be deployed with one or two network interfaces. If the identity router is deployed with two network interfaces, the SSO agent will be available from the portal interface.
For details on planning network interfaces, see Identity Router Network Interfaces and Default Ports.
In all deployments with AWS, the identity router has one network interface to which you assign public and private IP addresses and connect other network resources from the internet or your private network.
Based on your network choice, use one of the following planning worksheets:
Planning Worksheet and Connection Requirements for One Network Interface
Planning Worksheet and Connection Requirements for Two Network Interfaces
If you plan to use two network interfaces, skip the following section and continue with Planning Worksheet and Connection Requirements for Two Network Interfaces.
Planning Worksheet and Connection Requirements for One Network Interface
The following sections describe how to plan the worksheet and the connection requirements for one network interface.
Planning Worksheet
Add your values to the following worksheet. You will use this information in the next section and during setup.
Item | Your Values |
|---|---|
Cloud Administration Console and CAS |
The following are example URLs using the region-specific domain names: US deployment tenantName-idr-useast.auth.securid.com tenantName-idr-useast.access.securid.com ANZ deployment tenantName-idr-auc.auth-anz.securid.com tenantName-idr-auc.access-anz.securid.com EMEA deployment tenantName-idr-euwest.auth-eu.securid.com tenantName-idr-euwest.access-eu.securid.com Federal deployment tenantName-idr-govva.auth.securidgov.com tenantName-idr-govva.access.securidgov.com India deployment tenantName-idr-inc.auth-in.securid.com tenantName-idr-inc.access-in.securid.com Japan deployment tenantName-idr-jpe.auth-jp.securid.com tenantName-idr-jpe.access-jp.securid.com Canada deployment tenantName-idr-cac.auth-ca.securid.com tenantName-idr-cac.access-ca.securid.com tenantName-idr-cae.auth-ca.securid.com tenantName-idr-cae.access-ca.securid.com Singapore deployment tenantName-idr-sea.auth-sg.securid.com tenantName-idr-sea.access-sg.securid.com tenantName-idr-aue.auth-sg.securid.com tenantName-idr-aue.access-sg.securid.com Make sure to whitelist the wildcard base authentication and access domain names if you are using DNS firewall rules so that identity routers can connect to the Cloud using the region-specific domain names. Your authentication service domain appears in the Cloud Administration Console on the Platform > Identity Router > Registration page when you add an identity router. Note: A set of one or more DNS servers must be configured for each identity router (IDR). The set of DNS server(s) must be able to resolve internal and external domain names, including the securid.com names used by CAS. For instructions on checking the status of your Cloud connections, see View Identity Router Status in the Cloud Administration Console. To test access to the IP addresses, see Test Access to Cloud Access Service |
SSO Agent only: Protected domain name This is a unique subdomain prepended to your registered domain name and is used by all traffic managed by the identity router, for example, sso.example.com. For more information, see Protected Domain Name. |
|
SSO Agent only: Load balancer
| |
Active Directory server LDAP directory server
| |
DNS server IP address DNS servers IP addresses | |
| NTP server IP address | |
| Backups server IP address | |
| Internal user subnet IP address | |
RADIUS only: RADIUS client IP address | |
| Required only for VMware and Hyper-V identity router deployments: | |
Identity router management interface (private, required for all deployments).
| |
| Required only for Amazon Web Services identity router deployments: | |
Identity router
Note: For identity routers in AWS, netmask and gateway information is obtained automatically during instance launch, according to the VPC subnet settings. |
|
AWS environment configuration details
| |
Connectivity Requirements
Replace the values in the table below with your values from the table above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules. Update your firewall rules before continuing with the next step.
Replace the values in the table below with your values from the table above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules for your network. If you deploy the identity router in the Amazon cloud, the route tables, security groups, and network ACLs in your AWS environment must also allow these connections. Update your connectivity settings before continuing with the next step.
Source | Destination | Protocol and Port | Purpose |
|---|---|---|---|
0.0.0.0/0
| CAS Both CAS environments Both CAS environments and <Your load balancer public IP address> | TCP 443 TCP 80, 443 | External user access to CAS External user access to CAS, application portal, and applications |
SSO Agent only: <Your internal (corp network) end users>
| Both CAS environments and <Your load balancer private IP address> | TCP 80, 443 | Internal user access to CAS, application portal, and applications |
< Your administrators>
| For on-premises identity routers:
For identity routers in the Amazon cloud: | TCP 9786 | Identity Router Setup Console |
For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address> | Cloud Administration Console and CAS Cloud Administration Console and both CAS environments Note: If your company uses URL filtering, be sure that *.access.securid.com, *.auth.securid.com, and CAS IP addresses for your region are whitelisted. Note: If your company uses URL filtering, be sure that *.access.securid.com, *.auth.securid.com, and CAS IP addresses for your region are whitelisted. Also, confirm that you can access both environments. For instructions, see Test Access to Cloud Access Service. | TCP 443 | Identity router registration |
For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router public IP address> | <Your protected resource> | TCP 443 or custom port | Application integration |
SSO Agent only: <Your load balancer private IP address>
| <Your identity router management interface IP address> | TCP 443 | Load balancer health check of pool members |
For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address> | <Your Active Directory server IP address> <Your LDAP directory server IP address> | TCP 389 TCP 636 | LDAP directory user authentication and authorization |
For on-premises identity routers: <Your identity router portal interface IP address or identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address> | <Your DNS server IP address>
| UDP 53 | DNS |
RADIUS only: <Your RADIUS client IP address>
| For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address> | UDP 1812 | RADIUS |
RADIUS only: <Your RADIUS client IP address>
| For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address> | UDP 1812 | (Optional) RADIUS |
For on-premises identity routers: <Your identity router portal interface IP address or identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address> | <Your NTP server IP address> | UDP 123 | Network time server synchronization |
| <Your administrator computer>
| For on-premises identity routers: <Your identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address> | TCP 22 | (Optional) SSH for troubleshooting |
If you plan to use one network interface, skip the following section.
Planning Worksheet and Connection Requirements for Two Network Interfaces
The following sections describe how to plan the worksheet and the connection requirements for two network interfaces.
Planning Worksheet
Add your values to the following worksheet. You will use this information in the next section and during setup.
Item | Your Values |
|---|---|
Cloud Administration Console and CAS |
The following are example URLs using the region-specific domain names: US deployment tenantName-idr-useast.auth.securid.com tenantName-idr-useast.access.securid.com ANZ deployment tenantName-idr-auc.auth-anz.securid.com tenantName-idr-auc.access-anz.securid.com EMEA deployment tenantName-idr-euwest.auth-eu.securid.com tenantName-idr-euwest.access-eu.securid.com Federal deployment tenantName-idr-govva.auth.securidgov.com tenantName-idr-govva.access.securidgov.com India deployment tenantName-idr-inc.auth-in.securid.com tenantName-idr-inc.access-in.securid.com Japan deployment tenantName-idr-jpe.auth-jp.securid.com tenantName-idr-jpe.access-jp.securid.com Canada deployment tenantName-idr-cac.auth-ca.securid.com tenantName-idr-cac.access-ca.securid.com tenantName-idr-cae.auth-ca.securid.com tenantName-idr-cae.access-ca.securid.com Singapore deployment tenantName-idr-sea.auth-sg.securid.com tenantName-idr-sea.access-sg.securid.com tenantName-idr-aue.auth-sg.securid.com tenantName-idr-aue.access-sg.securid.com Make sure to whitelist the wildcard base authentication and access domain names if you are using DNS firewall rules so that identity routers can connect to the Cloud using the region-specific domain names. Your authentication service domain appears in the Cloud Administration Console on the Platform > Identity Router > Registration page when you add an identity router. Note: A set of one or more DNS servers must be configured for each identity router (IDR). The set of DNS server(s) must be able to resolve internal and external domain names, including the securid.com names used by CAS. For instructions on checking the status of your Cloud connections, see View Identity Router Status in the Cloud Administration Console. To test access to the IP addresses, see Test Access to Cloud Access Service |
SSO Agent only: Protected domain name This is a unique subdomain prepended to your registered domain name and is used by all traffic managed by the identity router, for example, sso.example.com. For more information, see Protected Domain Name. |
|
SSO Agent only: Load balancer
| |
Active Directory server LDAP directory server
| |
DNS server IP address DNS servers IP addresses | |
| NTP server IP address | |
| Backups server IP address | |
| Internal user subnet IP address | |
RADIUS only: RADIUS client IP address | |
| Required only for VMware and Hyper-V identity router deployments: | |
Identity router management interface (private, required for all deployments).
| |
Identity router portal interface (public, required for IDR SSO Agent deployments with on-premises identity router). For more details, see Identity Router Network Interfaces and Default Ports.
|
|
| Required only for Amazon Web Services identity router deployments: | |
Identity router
Note: For identity routers in AWS, netmask and gateway information is obtained automatically during instance launch, according to the VPC subnet settings. |
|
AWS environment configuration details
| |
Connectivity Requirements
Replace the values in the table below with your values from the table above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules. Update your firewall rules before continuing with the next step.
Replace the values in the table below with your values from the table above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules for your network. If you deploy the identity router in the Amazon cloud, the route tables, security groups, and network ACLs in your AWS environment must also allow these connections. Update your connectivity settings before continuing with the next step.
Source | Destination | Protocol and Port | Purpose |
|---|---|---|---|
0.0.0.0/0
| CAS Both CAS environments Both CAS environments and <Your load balancer public IP address> | TCP 443 TCP 80, 443 | External user access to CAS External user access to CAS, application portal, and applications |
SSO Agent only: <Your internal (corp network) end users>
| Both CAS environments and <Your load balancer private IP address> | TCP 80, 443 | Internal user access to CAS, application portal, and applications |
< Your administrators>
| For on-premises identity routers:
For identity routers in the Amazon cloud: | TCP 443
| Identity Router Setup Console |
For on-premises identity routers: <Your identity router portal interface IP address> | Cloud Administration Console and CAS Cloud Administration Console and both CAS environments Note: If your company uses URL filtering, be sure that *.access.securid.com, *.auth.securid.com, and CAS IP addresses for your region are whitelisted. Note: If your company uses URL filtering, be sure that *.access.securid.com, *.auth.securid.com, and CAS IP addresses for your region are whitelisted. Also, confirm that you can access both environments. For instructions, see Test Access to Cloud Access Service. | TCP 443 | Identity router registration |
For on-premises identity routers: <Your identity router portal interface IP address> | <Your protected resource> | TCP 443 or custom port | Application integration |
SSO Agent only: <Your load balancer private IP address>
| <Your identity router portal interface IP address> | TCP 80, 443 | Load balancer traffic to pool members |
SSO Agent only: <Your load balancer private IP address>
| <Your identity router management interface IP address> | TCP 443 | Load balancer health check of pool members |
For on-premises identity routers: <Your identity router management interface IP address> | <Your Active Directory server IP address> | TCP 389 | LDAP directory user authentication and authorization |
For on-premises identity routers: <Your identity router portal interface IP address or identity router management interface IP address> For identity routers in the Amazon cloud: <Your identity router private IP address> | <Your DNS server IP address>
| UDP 53 | DNS |
RADIUS only: <Your RADIUS client IP address>
| For on-premises identity routers: <Your identity router management interface IP address> | UDP 1812 | RADIUS |
RADIUS only: <Your RADIUS client IP address>
| For on-premises identity routers: <Your identity router management interface IP address> | UDP 1812 | (Optional) RADIUS |
For on-premises identity routers: <Your identity router portal interface IP address or identity router management interface IP address> | <Your NTP server IP address> | UDP 123 | Network time server synchronization |
| <Your administrator computer>
| For on-premises identity routers: <Your identity router management interface IP address> | TCP 22 | (Optional) SSH for troubleshooting |
IDR SSO - Step 2: Configure Company Information and Certificates
Related Articles
Cloud Access Service Quick Setup Guide for RADIUS Clients - Step 1: Plan Number of Views Cloud Access Service POC Quick Setup Guide - Step 1: Plan Number of Views Cloud Access Service Quick Setup Guide for My Page SSO - Step 1: Plan Number of Views Cloud Access Service Quick Setup Guide for IDR SSO Number of Views Cloud Access Service POC Quick Setup Guide - Step 6: Test Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Release Notes for RSA Authentication Manager 8.8 RSA Authentication Manager 8.9 Release Notes (January 2026) Supported On-Demand Authentication (ODA) SMS providers for use with RSA Authentication Manager 8.x Deploying RSA Authenticator 6.2.2 for Windows Using DISM
