Implementing Risk-Based Authentication
Complete the following tasks to implement risk-based authentication (RBA).
Before you begin
Choose a backup authentication method so that users can continue to access network resources if AM is unavailable or user authentication is unsuccessful. See Backup Authentication Method for Risk-Based Authentication.
Procedure
Update the Domain Name System (DNS) with entries for AM. For instructions, see Planning for Domain Name System Updates.
Specify the RBA policy for your deployment integration. For instructions, see Add a Risk-Based Authentication Policy.
Ensure high availability for RBA. See Backup Authentication Method for Risk-Based Authentication.
Obtain the RSA Authentication Agent software or third party product. See RSA Authentication Agents.
Deploy the RSA Authentication Agent software or third party product. See Deploying an Authentication Agent that Uses the UDP.
Use the implementation guide that you downloaded when you obtained the agent to configure your agent to pass authentication requests to and from AM.
Test the RBA integration. See Testing Your Risk-Based Authentication Integration.
Implementing Risk-Based Authentication
Complete the following tasks to implement risk-based authentication (RBA).
Before you begin
Choose a backup authentication method so that users can continue to access network resources if AM is unavailable or user authentication is unsuccessful. See Backup Authentication Method for Risk-Based Authentication.
Procedure
Update the Domain Name System (DNS) with entries for AM. For instructions, see Planning for Domain Name System Updates.
Specify the RBA policy for your deployment integration. For instructions, see Add a Risk-Based Authentication Policy.
Ensure high availability for RBA. See Backup Authentication Method for Risk-Based Authentication.
Obtain the RSA Authentication Agent software or third party product. See RSA Authentication Agents.
Deploy the RSA Authentication Agent software or third party product. See Deploying an Authentication Agent that Uses the UDP.
Use the implementation guide that you downloaded when you obtained the agent to configure your agent to pass authentication requests to and from AM.
Test the RBA integration. See Testing Your Risk-Based Authentication Integration.
Backup Authentication Method for Risk-Based Authentication
RSA recommends that you set up a replicated deployment of AM. A replica instance ensures high availability for risk-based authentication (RBA). If you do not use a replica instance, configure your web-based application to use a backup authentication method. A backup authentication method allows users to continue accessing network resources if AM becomes unavailable or user authentication is unsuccessful.
When RBA is configured for your web-based application, AM authenticates the user using the directory server and internal database in your environment. To ensure an effective backup method, plan to revert authentication configuration of the web-based application so that it authenticates users directly using the directory server.
The backup method that you use depends on your web-based application and the other products in your environment that are involved in user authentication workflow. Consider the following methods:
Use the original logon page for your web-based application.
Redirect users to the original logon page, or replace the modified logon page with the original version.
Using your web-based application, create a backup method that is specific to the user population that uses RBA.
Change the authentication workflow only for the user population, group, or domain that uses RBA.
Using your web-based application, create a backup method that is specific to the network resource that you are protecting with RBA.
Change the profile or policy for the network resource that you are protecting with RBA.
For more information, see your agent documentation.
Install the RBA Integration Script Template
If the RBA integration script template that you downloaded from https://www.rsa.com/en-us/products-services/identity-access-management/securid/authentication-agents is newer than the integration script template that is installed in AM, use the newer one. You must perform this procedure to find the version number in your deployment. The version number is located in the integration script template header, for example, <Version>1.0</Version>.
Before you begin
If you want to use SSH, enable SSH connectivity on the AM appliance. For instructions, see Enable Secure Shell on the Appliance.
Procedure
Using an SSH client or an SCP client, log on to the appliance using the operating system account User ID rsaadmin and password.
Copy the downloaded integration script template to the /opt/rsa/am/utils/rba-agents directory on the appliance.
Wait a few minutes for AM to refresh the list of integration script templates.
Verify that the version number in the header of the generated integration script (.js file) is the same as the version number in the header of the downloaded integration script template (.xml file). For example, look for <Version>1.0</Version> near the top of the generated .js file or the .xml template.
Repeat step 1 through step 3 for each agent.
After you finish
Related Articles
How to implement group security to limit access to web pages by Windows groups. Number of Views Add a Risk-Based Authentication Policy Number of Views RSA Governance & Lifecycle Recipes: Varonis - Best Practices for Planning and Implementing NTFS Permissions Number of Views Risk-Based Authentication Data Flow Number of Views Configure Silent Collection for a Risk-Based Authentication Policy Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Release Notes: Cloud Access Service and RSA Authenticators An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x RSA Release Notes for RSA Authentication Manager 8.8
