RSA Authentication Manager Secure Proxy Server for Cloud Authentication Service
You can use RSA Authentication Manager (AM) 8.5 and later as a secure proxy server that sends authentication requests to Cloud Authentication Service (CAS). This feature offers the following benefits:
- Creates one secure connection to CAS for authentication requests as opposed to connecting to CAS with many authentication agents.
There is no need to configure firewall rules for multiple authentication agents. You can prevent certain users from accessing external resources, but allow these users to authenticate to CAS through AM.
- Supports all authentication methods supported by REST protocol authentication agents, whether verified by AM or CAS.
- Provides high availability using Authenticate Tokencode or RSA SecurID passcodes when RSA Authentication Manager cannot communicate with CAS.
- Supports offline authentication to AM or CAS for the authentication agents that support this feature.
- Supports passwordless authentication when AM functions as a secure proxy for CAS. This feature is supported from AM 8.9 onwards and works with the MFA Agent for Windows.
RSA Authentication Manager 8.5 or later enables this feature by default when you connect to CAS or upgrade a deployment that was previously connected with RSA Authentication Manager 8.4 Patch 4 or later. To configure this feature, including enabling Send multifactor authentication request to the Cloud on the Cloud connection, see Configure RSA Authentication Manager as a Secure Proxy Server for Cloud Authentication Service.
The following table shows the possible deployment options. For more specific information, see your authentication agent documentation.
| Scenario | Authentication Methods | High Availability |
|---|---|---|
| Direct connection to RSA Authentication Manager 8.5 or later with the UDP protocol or the REST protocol. RSA Authentication Manager is not connected to CAS. | AM handles authentication, for example, RSA SecurID hardware and software tokens, on-demand authentication, and AM emergency access methods. | Does not apply. |
| Direct connection to CAS with the REST protocol. AM is not connected to CAS. | CAS handles authentication, for example, Approve, Device Biometrics, Authenticate Tokencode, RSA SecurID hardware and software tokens, Emergency Tokencode, SMS Tokencode, and Voice Tokencode. | Does not apply. |
| Direct connection to RSA Authentication Manager 8.5 or later with the UDP protocol or the REST protocol. AM is connected to CAS. | AM validates RSA SecurID hardware and software tokens that are managed in AM, on-demand authentication, and AM emergency access methods. When a user authenticates by using a cloud-managed method and the connection to CAS is available, AM forwards the authentication request to CAS. Cloud-managed methods include Authenticate Tokencode, Approve, Device Biometrics, and SecurID 700 tokens that are managed in CAS. AM automatically downloads High Availability Tokencode records from CAS by using a batch job that runs each day. | When CAS or the connection from AM to CAS is unavailable and High Availability (HA) Tokencode is enabled, AM validates Authenticate Tokencodes locally by using downloaded HA Tokencode records. SecurID 700 tokens that are managed in AM support high availability because the token records are already available in AM. SecurID 700 tokens that are managed in CAS support high availability when token records are available in AM, regardless of whether HA Tokencode is enabled. |
| Direct connection to CAS with the REST protocol is updated to use RSA Authentication Manager 8.5 or later as a secure proxy server. AM is connected to CAS. | Applications send authentication requests to AM by using the REST protocol. When the Initialize request includes a cloud access policy or assurance level, AM treats the request as a proxy request and forwards the authentication flow to CAS. CAS evaluates the access policy or assurance level and determines the authentication methods, which can include Approve, Device Biometrics, Authenticate Tokencode, SecurID 700 tokens that are managed in CAS, Emergency Access Code, SMS Tokencode, and Voice Tokencode. If a connection from CAS to AM is configured, CAS can invoke AM to perform step-up authentication with RSA SecurID hardware or software tokens that are managed in AM. | When CAS or the connection from AM to CAS is unavailable, AM cannot act as a secure proxy server to CAS. In this state, AM validates Authenticate Tokencodes and SecurID tokencodes locally by using downloaded tokencode records when user records are present in AM. AM does not evaluate cloud access policies or assurance levels. |
| RADIUS client agent directly connected to RSA Authentication Manager 8.5 or later. AM is connected to CAS. | The RADIUS client sends authentication requests to AM. AM validates RSA SecurID hardware and software tokens that are managed in AM, on-demand authentication, and AM emergency access methods. When a user authenticates by using a cloud-managed method and the connection to CAS is available, AM forwards the authentication request to CAS. When the RADIUS client is configured for the Cloud MFA Experience and linked to a CAS RADIUS access policy, CAS validates cloud-managed methods including Approve, Authenticate Tokencode, Device Biometrics, SMS Tokencode, Voice Tokencode, Emergency Access Code, and SecurID Tokencode (including SecurID 700 tokens that are managed in CAS). | When CAS or the connection from AM to CAS is unavailable and HA Tokencode is enabled, AM validates tokencodes locally for RADIUS users by using downloaded HA Tokencode records. This includes Authenticate Tokencodes and SecurID tokencodes from both AM-owned and Cloud-owned tokens, such as SecurID 700, when user data is available. When CAS is unreachable and the Cloud MFA Experience is enabled for the RADIUS client, modern cloud authenticators (for example, Approve, Device Biometrics, SMS Tokencode, Voice Tokencode, and Emergency Access Code) are not offered. AM prompts the user to enter a tokencode only. SecurID 700 tokens that are managed in AM support HA because the token records are already available in AM. SecurID 700 tokens that are managed in CAS support HA when token records are available in AM, regardless of whether HA Tokencode is enabled. |
High Availability Tokencode for the Secure Proxy Server
When AM acts as a secure proxy server for CAS and the high availability feature is configured, users can access RSA SecurID protected resources when CAS or the connection is temporarily unavailable or too slow.
AM automatically downloads High Availability Tokencode records from CAS. AM determines if CAS is reachable, and if local authentication is needed.
When CAS is not reachable, authentication proceeds as follows:
- Authentication agents prompt users for Authenticate Tokencode or RSA SecurID passcode.
- The access policy in CAS is not applied. For example, a user who normally authenticates with Approve or Device Biometrics is prompted for Authenticate Tokencode or RSA SecurID passcode.
- If the Authenticate Tokencode is in Next Token mode or New PIN mode, AM uses the downloaded tokencode records to successfully authenticate.
- AM determines whether a user is enabled, disabled, or locked. User status from CAS is not available until the connection is restored.
- If CAS is not reachable from AM, RSA MFA Agents that are configured for passwordless authentication use previously downloaded day files to complete authentication. This offline fallback applies only to agents performing passwordless authentication.
Authentication records and information about the status of communication between AM and CAS are recorded in log files and in the AM System Activity Monitor.
An internal REST protocol agent called @#RSAHighAvailability_#@_InternalAgent1#@ provides High Availability Tokencodes to users when the connection to CAS is not available. You cannot edit, enable, disable, or delete this internal agent.
For configuration instructions, see Configure High Availability OTP.
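The routing and fallback rules from the deployment table and the High Availability section above, encoded as a small decision model. This is an added illustration, not RSA product code: the `Deployment` and `Request` classes, their field names, and the returned `handler` strings are assumptions chosen to mirror the page's rules for scenarios where agents connect through AM (the direct-to-CAS scenario is not modelled).

```python
from dataclasses import dataclass

# Cloud-managed methods that only CAS can evaluate (from the deployment table).
CLOUD_METHODS = {"Approve", "Device Biometrics", "Authenticate Tokencode",
                 "SMS Tokencode", "Voice Tokencode", "Emergency Access Code"}
# Methods AM validates itself for the tokens and users it manages.
AM_METHODS = {"SecurID passcode", "On-demand authentication", "AM emergency access"}


@dataclass
class Deployment:                  # assumed model of the AM side of the deployment
    am_connected_to_cas: bool      # Cloud connection configured in AM
    cas_reachable: bool            # AM can currently talk to CAS
    ha_tokencode_enabled: bool     # High Availability Tokencode feature switched on
    ha_records_downloaded: bool    # daily batch job has pulled HA Tokencode records


@dataclass
class Request:                           # assumed model of one authentication request
    protocol: str                        # "REST", "UDP" or "RADIUS"
    cloud_policy_or_assurance: bool = False  # Initialize carries a cloud access policy/assurance level
    cloud_mfa_experience: bool = False   # RADIUS client linked to a CAS RADIUS access policy
    cloud_managed_method: bool = False   # user chose a CAS-managed method (Approve, Authenticate Tokencode, ...)
    token_records_in_am: bool = False    # the user's SecurID 700 token record is present in AM


def route(dep: Deployment, req: Request) -> dict:
    """Return who validates the request, whether a cloud policy is evaluated,
    and which methods can be offered, following the table's rules."""
    needs_cas = (req.cloud_policy_or_assurance or req.cloud_mfa_experience
                 or req.cloud_managed_method)
    if not dep.am_connected_to_cas or not needs_cas:
        # AM-only path: AM validates locally and no cloud policy is involved.
        return {"handler": "AM", "policy_evaluated": False, "methods": set(AM_METHODS)}
    if dep.cas_reachable:
        # Proxy path: AM forwards the flow; CAS applies the policy and picks the methods.
        policy = req.cloud_policy_or_assurance or req.cloud_mfa_experience
        return {"handler": "CAS", "policy_evaluated": policy,
                "methods": CLOUD_METHODS | {"SecurID Tokencode"}}
    # CAS unreachable: no proxying, no policy; only tokencodes AM can check locally.
    methods = set()
    if dep.ha_tokencode_enabled and dep.ha_records_downloaded:
        methods.add("Authenticate Tokencode")   # validated from downloaded HA Tokencode records
    if req.token_records_in_am:
        methods.add("SecurID Tokencode")        # token record already in AM; HA flag is irrelevant
    return {"handler": "AM (HA fallback)", "policy_evaluated": False, "methods": methods}
```

An empty `methods` set in the fallback result means the user has nothing AM can validate locally until the CAS connection is restored, which is the case to watch for when HA Tokencode is disabled or the daily download has not yet run.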
Offline Authentication for RSA Authentication Agents
When you use RSA Authentication Manager as a secure proxy server, some authentication agents support offline authentication to CAS:
- Offline emergency access codes can be automatically downloaded for users who access the authentication agent. Users can continue to authenticate if the connection to AM or CAS is not available. For more information, see Emergency Tokencode.
- Authentication agents automatically download offline data day files through AM for uninterrupted authentication to CAS. If an authentication agent is unable to access AM, then the authentication agent uses the downloaded day files for authentication. For instructions on configuring offline authentication, see your agent documentation.