Quick Setup Guide - Connect Authentication Manager to Cloud Authentication Service
Generate the registration code and URL for Connecting AM to CAS
Download and Install Embedded Identity Router or Install a Standalone Identity Router
Add the Same Identity Source to CAS (External) or Add an Internal Identity Source
What You Need to Have
| Item | Description |
|---|---|
| RSA Authentication Manager 8.5 or later. | Authentication Manager must be deployed in your environment. |
| A Cloud Authentication Service account with sign-in credentials for the Cloud Administration Console. | If you do not already have an account, call 1.800.995.5095 and choose Option 1 to speak to your RSA Sales Representative. |
| An identity source (Active Directory or LDAP server or internal identity store) supported by your current version of Authentication Manager. | Create a group of a limited number of users (for example, SecurID Test Group) to synchronize and test with. |
| SSL/TLS certificate from your LDAP directory server | Used for an encrypted connection (LDAPS) to your directory server. Download the SSL/TLS certificate from your directory server. If your directory server does not have a certificate, install one. See Cloud Authentication Service Certificates. |
| A mobile device or Windows PC | See RSA Authenticate Device Requirements. |
What You Need to Know
RSA uses a hybrid architecture that consists of two components:
The Cloud Authentication Service, which provides an easy-to-use Cloud Administration Console and a powerful identity assurance engine.
An identity router that does the following:
Connects the Cloud Authentication Service to your identity sources.
Sends authentication requests to the Cloud Authentication Service for validation.
Enforces access policies to determine which applications users can access, when additional authentication is needed, and which authentication methods are required.
Note: The embedded IDR management subnet interface uses the internal IP range 172.17.0.1/16, and the embedded IDR docker subnet interface uses the internal IP range 172.19.0.1/16. Authentication Manager uses these IP ranges by default when the embedded IDR is configured on Authentication Manager.
Add your values to the following worksheet. You will use this information later.
| Item | Your Values |
|---|---|
| Cloud Administration Console and Cloud Authentication Service | |
| Telemetry | telemetry.access.securid.com |
| Embedded identity router | |
| LDAP directory server | |

The following are example URLs using the region-specific domain names:

| Deployment | Authentication domain | Access domain |
|---|---|---|
| US | tenantName-idr-useast.auth.securid.com | tenantName-idr-useast.access.securid.com |
| ANZ | tenantName-idr-auc.auth-anz.securid.com | tenantName-idr-auc.access-anz.securid.com |
| EMEA | tenantName-idr-euwest.auth-eu.securid.com | tenantName-idr-euwest.access-eu.securid.com |
| Federal | tenantName-idr-govva.auth.securidgov.com | tenantName-idr-govva.access.securidgov.com |
| India | tenantName-idr-inc.auth-in.securid.com | tenantName-idr-inc.access-in.securid.com |
| Japan | tenantName-idr-jpe.auth-jp.securid.com | tenantName-idr-jpe.access-jp.securid.com |

Make sure to whitelist the wildcard base authentication and access domain names if you are using DNS firewall rules, so that identity routers can connect to the Cloud using the region-specific domain names. Your authentication service domain appears in the Cloud Administration Console on the Platform > Identity Router > Registration page when you add an identity router.

Note: A set of one or more DNS servers must be configured for each identity router (IDR). The DNS servers must be able to resolve internal and external domain names, including the securid.com names used by the Cloud Authentication Service.

To check the status of your Cloud connections, see View Identity Router Status in the Cloud Administration Console. To test access to the IP addresses, see Test Access to Cloud Authentication Service.
Connectivity Requirements
Replace the values in the table below with your values from the table above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules for your network. Update your connectivity settings before continuing with the next step.
| Source | Destination | Protocol and Port | Purpose |
|---|---|---|---|
| 0.0.0.0/0 | Both Cloud Authentication Service environments | TCP 443 | External user access to Cloud Authentication Service |
| Identity router. The embedded identity router supports the use of one network interface. | Cloud Administration Console and both Cloud Authentication Service environments. Note: If your company uses URL filtering, be sure that the *.access URLs (*.access.securid.com, *.access-anz.securid.com, *.access-eu.securid.com, *.access.securidgov.com, or *.access-in.securid.com), the *.auth URLs (*.auth.securid.com, *.auth-anz.securid.com, *.auth-eu.securid.com, *.auth.securidgov.com, or *.auth-in.securid.com), and the Cloud Authentication Service IP addresses for your region are whitelisted. Also, confirm that you can access both environments. | TCP 443 | Identity router registration |
| All Authentication Manager primary and replica instances | The two embedded identity router URLs for your region that are listed in the previous table. | TCP 443 | Embedded identity router deployment |
| <Your identity router management interface IP address> | <Your LDAP directory server IP address> | TCP 636 | LDAP directory user authentication and authorization |
| <Your identity router management interface IP address> | <Your DNS server IP address> | UDP 53 | DNS |
| <Your identity router management interface IP address> | <Your NTP server IP address> | UDP 123 | Network time server synchronization |
| RSA Authentication Manager internal firewall | Authentication Manager | TCP 9786 | Identity router configuration and communication with Authentication Manager |
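The firewall and DNS requirements above can be verified from a host on the identity router's network segment before you start registration. The following is an added example, not RSA's code: it derives the region-specific CAS domains and the destination list from the two tables in this guide, then checks name resolution and TCP reachability (UDP destinations are only resolved); the tenant name and the LDAP, DNS and NTP addresses are constructed placeholders.

```python
"""Pre-flight connectivity check for an Authentication Manager / embedded IDR host (added
example, not RSA's code). Builds the region-specific CAS domains and destination list from
this guide's connectivity tables, then checks DNS resolution and TCP reachability."""
import socket

# Region -> (IDR infix, auth base domain, access base domain), from the worksheet.
REGIONS = {
    "US":      ("useast", "auth.securid.com",     "access.securid.com"),
    "ANZ":     ("auc",    "auth-anz.securid.com", "access-anz.securid.com"),
    "EMEA":    ("euwest", "auth-eu.securid.com",  "access-eu.securid.com"),
    "Federal": ("govva",  "auth.securidgov.com",  "access.securidgov.com"),
    "India":   ("inc",    "auth-in.securid.com",  "access-in.securid.com"),
    "Japan":   ("jpe",    "auth-jp.securid.com",  "access-jp.securid.com"),
}
TELEMETRY = "telemetry.access.securid.com"

def cas_domains(tenant, region):
    """Return (authentication domain, access domain) for a tenant in a region."""
    infix, auth_base, access_base = REGIONS[region]
    return (f"{tenant}-idr-{infix}.{auth_base}", f"{tenant}-idr-{infix}.{access_base}")

def connectivity_checks(tenant, region, ldap_host, dns_host, ntp_host):
    """Destinations from the connectivity requirements table: (host, port, proto, purpose)."""
    auth, access = cas_domains(tenant, region)
    return [
        (auth,      443, "tcp", "Cloud Authentication Service"),
        (access,    443, "tcp", "Cloud Administration Console / identity router registration"),
        (TELEMETRY, 443, "tcp", "Telemetry"),
        (ldap_host, 636, "tcp", "LDAPS directory user authentication"),
        (dns_host,   53, "udp", "DNS"),
        (ntp_host,  123, "udp", "Network time synchronization"),
    ]

def run_checks(checks, timeout=5.0):
    """Map (host, port) -> 'ok' | 'blocked' | 'resolved' | 'no-dns' for each destination."""
    results = {}
    for host, port, proto, _purpose in checks:
        try:
            socket.getaddrinfo(host, port)          # the IDR's DNS must resolve these names
        except socket.gaierror:
            results[(host, port)] = "no-dns"
            continue
        if proto != "tcp":
            results[(host, port)] = "resolved"      # UDP: resolution is all we can verify
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[(host, port)] = "ok"        # firewall and service both open
        except OSError:
            results[(host, port)] = "blocked"       # refused, filtered or timed out
    return results

if __name__ == "__main__":  # constructed placeholder values; substitute your worksheet entries
    checks = connectivity_checks("tenantName", "US", "10.0.0.10", "10.0.0.53", "10.0.0.123")
    print(run_checks(checks))
```

A "no-dns" result means the resolver configured for the identity router cannot resolve the name, which the note above calls out as a prerequisite; "blocked" points at the firewall rule for that row.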
If RSA Authentication Manager is behind an external firewall that restricts outbound traffic, you must configure a proxy server as described below.
Note: RSA Authentication Manager only supports HTTP-basic authentication for proxy servers.
Procedure
In the Security Console, click Setup > System Settings.
Click RSA Cloud Authentication Service Configuration.
Under RSA Cloud Authentication Service Firewall Proxy Configuration, click Enable Proxy Configuration.
In the Proxy Host field, enter the hostname of the proxy server. For example, example.com. If you have an HTTP proxy server that does not require a certificate, you can enter either a hostname or an IP address.
In the Proxy Port field, enter the port used by the proxy server.
If the proxy server does not require credentials, leave these fields blank. Otherwise, enter the following:
- In the Proxy Username field, enter the unique username for the proxy server.
- In the Proxy Password field, enter the unique password for the proxy server.
(HTTPS proxy server only) If you make changes to an HTTPS proxy server, a new Registration Code and Registration URL are required. You must connect to the Cloud Authentication Service again and accept a new certificate.
This step does not apply to HTTP proxy servers.
To connect again, do the following:
- Under Register RSA AM with the RSA Cloud Authentication Service, copy and paste the Registration Code and the Registration URL from the Cloud Administration Console, or obtain this information from a Cloud Authentication Service Super Admin and manually enter it.
- Apply the changes to the HTTPS proxy server by clicking Connect to the RSA Cloud Authentication Service. Saving the changes on the page does not update the connection.
- You are prompted to trust a proxy server certificate. Verify the certificate with your help desk or network administrator, and click Yes.
The trusted proxy server certificate cannot be deleted in AM. You can replace the certificate by updating the proxy server connection or by connecting to a new proxy server, and then connecting to the Cloud Authentication Service again.
- Restart the proxy server.
The proxy server information that you enter automatically updates the connection information for the Telemetry service that sends telemetry data to RSA. For more information, see Configure the Telemetry Service.
- Click Save.
Generate the registration code and URL for Connecting AM to CAS
To connect Authentication Manager (AM) to RSA Cloud Authentication Service (CAS), you must first generate a registration code and URL from Cloud Administration Console and then copy them to AM.
Log in to the Cloud Administration Console of your CAS tenant.
From Platform, click Authentication Manager.
Under Connection from Authentication Manager, do the following:
Choose an appropriate access policy, and then click Generate Code.
Copy the Registration Code and Registration URL to the RSA Security Console.
To enable high availability, click Enable under High Availability OTP.
Click Publish Changes.
Connect AM to CAS
From RSA Security Console, go to Setup > System Settings.
From Authentication Settings, click RSA Cloud Authentication Service Configuration.
Under Register RSA Authentication Manager with RSA Cloud Authentication Service, enter the Registration Code and Registration URL copied from CAS.
Click Connect to the RSA Cloud Authentication Service.
To install a standalone IDR, refer to the Standalone IDR Quick Start Guide (QSG). After completing the IDR installation and configuration, proceed to "Configure the Agent to Use Modern MFA Methods".
Download and Install Embedded Identity Router
From RSA Security Console, go to the Home tab.
Under Quick Links, click Configure the Embedded Identity Router.
Under RSA Cloud Authentication Service Configuration, click Download & Install Identity Router.
The system downloads and installs the identity router image automatically.
You can also choose to install a standalone IDR. For more details, see Install a Standalone Identity Router.
Configure Identity Router
After installing the identity router, you need to configure it.
From RSA Security Console, go to Setup > System Settings.
From Authentication Settings, click RSA Cloud Authentication Service Identity Router.
Under RSA Cloud Authentication Service Identity Router, click Configure Identity Router.
Log in to the Identity Router. The credentials for initial login are:
Username: idradmin
Password: s1mp13.
Note: It is recommended to change the password when prompted.
To register the identity router, do the following:
From the Cloud Administration Console, go to Platform, and click Identity Routers.
Click Add an Identity Router.
On the Basic Information tab, select the platform as Authentication Manager, type a name for the platform, and then click Save and Next Step.
Click the Registration tab to view the registration details.
Copy the Registration Code and Authentication Service Domain to the identity router configuration page of RSA Security Console.
Click Submit and ensure that the registration is completed.
Navigate back to the CAS Identity Router page and ensure the IDR status is changed to Active.
On the CAS console, click Publish Changes.
For more information on configuring the Identity Router, see RSA Community.
Connect CAS to AM
To use SecurID as an authentication method, the Super Admin for CAS must connect the CAS deployment to the AM server. These configuration settings allow all identity routers to communicate with AM.
Procedure
In the Security Console, click Access > Authentication Agents > Add New.
Under Authentication Agent Basics, enter a name into the Hostname field. For example: identityrouters.
Click Save.
Click Yes, Save Agent.
In the Cloud Administration Console, click Platform > Authentication Manager.
Click Configure Connection.
In the Authentication Agent Name field, enter the agent name that you created in step 2.
To upload the sdconf.rec file, click Choose File and select the file.
Click Save.
Click Publish Changes to apply the settings to all identity routers in the deployment. You must publish before you test the connection, but remember that publishing applies these settings and all pending changes to all identity routers.
Click Test Connection. A graphic shows the connection status for each configured identity router. If any components are not connected, investigate the cause.
After you finish
The Super Admin for the Cloud Authentication Service must make sure assurance levels and access policies are configured to require SecurID Token where appropriate.
Add the Same Identity Source to CAS (External)
You must connect both Authentication Manager and CAS to the same identity source for hybrid authentication.
From Cloud Administration Console, go to Users > Identity Sources.
Click Add Identity Sources and then select an identity source.
Note: For hybrid authentication, ensure you connect CAS to the same identity source that Authentication Manager is connected to.
Fill the Basic Information and Connection Settings.
Under Directory Servers, click ADD.
Add the directory server details and then click Save.
Click Test Connection to verify if the configuration works. If the connection is successful, click Next Step.
Click Refresh Attributes and then click Next Step until you reach Save and Finish.
Click Publish Changes.
If you have completed adding an external identity source, skip the section below and continue with Synchronize the Identity Source.
Add an Internal Identity Source
You can choose to connect the Authentication Manager internal database as an identity source from either the Cloud Authentication Service (CAS) or Authentication Manager.
RSA Authentication Manager Internal Database Identity Source
CAS has the capability to utilize users stored in a single AM server's internal database as an identity source. While users can only be managed within the AM database, passwords can be bi-directionally synced and managed either in AM or CAS.
In the AM Security Console, when users are fully synchronized from internal database to CAS, a new "RSA Authentication Manager Internal Database" identity source will be created automatically in CAS. For more information, see the "User Synchronization" section in Chapter 6: Deploying Cloud Authentication in RSA Authentication Manager 8.7 SP2 Administrator's Guide. Only one identity source of this type can be configured per CAS tenant.
CAS allows users to change or reset their passwords, and their passwords are synchronized back to AM.
Procedure
In the Cloud Administration Console, click Users > Identity Sources.
Click Edit next to the "RSA Authentication Manager Internal Database" identity source.
The Identity Source Name field shows the Authentication Manager hostname, which is used as the default name for the "RSA Authentication Manager Internal Database" identity source. This name cannot be edited.
(Optional) In the Description field, enter a description for the identity source.
In the Password Type section, select one of the following options:
Select RSA Authentication Manager Server (synced to CAS) if you want users to authenticate on any sign-in page with the passwords synced from Authentication Manager to CAS; the Cloud Authentication Service stores and validates their passwords. This option is selected by default. Select whether the RSA Password is Required or Allowed.
Select No Password if you want an identity provider to authenticate users. In this case, the Cloud Authentication Service does not store or validate users' passwords. For information about configuring an identity provider, see Adding Identity Provider.
Data from the Internal Database
AM provides an internal database where you can create users and user groups. For users and user groups in the internal database, administrators can use the Security Console to do the following:
- Add, modify, and view user and user group data.
- Enable or disable AM functions, such as ODA and RBA, for individual users, including users whose accounts are in an LDAP directory.
Synchronize the Identity Source
From Cloud Administration Console, go to Users > Identity Sources.
Locate the identity source that you want to synchronize, click the arrow next to Edit, and select Synchronization.
Click Synchronize Now. The system synchronizes the identity sources.
Register an Authenticator
For Administrators
From Cloud Administration Console, go to Users > Management.
Search for and select the user to assign an authenticator.
Under Registration Code:
Select an authenticator.
Click Generate Code and provide the user with the generated code, organization ID, and Email ID.
For Users
The user must install the RSA Authenticator and then add an OTP credential by entering the details provided by the admin.
You can proceed with agent configuration and testing authentication from here, if you have installed standalone IDR.
To install and configure the agent, follow the instructions provided in RSA MFA Agent 2.3 for Microsoft Windows Installation and Administration Guide, or consult previous versions.
Configure the Agent to Use Modern MFA Methods
To configure the RSA MFA Agent installed on the Windows machine, do the following.
Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > RSA Desktop > RSA Settings.
Open Cloud Authentication Service Access Policy, add the access policy, and then click Apply.
Restart the RSA MFA Agent Service.
Test Authentication
Now that configuration is complete, users can authenticate with the modern methods (such as push notification, Approve, or OTP) that the administrator configured in the CAS access policy.
Log in to the protected resource, such as a computer or an application.
RSA sends a notification to your device as configured in the CAS Access Policy by the Administrator.
Respond to the notification. For example, if the notification is an Approve, tap Approve.
What to Do Next
To provide the MFA experience and High Availability (HA), administrators can set up the MFA experience for AM users by referring to:
Users can manage their authenticators and access applications by referring to: