Welcome to your ID Plus trial.
You now have access to a trial environment made specifically for you. This environment covers the product’s C1 plan, which provides you with the following features:
- MFA and SSO for SaaS and web-based applications via SAML and OIDC, up to 10 applications
- Push notifications via the SecurID App and wearable devices
- One-time password (OTP) delivered on-demand through the SecurID App
- Passwordless authentication via FIDO2 and device biometrics, such as Apple Face ID, Android biometrics, and Windows Hello
- Self-service capabilities for users to enroll and manage their applications and authenticators
Identity Store support: RSA Cloud Directory, Azure AD
Throughout this playbook, we will walk you, as your organization’s administrator, through some basic feature configurations for the Cloud Administration Console step by step to help you get started. By the end of this playbook, you will be able to:
- Add a local identity source.
- Add a user to a local identity source.
- Add access policies with and without stepup and assign them to the identity source.
- Configure the users’ access to the RSA My Page portal.
- Show the user how to add an authenticator and test its functionality.
- Add applications to the RSA My Page portal.
- Add an access policy that requires additional authentication (i.e., stepup).
- Add an access policy with a condition that has to be met for the user to access an application.
- Show the user how to access the applications from the RSA My Page portal complying with the access policies assigned.
With the ID Plus C1 plan, the features of setting up a RADIUS application or configuring an identity router (IDR) are not available.
Note: The steps performed and data used throughout this playbook are for trial purposes and are not intended to provide the highest level of security. You may perform different actions or select different parameters depending on your need for ID Plus within your organization.
1. Add an Identity Source
First, we will add a local identity source that acts as a directory to store your users.
1. From the Administration Console’s header, click Users.
2. From the drop-down list, select Identity Sources.
3. Click the Add Identity Source button.
4. Next to Local, click the Select button.
5. In the Identity Source Name box, type, for example, Local Directory.
6. Click Save from either the top or bottom of the page.
The identity source is added successfully and you can perform any of the following actions.
7. From the top right, click Publish Changes to activate the identity source.
The identity source is now active. Proceed with the following actions.
2. Add a User
The system enables you to add users individually or in bulk. Bulk users are imported through a CSV file whose template is available for download. Through the following steps, we will cover adding an individual user.
1. From the Administration Console’s header, click Users and then Management.
2. On the top right, click Add a User.
Note: The Identity Source is already selected as it’s the only source available in this environment.
3. In the First Name box, type, for example, John.
4. In the Username box, type, for example, Smith.
5. In the Email Address box, type, for example, john.smith@rsa.com.
6. From the Password Creation list, select the method by which you want this user to sign in.
7. In the Password box, type the password you want to assign to this user.
8. In the Confirm Password box, type the password again.
Note: The password must contain from 10 to 64 characters in the usual deployment or 15 characters in the SecurID® Federal. The password must not include any of the following:
- Ascending or descending sequence of letters or numbers.
- A commonly used password.
You cannot repeat any of the last twenty-four passwords. When prompted, at least half of the new characters in the new password must differ from the previous password.
9. Click Create User from either the top or bottom of the page.
The user is created successfully and their profile is displayed.
Now that the user is added, you can search for them on the Management page by typing at least 3 characters in the search box.
3. Add Access Policies
Access policies reference identity sources and can be assigned to applications. Policies can have rules that enable you to specify which users have access, their type of access, and whether additional authentication is required. The system provides preset policies which can be modified. But for this exercise, we will show you how to customize a policy.
There are two types of policies:
- 1.0 Access Policies: These can be used for configuring only additional authentication methods. You can individually configure only an additional authentication method for each resource assigned to a policy without adding a primary authentication method. This type of policy can be assigned to an application.
- 2.0 Access Policies: These can be used for primary authentication. They allow you to define both primary and additional authentication options within the same access policy. You can configure a primary authentication method for a set of resources that use the same access policy. This type of policy cannot be assigned to an application.
Let's add a policy of each type.
1. From the Administration Console’s header, click Access and then Policies.
2. From the top right, click Add a Policy.
3. In the Name box, type No Stepup.
4. Click Next Step.
5. Select the check box next to the identity source we added.
6. Click the Rule Sets tab from the panel on the left.
7. Under Primary Authentication, select Enable.
8. From the Default Method list, select Password.
9. Click Next Step.
10. Under Target Population, click All Users.
11. Click Save and Finish from either the top or bottom of the page.
Note: This policy’s details are just for trial purposes. It doesn’t depict the highest levels of security.
You can now publish the changes made.
12. From the top right, click Add a Policy.
13. Add the same details as the policy previously created with the following differences:
- Name: Stepup
- Primary Authentication: Disabled
14. Click Save and Finish.
You can now publish the changes made.
4. Enable My Page

After we add a customized policy, we can start configuring the users’ My Page, which contains the following features:
- My Applications: Enabling this feature provides the user with a page that helps them manage their authentication methods.
- My Authenticators: Enabling this feature provides the user with a page that gives them access to all the applications you assign to them.
You can also assign policies to My Page and determine the authentication method by which the user can have access.
1. From the Administration Console’s header, click Access and then My Page.
2. Under My Applications, click Enable.
3. From the 2.0 Access Policy for Authentication drop-down list, select No Stepup.
4. From the left panel, click the My Authenticators tab.
5. Under My Authenticators, click Enable.
6. From the 1.0 Access Policy for Authentication drop-down list, select Stepup.
7. Under the Configuration section, select the following radio buttons:
- Deleting authenticators
- RSA Authenticator app
8. Click Save from either the top or bottom of the page.
9. From the top right, click Publish Changes.
You can provide the user with the URL displayed on the My Page configuration page. This URL directs them to their RSA My Page to access their authenticators and applications.
5. Register an Authenticator as a User

Your organization’s users can access My Page. We can now show the user how to add an authenticator using their mobile devices.
1. Enter the My Page URL into your browser.
2. Click OK on the warning message that appears.
Note: You might be asked by your browser to allow location sharing.
3. Enter the User ID and Password created by the administrator and click Submit. You will be prompted to change the password.
4. Fill in the displayed fields and click Submit.
5. Enter the new password and click Submit.
6. Read the displayed message carefully and, based on your preference, select the checkbox, and click Continue.
Note: Selecting this checkbox enables the system to recognize this browser as a known one used by you to access My Page.
The RSA page opens displaying 0 applications as the administrator has not added any yet.
7. From the side panel, click the My Authenticators tab.
8. Click the Register an authenticator button.
9. Click the SecurID App button.
10. Follow the steps displayed to install the application on your device, and then click Next.
11. Open the application on your device and tap Get Started.
12. Scan the QR code on the left or manually enter the details on the right of your My Page.
A success message appears stating that the credential information has been imported.
My Page confirms the device’s registration.
13. Click Test Now to verify the authentication is working.
Your device receives a sign-in approve request.
14. Enter the Confirmation Code and tap to approve the request.
The authentication is approved, and you can now see the device added to the My Authenticators page.
6. Add Applications
Let’s add sample applications to the users’ portal. The system provides you with a catalog that has different templates of connectors depending on your applications. Here, we are going to add SAML Direct applications using the data for a sample application provided by RSA.
1. From the Administration Console’s header, click Applications and then My Applications.
2. From the top right, click Add an Application. You will be redirected to the Application Catalog page.
3. From the top right, click Create From Template.
4. Click Select next to SAML Direct.
5. In the Name box, type your application’s name, for example, RSA Sample Application.
6. Click Next Step.
7. Under Initiate SAML Workflow, select IdP-initiated.
8. Open a new tab on your browser and enter this URL: sptest.iamshowcase.com.
9. From the website’s header, click Instructions and then IDP initiated SSO.
10. Click the DOWNLOAD METADATA button. A page opens in your browser displaying the XML file’s content.
11. Right click the page and click Save as to save the file to your machine.
12. Go back to the Cloud Administration Console and, under Data Input Method, click Import Metadata.
13. Click the Choose File button and browse to the downloaded file to open it.
The file’s information is displayed.
14. Click Save.
15. Click Next Step.
16. From the Select a Policy drop-down list, select No Stepup.
17. Click Next Step and then Save and Finish.
The application is added successfully.
We will use the same steps we performed above to create another application. We will make different configurations to differentiate between both applications.
18. For the second application, repeat steps 1-13, except the following:
a. Name the application RSA Sample Application 2.
b. On the Connection Profile page of the application, under the Service Provider section, change the Service Provider Entity ID to IAMShowcase2.
c. Under the Statement Attributes section, in the Default Relay State box, enter Blue.
This will change the RSA sample application’s color theme to blue.
19. For the access policy, let’s select Stepup for now.
After both applications are saved, the My Applications page should appear as follows:
20. From the upper right corner, click Publish Changes.
When the user logs into their My Page, it displays the applications as follows:
They can open the application with no authentication required, as the Stepup access policy is applied with no additional authentication yet.
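Before importing service provider metadata (steps 10 to 13), it helps to confirm what the file actually declares. The following Python check is an added example, not part of the RSA playbook or product; the sample XML, `ExampleSP`, and `sp.example.test` are constructed placeholders, not the real sample application's metadata.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample, NOT the file served by the sample application.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="ExampleSP">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def review_sp_metadata(xml_text, expected_entity_id=None):
    """Return (summary, findings) for a SAML SP metadata document."""
    # Refuse DTDs before parsing: SAML metadata never needs them, and
    # they are the vehicle for entity-expansion attacks on XML parsers.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata contains a DTD; refusing to parse")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")

    findings = []
    entity_id = root.get("entityID")
    if expected_entity_id and entity_id != expected_entity_id:
        findings.append(
            f"entityID is {entity_id!r}, expected {expected_entity_id!r}")

    # The ACS URL is where the IdP will deliver signed assertions.
    acs = []
    for el in root.iter(f"{{{MD}}}AssertionConsumerService"):
        location = el.get("Location", "")
        acs.append((el.get("Binding", ""), location))
        if urlparse(location).scheme != "https":
            findings.append(f"ACS URL is not HTTPS: {location}")
    if not acs:
        findings.append("no AssertionConsumerService endpoint found")
    return {"entity_id": entity_id, "acs": acs}, findings


if __name__ == "__main__":
    summary, findings = review_sp_metadata(SAMPLE_METADATA, "ExampleSP")
    print(summary)
    print(findings or "no findings")
```

Compare the reported entity ID and ACS URL with the values shown in the Connection Profile after the import.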
7. Add Additional Authentication

As the user can now log in to My Page and access applications using only their password, which we configured as the primary authentication method, let’s add a new policy that allows them to use authenticators. The system provides the user with various authentication methods:
- Biometric
- Push notification
- OTP
Before adding another access policy with additional authentication, let’s get familiar with assurance levels. The system provides 3 levels of assurance. Each level has default sets of authentication methods.
To view assurance levels:
- From the Administration Console’s header, click Access and then Assurance Levels.
This is how assurance levels work when assigned to a policy:
- If you assign a policy with a low assurance level, the user can authenticate using any of this level’s methods. The user with this assurance level can also use the authentication methods for the medium and high levels.
- If you assign a policy with a medium assurance level, the user can authenticate using any of this level’s methods. The user with this assurance level can also use the authentication methods for the high level.
- If you assign a policy with a high assurance level, the user can authenticate using any of this level’s methods. The user with this assurance level can't use the authentication methods for any other level.
Note:
- The system prompts you to authenticate with the last method you used, as it considers it a preferred method.
- The system checks whether you have the device that enables you to use the authentication method. If the device is not configured, the authentication method is skipped.
- FIDO is a passwordless standard that provides easy, phishing-resistant authentication. We support the FIDO-supported third-party authenticators which are security keys (now called device-bound passkeys), Windows Hello, and Android 7.0 or higher phones.
Now that you’re familiar with assurance levels, let’s modify the Stepup policy added in the Add Access Policies section.
1. From the Administration Console’s header, click Access and then Policies.
2. Next to the Stepup policy, click Edit.
3. From the left panel, click the Rule Sets tab and then, under Additional Authentication, select Required.
4. From the Assurance Level drop-down list, select Low.
All authentication methods for the selected assurance level are displayed.
5. Click Save and Finish from either the top or bottom of the page.
The policy is added successfully, and you can now apply it to an application or the user’s My Page.
6. From the top right, click Publish Changes.
8. Add a Conditional Policy

As the user already tried logging in using the Approve authentication method, let’s make changes to the low assurance level and add a new conditional policy to see how it affects the user’s authentication.
1. From the Administration Console’s header, click Access and then Assurance Levels.
2. Under Low Assurance Level, click the negative button next to the first three methods to remove them, leaving QR Code as the first method.
3. Click the ADD button.
A new row is added to represent a new method.
4. Click the method’s drop-down list and select Approve.
Your screen should look like this
5. Click Save from either the top or bottom of the page.
6. From the top right, click Publish Changes.
Note: This change will also affect the Stepup policy.
We will now add a new policy for the RSA Sample Application 2. We will add an access condition to this policy. We will also determine the action taken if this condition is not met.
1. Follow the same steps for adding a policy and name this one Conditional Stepup.
2. On the Rule Sets page for the policy, under Target Population, select All Users.
3. Under Access Details, click Conditional.
The conditions table appears as follows:
4. Click the ADD button.
5. From the Attributes list, select IP Address.
Note: This environment covers the features of the ID Plus C1 plan, which only allows the use of IP Address as an attribute for a conditional policy. To use any of the other attributes available in the list, you can upgrade to our E1, E2, or E3 plans which provide the following attributes:
For more information about ID Plus plans, you can contact the RSA Sales team through our website https://www.rsa.com/contact/.
6. From the Value list, select Matches.
7. In the next box, type your Public/External IP address.
Note: To acquire your public IP address, you can use Google to search for My IP address.
8. From the Action list, select Authenticate.
9. From the Assurance Level list, select Medium.
10. Click Save.
11. Next to No matching condition, click the edit button.
12. From the Action list, select Allow access.
13. Click Save.
14. On the policy’s page, click Save and Finish.
15. Assign this policy to the RSA Sample Application 2.
16. Click Publish Changes.
9. Testing Authentication as a User

As the access policies created are assigned to the applications we added, let the user test their access to these applications and use the assigned authentication methods.
1. Log on to My Page.
2. Click the RSA Sample Application.
You will be prompted to authenticate using the methods set by the administrator for the Stepup access policy and the low assurance level.
Your screen should look like this. Click Show more to display other available authentication methods.
3. Scan the QR code through your SecurID application.
Authentication is successful and you now have access to the RSA Sample Application.
4. Go back to My Page and click the RSA Sample Application 2.
You were able to access this application before with no authentication as it had the No Stepup policy assigned. Now that this application has the Conditional access policy assigned, the system recognizes that your public IP address matches the condition. Therefore, authentication is required using the medium assurance level methods.
If the user tries to access the application from a different IP address, the application opens without authentication and is displayed with the different relay we set above.
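The outcome above follows from how assurance levels (section 7) and the conditional rule (section 8) combine. The following Python model is an added example, not RSA code: it is a simplified sketch in which the medium and high method lists, the first-match ordering, the `HARDENED` variant, and the addresses (documentation ranges) are assumptions.

```python
import ipaddress

LEVELS = ["low", "medium", "high"]  # ascending strength

# Constructed method lists. Low mirrors the edit made in section 8; the
# medium and high entries are assumptions, not RSA defaults.
METHODS = {
    "low": ["QR Code", "Approve"],
    "medium": ["Device Biometrics"],
    "high": ["FIDO"],
}


def methods_for(level):
    """Methods accepted at `level`: its own plus every higher level's."""
    start = LEVELS.index(level)
    return [m for lvl in LEVELS[start:] for m in METHODS[lvl]]


def evaluate(policy, client_ip):
    """Return (action, accepted_methods) for the first matching condition."""
    addr = ipaddress.ip_address(client_ip)
    for cond in policy["conditions"]:
        if addr in ipaddress.ip_network(cond["ip"], strict=False):
            rule = cond
            break
    else:
        rule = policy["no_match"]  # the "No matching condition" row
    if rule["action"] == "authenticate":
        return "authenticate", methods_for(rule["level"])
    return rule["action"], []


# Conditional Stepup as configured in section 8; 203.0.113.10 stands in
# for the administrator's public IP address.
CONDITIONAL_STEPUP = {
    "conditions": [
        {"ip": "203.0.113.10", "action": "authenticate", "level": "medium"},
    ],
    "no_match": {"action": "allow"},
}

# Hypothetical variant: unrecognized networks must authenticate at the
# high level instead of being allowed straight through.
HARDENED = {
    "conditions": CONDITIONAL_STEPUP["conditions"],
    "no_match": {"action": "authenticate", "level": "high"},
}

if __name__ == "__main__":
    for name, policy in (("trial", CONDITIONAL_STEPUP), ("hardened", HARDENED)):
        for ip in ("203.0.113.10", "198.51.100.7"):
            print(name, ip, evaluate(policy, ip))
```

With the trial settings, every address other than the listed one reaches the application with no additional authentication, which is why the no-match action deserves review before a rule like this is reused outside a trial.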