Quick Setup - Connect Authentication Manager to Cloud Access Service with an Embedded Identity Router
This guide helps you quickly set up your production deployment for Cloud Access Service (CAS) with an embedded identity router in Authentication Manager (AM).
An embedded Identity Router can be used for CAS access to Active Directory and LDAPv3 directory, and can also be used by CAS to access AM to process authentications with SecurID tokens and other types of authenticators assigned to users in AM. By downloading and configuring the embedded identity router to the AM primary instance and each replica instance, you can save the time and cost of deploying separate identity routers in your network for these functions.
An embedded IDR provides the following two functions to CAS:
- Active Directory and LDAPv3 identity source user synchronization and password verification
- Connectivity to AM for verification of OTPs for authenticators assigned to users in AM
These two functions may be required when processing a CAS-managed authentication, such as Relying Party, SSO, MFA Agent or AM integration.
Note: The embedded identity router does not support authentication to applications through RADIUS in the Cloud Access Service, nor IDR-Based single sign-on (SSO) Web Applications using the RSA Application Portal. To use IDR-based RADIUS or IDR-based SSO, you must deploy at least one identity router on another platform.
To deploy an identity router, perform these steps:
Step 1: Plan
Review the Planning Guide for a conceptual overview of CAS.
What You Need to Have
| Item | Description |
|---|---|
| Authentication Manager | AM must be deployed in your environment. |
| A CAS account with sign-in credentials for the Cloud Administration Console. | If you do not already have an account, contact RSA Sales. |
| An identity source (Active Directory, LDAPv3, or AM internal database) supported by your current version of AM. | Create a group of a limited number of users (for example, SecurID Test Group) to synchronize and test with. |
| SSL/TLS certificate from your LDAP directory servers (if used) | Used for an encrypted connection (LDAPS) to your directory servers. Download the SSL/TLS certificate from your directory server. If your directory servers do not have a certificate, install one to protect the connection with LDAPS. Or, use LDAP instead. See Cloud Access Service Certificates. Note: Both Active Directory and LDAPv3 directory servers are accessed by the IDR using LDAP or LDAPS protocols. Both types of identity sources are referred to as "LDAP" in this guide. |
| A mobile device or Windows or macOS PC | See RSA Authenticator App Device Requirements in Cloud Access Service User System Requirements. |
What You Need to Know
RSA uses a hybrid architecture that consists of two components:
- CAS, which provides an easy-to-use Cloud Administration Console and a powerful identity assurance engine.
- An (optional) identity router (IDR) that does the following:
  - Connects CAS to your identity sources.
  - (Not supported by embedded IDRs) Sends authentication requests to CAS for validation when the IDR SSO Agent or RADIUS is configured in CAS.
  - (Not supported by embedded IDRs) Enforces access policies to determine which applications users can access, when additional authentication is needed, and which authentication methods are required when the IDR SSO Portal is configured.
  - Optionally connects to AM. This allows users with AM-assigned authenticators to use those authenticators to access applications managed by CAS.
You are deploying an embedded identity router, which is easier to set up than a standalone identity router.
Note that embedded IDRs do not support the IDR SSO Agent or Cloud Access Service RADIUS. To use either of those CAS features, a standalone identity router (not embedded in AM) is required. See Identity Router Platforms in Identity Router for alternatives.
Add your values to the following worksheet. You will use this information later.
| Item | Notes | Your Values |
|---|---|---|
| Cloud Administration Console and Cloud Access Service | Region-specific domain names; see the example URLs below. Your authentication service domain appears in the Cloud Administration Console on the Platform > Identity Router > Registration page when you add an identity router. | |
| Telemetry | telemetry.access.securid.com | |
| Embedded identity router | The embedded IDR download is served from Azure blob storage. A list of dynamic IP addresses used for .blob.core.windows.net is available under the AzureStorage (systemService) entries in the Azure IP Ranges .json file, available for download at https://www.microsoft.com/en-us/download/details.aspx?id=56519. For federal deployments, the IP addresses used for .blob.core.usgovcloudapi.net are available at https://www.microsoft.com/en-us/download/details.aspx?id=57063. | |
| LDAP directory server | Directory server addresses and the base DN for users. | |
The following are example URLs using the region-specific domain names:
- US deployment: tenantName-idr-useast.auth.securid.com, tenantName-idr-useast.access.securid.com, tenantName-idr-uswest.auth.securid.com, tenantName-idr-uswest.access.securid.com
- ANZ deployment: tenantName-idr-auc.auth-anz.securid.com, tenantName-idr-auc.access-anz.securid.com, tenantName-idr-auc2.auth-anz.securid.com, tenantName-idr-auc2.access-anz.securid.com
- EMEA deployment: tenantName-idr-euwest.auth-eu.securid.com, tenantName-idr-euwest.access-eu.securid.com, tenantName-idr-eun.auth-eu.securid.com, tenantName-idr-eun.access-eu.securid.com
- Federal deployment: tenantName-idr-govva.auth.securidgov.com, tenantName-idr-govva.access.securidgov.com, tenantName-idr-govaz.auth.securidgov.com, tenantName-idr-govaz.access.securidgov.com
- India deployment: tenantName-idr-inc.auth-in.securid.com, tenantName-idr-inc.access-in.securid.com, tenantName-idr-ins.auth-in.securid.com, tenantName-idr-ins.access-in.securid.com
- Japan deployment: tenantName-idr-jpe.auth-jp.securid.com, tenantName-idr-jpe.access-jp.securid.com, tenantName-idr-jpw.auth-jp.securid.com, tenantName-idr-jpw.access-jp.securid.com
- Canada deployment: tenantName-idr-cac.auth-ca.securid.com, tenantName-idr-cac.access-ca.securid.com, tenantName-idr-cae.auth-ca.securid.com, tenantName-idr-cae.access-ca.securid.com
- Singapore deployment: tenantName-idr-sea.auth-sg.securid.com, tenantName-idr-sea.access-sg.securid.com, tenantName-idr-aue.auth-sg.securid.com, tenantName-idr-aue.access-sg.securid.com
Make sure the wildcard base authentication and access domain names are allowed if you use DNS firewall rules, so that identity routers can connect to the Cloud using the region-specific domain names.
Note: The embedded IDR uses the DNS servers configured on AM. Check the Network Settings in AM so that AM can resolve windows.net domain names and the IDR can resolve internal and external domain names, including the securid.com names used for CAS. To check the status of your identity router's Cloud connections, see View Identity Router Status in the Cloud Administration Console. To test access to the IP addresses, see Test Access to Cloud Access Service.
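The worksheet asks you to allow the wildcard auth and access domains and then confirm that the tenant-specific hostnames are reachable. The following added example (not RSA code) derives the hostnames for a tenant and region from the table of example URLs above, reports which of them a URL-filter allowlist does not cover, and offers an optional live probe (DNS resolution plus a certificate-verified TLS handshake on TCP 443) to run from the AM host's network. The tenant name "acme" and the sample allowlist are constructed for illustration.

```python
"""Allowlist coverage check for the region-specific CAS hostnames.

Added example for this guide (not RSA code). REGIONS mirrors the example URLs
in the worksheet above; the tenant name "acme" and the sample allowlist are
constructed for illustration. probe() is a live check (DNS + verified TLS
handshake) to run from the AM host's network; nothing else needs network.
"""
import fnmatch
import socket
import ssl

# region -> (auth base domain, access base domain, datacenter labels), from the worksheet
REGIONS = {
    "us":        ("auth.securid.com",     "access.securid.com",     ("useast", "uswest")),
    "anz":       ("auth-anz.securid.com", "access-anz.securid.com", ("auc", "auc2")),
    "emea":      ("auth-eu.securid.com",  "access-eu.securid.com",  ("euwest", "eun")),
    "federal":   ("auth.securidgov.com",  "access.securidgov.com",  ("govva", "govaz")),
    "india":     ("auth-in.securid.com",  "access-in.securid.com",  ("inc", "ins")),
    "japan":     ("auth-jp.securid.com",  "access-jp.securid.com",  ("jpe", "jpw")),
    "canada":    ("auth-ca.securid.com",  "access-ca.securid.com",  ("cac", "cae")),
    "singapore": ("auth-sg.securid.com",  "access-sg.securid.com",  ("sea", "aue")),
}


def cas_hostnames(tenant, region):
    """Both the auth and the access hostname for each datacenter of a region."""
    auth, access, datacenters = REGIONS[region]
    hosts = []
    for dc in datacenters:
        hosts.append(f"{tenant}-idr-{dc}.{auth}")
        hosts.append(f"{tenant}-idr-{dc}.{access}")
    return hosts


def uncovered_hosts(hosts, allowlist):
    """Hostnames that no wildcard pattern in the URL-filter allowlist matches.

    Patterns use the shell-style wildcard the guide quotes (*.access.securid.com).
    Matching is anchored to the whole name, so a pattern for one region does not
    accidentally cover another region's domain.
    """
    patterns = [p.lower() for p in allowlist]
    return [h for h in hosts
            if not any(fnmatch.fnmatchcase(h.lower(), p) for p in patterns)]


def probe(host, port=443, timeout=5.0):
    """Live check: resolve `host` and complete a certificate-verified TLS handshake.

    Returns (True, negotiated_protocol) or (False, error text). A failure here
    while the allowlist check passes usually points at DNS on the AM host or an
    intercepting proxy presenting an untrusted certificate.
    """
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except (OSError, ssl.SSLError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    import sys
    tenant = sys.argv[1] if len(sys.argv) > 1 else "acme"  # constructed default
    region = sys.argv[2] if len(sys.argv) > 2 else "us"
    # constructed allowlist: the patterns the guide names for a US tenant
    allowlist = ["*.access.securid.com", "*.auth.securid.com"]
    hosts = cas_hostnames(tenant, region) + ["telemetry.access.securid.com"]
    gaps = uncovered_hosts(hosts, allowlist)
    print("allowlist gaps:", gaps or "none")
    if "--probe" in sys.argv:  # only on a host with outbound access
        for h in hosts:
            print(h, *probe(h))
```

Run it as `python check_cas_hosts.py <tenant> <region> [--probe]`. A US allowlist that only permits *.auth.securid.com and *.access.securid.com leaves every federal, EMEA, or other regional hostname uncovered, which is the usual cause of a registration that fails only after a tenant moves region.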
Connectivity Requirements
Replace the values in the table below with your values from the worksheet above. This table identifies the connectivity requirements that you might need to provide to your IT group to update firewall rules for your network. Update your connectivity settings before continuing with the next step.
The embedded identity router supports the use of one network interface.
| Source | Destination | Protocol and Port | Purpose |
|---|---|---|---|
| 0.0.0.0/0 | Both CAS environments | TCP 443 | External user access to CAS |
| AM instances hosting an embedded identity router | Cloud Administration Console and both CAS environments. Note: If your company uses URL filtering, be sure that the *.access URLs (for example, *.access.securid.com, *.access-anz.securid.com, *.access-eu.securid.com, *.access.securidgov.com, or *.access-in.securid.com), the *.auth URLs (*.auth.securid.com, *.auth-anz.securid.com, *.auth-eu.securid.com, *.auth.securidgov.com, or *.auth-in.securid.com), and the CAS IP addresses for your region are allowed. Also confirm that you can connect to the *.access and *.auth URLs for your tenant. For more information, see Test Access to Cloud Access Service. | TCP 443 | Identity router registration |
| All AM primary and replica instances | The two embedded identity router URLs for your region that are listed in the previous table. | TCP 443 | Embedded identity router deployment |
| <Your identity router management interface IP address> | <Your LDAP directory server IP address> | TCP 636 (LDAPS) or TCP 389 (LDAP) | LDAP directory user authentication and authorization |
| <Your identity router portal interface IP address or identity router management interface IP address> | <Your DNS server IP address> | UDP 53 | DNS |
| <Your identity router portal interface IP address or identity router management interface IP address> | <Your NTP server IP address> | UDP 123 | Network time server synchronization |
| AM internal firewall | Authentication Manager | TCP 9786 | Identity router configuration |
Note: The embedded IDR management subnet interface uses the internal IP range 172.17.0.1/16, and the embedded IDR docker subnet interface uses the internal IP range 172.19.0.1/16. These IP addresses are used by default by AM when the embedded IDR is configured on AM. Although these two subnets are only used internally by AM, to use an embedded IDR, they must not be in use elsewhere in your organization's network. The two subnets must be reserved by your organization for use only by AM. If the IP ranges of these subnets are already included in subnets elsewhere in your organization's network, choose two alternate, unused private subnets that can be reserved instead solely for use by AM. Follow these instructions to choose alternate subnets and reconfigure AM servers to use them with embedded IDRs.
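Before enabling the embedded IDR it is worth checking the two reserved ranges against your address plan rather than assuming they are free; an overlap with a routed subnet shows up as an IDR that cannot reach the directory or the Cloud from inside the container network. The following added example (not RSA code) does that with the standard library: it reports which organisation subnets overlap the two defaults and, if they do collide, proposes unused /16 blocks from the 172.16.0.0/12 private pool as alternates. ORG_SUBNETS is a constructed sample of what you would export from IPAM or routing tables.

```python
"""Check the embedded-IDR reserved subnets against your address plan.

Added example for this guide (not RSA code). RESERVED holds the two default
internal ranges from the note above. ORG_SUBNETS is a constructed sample of
what you would export from your IPAM or routing tables; replace it with yours.
"""
import ipaddress

RESERVED = {
    "management": ipaddress.ip_network("172.17.0.0/16"),  # page notation: 172.17.0.1/16
    "docker": ipaddress.ip_network("172.19.0.0/16"),      # page notation: 172.19.0.1/16
}

# constructed sample: an RFC 1918 plan that already routes all of 172.16.0.0/12
ORG_SUBNETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.50.0/24"]


def _networks(subnets):
    # strict=False accepts host-style notation such as 172.17.0.1/16
    return [ipaddress.ip_network(s, strict=False) for s in subnets]


def conflicting_subnets(org_subnets, reserved=RESERVED):
    """Map each reserved range to the organisation subnets that overlap it.

    Only ranges with at least one overlap appear in the result, so an empty
    dict means the defaults can be reserved for AM as-is.
    """
    nets = _networks(org_subnets)
    conflicts = {}
    for name, res in reserved.items():
        hits = [str(n) for n in nets if n.version == 4 and n.overlaps(res)]
        if hits:
            conflicts[name] = hits
    return conflicts


def free_private_16s(org_subnets, count=2, pool="172.16.0.0/12"):
    """First `count` /16 blocks in `pool` that nothing in the address plan overlaps.

    These are candidates for the alternate subnets the note says to choose
    when the defaults collide; an empty list means the pool is exhausted.
    """
    nets = _networks(org_subnets)
    free = []
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=16):
        if not any(cand.overlaps(n) for n in nets):
            free.append(str(cand))
            if len(free) == count:
                break
    return free


if __name__ == "__main__":
    clashes = conflicting_subnets(ORG_SUBNETS)
    if clashes:
        print("default embedded-IDR subnets collide with:", clashes)
        alternates = free_private_16s(ORG_SUBNETS)
        print("candidate replacements:", alternates or "none in pool; widen the pool")
    else:
        print("defaults are free; reserve 172.17.0.0/16 and 172.19.0.0/16 for AM")
```

With the sample plan above the script reports both defaults as colliding with 172.16.0.0/12 and finds no free /16 in that pool, which is exactly the case where you must pick the alternates from another private range and reserve them before reconfiguring AM.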
Step 2: Set Up the Cloud Connection
If your current AM deployment is not connected to CAS, you must configure the connection.
Before you begin
Know which access policy will be applied to all users who access these resources, or configure a new access policy. An access policy determines which users can access your protected resources and which authentication methods they are required to use. You can use a preconfigured policy or create your own. For more information, see Access Policies.
Procedure
In the Cloud Administration Console, generate the Registration Code and Registration URL as described in Connect Authentication Manager to the Cloud Access Service. This code is valid for 24 hours. You can either copy the code to a text file and save it for later or leave the window open to copy it when you configure the connection from the wizard-based interface in the Security Console.
In the Security Console, click Setup > System Settings.
Click Cloud Authentication Service Configuration.
If AM is behind an external firewall that restricts outbound traffic, you must configure a proxy server.
Connect AM to CAS:
- Under Register Authentication Manager with the Cloud Authentication Service, copy and paste the Registration Code and the Registration URL.
- Click Connect to the Cloud Authentication Service.
Under Cloud Authentication Service Configuration, click Enable Cloud Authentication.
- Optionally, select the Send Multifactor Authentication Requests to the Cloud check box.
When selected, AM acts as a secure proxy server that sends authentication requests to CAS. This feature supports all authentication methods supported by REST protocol authentication agents, when verified by CAS. To support authenticators verified by AM, a separate connection must be configured from CAS to AM (see Enable SecurID Token Users to Access Resources Protected by the Cloud Access Service).
Click Save.
A message indicates that the connection is established. CAS details are automatically updated and saved.
Step 3: Deploy the Embedded Identity Router
You can download and configure an embedded identity router on the primary instance, on one or more replica instances, or on both. Deploying more than one identity router provides redundancy when a replica is promoted for maintenance or in a disaster recovery situation. The embedded identity router is not included in AM backup files, so restoring AM from a backup does not restore it.
Procedure
In the Cloud Administration Console, add an identity router record for the AM platform. Either record the Registration Code and the Authentication Service Domain or plan to copy this information later.
In the Security Console, click Setup > System Settings.
Click Cloud Authentication Service Identity Router.
Click Download & Install Identity Router.
Progress messages are displayed. The process takes a couple of minutes, depending on your network speed.
You can click Back to navigate away from the page without stopping the process.
After installation is complete, you must register the identity router with CAS.
Click Configure Identity Router to open the Identity Router Setup Console.
The first time you log on, use these default credentials:
- Username: idradmin
- Password: s1mp13
You are prompted to change the password. Because the default password is published, complete the change before leaving the Setup Console, and record the new password so that you can access the console when you need it.
Sign in with the new password.
Paste the Registration Code and the Authentication Service Domain that you recorded when you added the identity router record (the first step of this procedure) into the corresponding fields of the Identity Router Setup Console.
Click Submit. The identity router is registered with CAS.
After you finish
(Optional) Deploy embedded identity routers on other AM servers in the deployment.
Step 4: Connect the Identity Source to the Cloud Access Service
Connect an LDAP Directory to the Cloud Access Service
Perform these steps if you need to connect to an LDAP directory quickly using only required settings. If you want to use advanced options, see Add an Identity Source.
Procedure
In the Cloud Administration Console, click Users > Identity Sources.
Click Add an Identity Source > Select next to the directory to add.
Enter the identity source name and root (the base DN for users from the planning worksheet).
- Optionally, in the SSL/TLS Certificates section:
Select Use SSL/TLS encryption to connect to the directory servers.
Click Add and select the SSL/TLS certificate.
In the Directory Servers section, add each directory server in the identity source, and test the connection.
Click Next Step.
On the User Attributes page, click Refresh Attributes, and verify that a valid list of attributes appears.
Select the checkbox Synchronize the selected policy attributes with the Cloud Authentication Service.
In the Policies column, select sAMAccountName, virtualGroups, and memberOf or other attributes that you might use to identify users.
- Click Next Step.
In the User Search Filter field, specify your test group using a filter. The following is an Active Directory example:
(&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf=<yourgroup_distinguishedName>))
Where <yourgroup_distinguishedName> is the distinguished name of your test group.
For example, (&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)(memberOf=CN=SecurIDAccessUsers,OU=Groups,DC=Corp,DC=local))
Click Save and Finish.
Click Publish Changes.
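The group DN is substituted into the filter as an assertion value, so any parenthesis, asterisk, or backslash in it (common in CN values such as "Ops (Tier 1)") must be hex-escaped per RFC 4515 or the filter breaks, or worse, silently matches a different set of users. The following added example (not RSA code) builds the Active Directory filter shown above from a group DN with that escaping applied, adds an optional nested-membership variant using the AD-specific LDAP_MATCHING_RULE_IN_CHAIN rule (not something the guide's filter uses), and includes a structural sanity check. The group DNs are constructed.

```python
"""Build the CAS user search filter from a group DN with RFC 4515 escaping.

Added example for this guide (not RSA code). The filter shape is the Active
Directory example above; the group DNs are constructed. The nested option uses
the LDAP_MATCHING_RULE_IN_CHAIN OID, an Active Directory extension that the
guide's own example filter does not use.
"""

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (single pass, no double escaping)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(group_dn, nested=False):
    """The guide's AD example filter with the test group's DN substituted.

    memberOf alone matches direct members only. nested=True switches to
    memberOf:1.2.840.113556.1.4.1941: (LDAP_MATCHING_RULE_IN_CHAIN) so users in
    groups nested inside the group are found too; this is slower on large
    directories, so keep the test group flat if you can.
    """
    attr = "memberOf:1.2.840.113556.1.4.1941:" if nested else "memberOf"
    return ("(&(objectCategory=Person)(sAMAccountName=*)(objectClass=user)(mail=*)"
            f"({attr}={escape_filter_value(group_dn)}))")


def parens_balanced(ldap_filter):
    """Structural check only: every unescaped '(' has a matching ')'.

    Escaped sequences (backslash plus two hex digits) are skipped, so a
    correctly escaped DN never changes the nesting of the filter.
    """
    depth = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3          # skip the \XX escape
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    # constructed group DNs: one plain, one with characters that need escaping
    for dn in ("CN=SecurIDAccessUsers,OU=Groups,DC=Corp,DC=local",
               "CN=Ops (Tier 1),OU=Groups,DC=Corp,DC=local"):
        flt = user_search_filter(dn)
        print(flt, "balanced" if parens_balanced(flt) else "UNBALANCED")
```

Paste the returned string into the User Search Filter field; the first constructed DN reproduces the example filter above byte for byte, and the second shows the escaped form the directory actually needs.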
Synchronize the LDAP Directory
Synchronize data between the CAS and your LDAP directory to ensure that CAS reflects any updates made to the LDAP directory.
During synchronization, users are added and attribute values that you selected in the previous step are copied to CAS. User passwords are not synchronized.
Procedure
In the Cloud Administration Console, click Users > Identity Sources.
Next to your identity source, select Synchronization from the drop-down menu.
In the Identity Source Details section, click Synchronize Now.
Depending on the number of users you are syncing, this process can take several minutes.
Connect the AM Internal Database to the Cloud Access Service
If users in the AM internal database need to authenticate using CAS, follow the steps on page Synchronize Users from Internal Database to CAS.
Step 5: Enable My Page
RSA My Page is a web portal that gives users a secure way to complete authenticator registration. Perform these steps to enable My Page for your company. If you want to configure advanced settings for My Page, see Manage My Page.
Procedure
In the Cloud Administration Console, click Access > My Page.
In the My Authenticators tab, enable My Authenticators.
Write down your My Page URL.
In the 2.0 Access Policy for Authentication drop-down list, select an access policy to manage user access to the available authenticator registration functions in My Page.
Click Save.
Step 6: Protect a Resource
Configure an application to be protected by CAS, such as a Relying Party, My Page, or MFA Agent application. In the configuration wizard, select the preconfigured access policy All Users Low Assurance Level. If you prefer to create a policy, see Add, Clone, or Delete an Access Policy.
For instructions for all supported applications, see RSA Ready.
Step 7: Test
Register a Device with the RSA Authenticator App
Perform these steps to quickly register a device. Use a user who is in an identity source with a directory server connected to the embedded IDR. For additional information, see Registering Devices with the RSA Authenticator App.
Procedure
On one device (for example, your computer), go to the RSA My Page provided by your administrator.
- Complete any authentication that you are prompted for.
In the My Authenticators tab, click Register an authenticator.
Click RSA Authenticator App and then follow the on-screen instructions to download the RSA Authenticator app.
On another device (iOS, Android, macOS, or Windows), install the RSA Authenticator app:
iOS and macOS: Apple App Store
Android: Google Play
Windows: Microsoft Store
On your computer, on the Registration page, click Next.
On your mobile device, open the RSA Authenticator app.
Accept the Terms of Service and Privacy Policy.
Allow or deny Google Analytics data collection. You can select either option to use the Authenticator app.
Tap Get Started.
Allow the app to access your camera.
Scan the QR code that displays on My Page.
The app home screen appears, and the app is ready for use.
Tap Allow to allow the RSA Authenticator app to send notifications.
On your computer, on the Registration page, click Test Now. RSA sends a notification to your registered device. If you do not want to test, you can click Done.
On your mobile device, tap the notification and approve it.
The My Page home screen displays. You have successfully registered and tested your device.
Step 8: Sign Into the Protected Resource
As a user who is in an identity source connected to the embedded IDR, perform the following.
Procedure
Start the sign-in process to the protected resource.
RSA sends a notification to your phone.
Tap Approve on your mobile device.
Select Remember this browser, and click Continue.
You are signed into the resource.
Step 9: Optional Next Steps
| Task | Instructions |
|---|---|
| Invite existing users to complete the authenticator registration process using My Page to help you test the new deployment. | |
| View the status of the identity routers, test the identity router, and perform related tasks. | |
| Troubleshoot identity router issues. | Download Troubleshooting Files. See Enable Emergency Debug Logging and Generate and Download the Identity Router Log Bundle in Troubleshooting Identity Router Issues. |