Customize and Configure Domain Name

The Cloud Access Service (CAS) uses two primary types of domain names:

  • Auth domain names – Used for cloud-based authentication functions.

  • Access domain names – Used for CAS administration and all other purposes.

Each CAS tenant has domain names that follow these default patterns:

where access-part is the word "access" (for accounts in the US region), or "access-" followed by a region designator. For example, "access-in" for the India region.

auth-part is the word "auth" (for accounts in the US region), or "auth-" followed by a region designator. For example, "auth-anz" for the ANZ region.

See the following examples:

For a list of region designators used by CAS in domain names, see Test Access to Cloud Access Service.

Customize and Configure your Authentication Domain Name

Before you begin 

A custom domain name replaces the default authentication (auth) domain name for your tenant and is used for all cloud-based authentications. A custom domain name is used by:

  • RSA Authentication Manager (AM) when forwarding authentications to CAS on behalf of an agent or RADIUS client.

  • All relying party applications.

  • My Page portal.

  • All My Page SSO applications.

  • All RSA Multi-Factor Authentication (MFA) Agents that connect directly to CAS.

  • All RSA Authentication REST API authentications that connect to CAS.

Notes: 

  • Configuring a custom domain name does not affect access domain names.

  • Identity Routers use their own dedicated domain names to connect to CAS, including region-based access and auth domain names. These are not affected by configuring a custom domain name.

Procedure 

  1. In the Cloud Administration Console, click My Account > Company Settings > Customization Settings. The default domain name is displayed.

  2. In the Custom Domain Name field, type the new name (custom name) for your domain. Apart from the dots that separate its labels, the name may contain only the characters a-z, A-Z, 0-9, underscore and hyphen; spaces and special characters such as ^~@:;#$%^&*(),<> are not supported. The domain name must match the Common Name (CN) on the public certificate. For example, if your custom domain name is name.cloudsso.example.com, then name.cloudsso.example.com must appear as the certificate's Common Name. Make sure the same name is also present in the certificate's Subject Alternative Name (SAN) extension: most TLS clients validate the SAN and ignore the CN when a SAN is present, so a certificate that carries the name only in the CN will be rejected by those clients.

    Alternatively, you may use a wildcard certificate. A wildcard covers exactly one label in place of the asterisk. For example, if the wildcard certificate is *.cloudsso.example.com, then the domain name must follow this format:

    name.cloudsso.example.com or newdomainname.cloudsso.example.com (but not a.name.cloudsso.example.com, which has two labels in place of the asterisk).

    Note:  Custom Domain Name is case-insensitive.

  3. Click Choose File next to the Private Key and Public Certificate fields to browse and upload the required files. Public certificates must be issued by a trusted Certificate Authority (CA). For more information, see List of Trusted Certificate Authorities for HFED and Trusted Headers Applications. Self-signed certificates and certificates issued by an internal CA are not supported. Upload only the server certificate for the domain in the Public Certificate field; do not include any other part of the certificate chain. The private key must be the key that corresponds to that certificate.

    Note:  You are responsible for keeping the public certificate current. If the uploaded certificate expires, traffic to the custom domain name stops working until a new valid certificate is uploaded, so track the expiry date and renew before it is reached.

  4. Upload Certificate Chain according to the following scenarios: 

    • If the public CA uses intermediate certificates, those intermediate certificates must be uploaded in this field. Only intermediate certificates should be uploaded—do not include the root certificate.

    • If the CA does not use intermediate certificates, leave this field empty.

    • If the CA provides multiple intermediate certificates, combine them into a single file. The certificates must be ordered starting with the intermediate certificate that issued the server certificate, and ending with the intermediate certificate issued by the root CA.

    Note:  If you modify the Domain Name, you must re-upload the Private Key and the Certificate files before applying the changes.

  5. Confirm your domain ownership by performing the following steps.

    1. Click Generate TXT Record.

    2. Copy the generated TXT record, and then add it to the DNS server.

    3. Click Save Settings.

    4. Navigate back to My Account > Company Settings > Customization Settings.

    5. After the TXT record has propagated to all of your authoritative DNS servers, click Verify Domain. The domain is verified.

  6. Click Apply Changes. The Current Domain field indicates that the domain is live after the changes are applied successfully.

    Note:  Apply the changes only if RSA Authentication Manager (AM) or any of the application types listed above will use the custom domain name.

  7. Publish your changes.

    Note:  If you want to reset the customized domain name back to the default name, click Reset Domain and then publish your changes. After resetting the domain, manually remove the CNAME record that points your custom domain name at CAS from the DNS server.
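The upload in steps 2 to 4 is only checked when you click Apply Changes, so it pays to validate the three files first. The script below is an added example, not part of the RSA documentation or product: it checks that the Public Certificate file holds a single certificate, that the Private Key belongs to it, that it is not close to expiry, that it covers the custom domain name (SAN, with CN as fallback, wildcards honoured as a single label), that it is not self-signed, that the Certificate Chain file contains only intermediates in the order step 4 requires with no root, and finally that the whole path validates as a client would see it. It assumes openssl 1.1.1 or later on PATH. The make_fixture_pki function builds a constructed root, intermediate and leaf for name.cloudsso.example.com so the checks can be exercised offline; that fixture is test data only and would itself be rejected by CAS, because its root is private.

```shell
#!/bin/sh
# Pre-upload checks for the Private Key, Public Certificate and Certificate
# Chain files of a CAS custom auth domain. Added example, not RSA's code.
# Assumes openssl 1.1.1 or later on PATH. The fixture PKI built below is
# constructed test data only; CAS does not accept private or self-signed roots.
set -u

rc=0
fail() { echo "FAIL: $*"; rc=1; }
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*=//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^[a-z]*=//'; }

# check_bundle DOMAIN LEAF KEY CHAIN [TRUST_ANCHOR]
# Returns 0 only if every check passes; prints one FAIL line per problem.
# TRUST_ANCHOR is the root to verify against (omit it to use the system store).
check_bundle() {
  domain=$1 leaf=$2 key=$3 chain=$4 anchor=${5:-}
  rc=0

  # Step 3: the Public Certificate field takes the server certificate alone.
  n=$(grep -c 'BEGIN CERTIFICATE' "$leaf" || true)
  [ "$n" -eq 1 ] || fail "public certificate file holds $n certificates, expected exactly 1"

  # Step 3: the private key must belong to that certificate (compare public keys).
  [ "$(openssl x509 -in "$leaf" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || fail "private key does not match the public certificate"

  # Step 3 note: an expired certificate stops the custom domain; warn 30 days ahead.
  openssl x509 -in "$leaf" -noout -checkend 2592000 >/dev/null \
    || fail "certificate expires within 30 days (or has already expired)"

  # Step 2: the custom domain must be covered (SAN first, CN only as fallback;
  # a wildcard matches exactly one label, as clients apply it).
  openssl x509 -in "$leaf" -noout -checkhost "$domain" | grep -q 'does match' \
    || fail "certificate does not cover $domain"

  # Step 3: self-signed certificates are not supported.
  [ "$(cert_subject "$leaf")" != "$(cert_issuer "$leaf")" ] || fail "leaf certificate is self-signed"

  # Step 4: split the chain and walk it. Each entry must be the issuer of the one
  # before it, starting from the leaf, and none may be a root (self-signed).
  tmp=$(mktemp -d)
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} {print > (d "/c" n ".pem")}' "$chain"
  expect=$(cert_issuer "$leaf"); i=1
  while [ -f "$tmp/c$i.pem" ]; do
    s=$(cert_subject "$tmp/c$i.pem"); iss=$(cert_issuer "$tmp/c$i.pem")
    [ "$s" = "$expect" ] || fail "chain entry $i is '$s' but '$expect' was expected (wrong order or wrong CA)"
    [ "$s" != "$iss" ] || fail "chain entry $i is self-signed: remove the root certificate"
    expect=$iss; i=$((i + 1))
  done
  rm -rf "$tmp"

  # Finally build the full path as a client would: leaf -> chain -> trusted root.
  set -- "$leaf"
  if [ -s "$chain" ]; then set -- -untrusted "$chain" "$@"; fi
  if [ -n "$anchor" ]; then set -- -CAfile "$anchor" "$@"; fi
  openssl verify "$@" >/dev/null 2>&1 || fail "certificate path does not validate to a trusted root"
  return "$rc"
}

# make_fixture_pki DIR DOMAIN: constructed root -> intermediate -> leaf so the
# checks can run offline. The leaf carries DOMAIN and a one-label wildcard for
# its parent in its SAN. Also writes chain-with-root.pem, the mistake step 4 warns against.
make_fixture_pki() {
  dir=$1 domain=$2
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s,DNS:*.%s\n' "$domain" "${domain#*.}" > "$dir/leaf.ext"
  for name in root inter leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key"
  done
  openssl req -new -key "$dir/root.key" -subj "/CN=Constructed Demo Root" -out "$dir/root.csr"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  openssl req -new -key "$dir/inter.key" -subj "/CN=Constructed Demo Intermediate" -out "$dir/inter.csr"
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -days 1825 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
  openssl req -new -key "$dir/leaf.key" -subj "/CN=$domain" -out "$dir/leaf.csr"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" -CAcreateserial \
    -days 365 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
  cat "$dir/inter.pem" "$dir/root.pem" > "$dir/chain-with-root.pem"
}

# Stand-alone demo (run with "demo"): one correct upload set, then common mistakes.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); make_fixture_pki "$d" name.cloudsso.example.com
  echo "good set:";      check_bundle name.cloudsso.example.com "$d/leaf.pem" "$d/leaf.key"  "$d/inter.pem"           "$d/root.pem" && echo OK
  echo "root in chain:"; check_bundle name.cloudsso.example.com "$d/leaf.pem" "$d/leaf.key"  "$d/chain-with-root.pem" "$d/root.pem" || true
  echo "wrong key:";     check_bundle name.cloudsso.example.com "$d/leaf.pem" "$d/inter.key" "$d/inter.pem"           "$d/root.pem" || true
  echo "two labels under the wildcard:"; check_bundle a.name.cloudsso.example.com "$d/leaf.pem" "$d/leaf.key" "$d/inter.pem" "$d/root.pem" || true
  rm -rf "$d"
fi
```

For a real upload set, call check_bundle with the domain, the CA-issued certificate, its key and the intermediate bundle, and omit the fifth argument so that openssl verify uses the system trust store; a path that only validates when you hand it the CA's root explicitly is exactly the case CAS rejects. The checkhost test mirrors client behaviour, so a certificate that carries the name only in the CN while its SAN lists other names fails here just as it would in a browser.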

Updating Authentications After Configuring or Changing a Custom Domain

When a custom domain (CNAME) is configured, or when an existing custom domain name is changed, all authentications that use the current domain name must be updated to use the new custom domain name.

Until these updates are completed, affected authentications may fail. In some cases, offline or high availability authentication is used instead. The original company authentication domain remains reachable, but it no longer accepts authentications.

As a result: 

  • Authentication Manager (AM): The connection from AM to CAS must be re-established so that AM learns the custom URL. To do that:

    1. Perform steps in section "Connect Authentication Manager to CAS" on page Connect Your Cloud Access Service Deployment to Authentication Manager.

    2. Perform step 2 in section "Connect to the Cloud Access Service" on page Connect Authentication Manager to Cloud Access Service. Unless there is a need to change it, select the same Access Policy that was used previously. You can find the currently configured Access Policy Name in the AM primary’s Security Console, in Setup > System Settings > RSA Cloud Authentication Service Configuration.

  • MFA Clients: Any MFA Agent that connects to CAS must be updated to point to the custom URL.

  • Cloud (My Page) SSO Portal & Relying Party Applications: All configurations listed in Applications > My Applications and Authentication Clients > Relying Parties in the Cloud Admin Console will be updated automatically to show the custom domain URL once the CNAME is live. Configuration of the applications themselves must be updated to use the new URL.

  • RSA Authentication REST API: Client applications must be updated to use the new URL.

  • Any web proxy used by your network that allows the CAS authentication domain name must be modified to allow the custom domain name instead.

Note:  Identity Router (IDR): No impact, since IDRs do not use the authentication URLs.