The overall RSA Prime solution architecture topology, across all Prime components and running against RSA Authentication Manager, is illustrated in the diagram below:

Under this Prime architecture configuration:

• Multiple, load balanced Prime Services servers co-host the AMIS, SSP, and HDAP components.
  • The Internal Self-Service Portal instances are accessible only to end-users on the enterprise's internal network.
  • The Help Desk Admin Portal is accessed by help desk personnel and token administrators (who also may have RSA AM Security Console access).
  • The AMIS component provides REST web services that the Prime portals leverage to interface with the Authentication Manager servers.  AMIS also provides ancillary services such as workflow, e-mail invitation and user notification services.
    (Although not depicted above, the AMIS REST web services can be also be used by the enterprise to integrate its own in-house applications and systems with the RSA AM platform.)
• A set of multiple, load-balanced External Self-Service servers co-host externally accessible instances of Prime Self-Service as well as RSA AM Web-Tiers.
  • The External Self-Service Portal instances can be configured with different authentication methods and to serve a more constrained set of self-service functions, based on the enterprise's security practices.
  • The Web-Tier component is utilized strictly to support proxying of CT-KIP communications for secure, dynamic soft token provisioning.

As of January 2019, Prime also provides for integration with the RSA Cloud Authentication Service and management of RSA SecurID Authenticate mobile devices.  This expanded RSA SecurID solution footprint and additional technical details are captured in the following diagram: