RSA SecurID Authentication
RSA SecurID is considered the most secure authentication system available. Access Manager Plus allows you to set up Two-Factor Authentication if you have RSA Authentication Manager and RSA SecurID Appliance in your environment. RSA SecurID is based on a physical authenticator such as a USB token, smart card or key fob. When a user needs to log in, the user provides the username and a one-time passcode, which is the combination of the user's PIN and the tokencode currently displayed on the authenticator.
Summary of Steps
- Configuring Two-Factor Authentication in Access Manager Plus
- Integrating RSA SecurID with Access Manager Plus
- Enforcing Two-Factor Authentication for Required Users
- Connecting to Access Manager Plus Web Interface when TFA through RSA SecurID is Enabled
  - 4.1 Possible Scenarios while Logging into Access Manager Plus using RSA SecurID
1. Configuring Two-Factor Authentication in Access Manager Plus
- Navigate to Admin >> Authentication >> Two-factor Authentication.
- Choose the option RSA SecurID and click Save. Administrators can also enable RSA On-Demand authentication by selecting the On-Demand authentication check box.
- Click Confirm to enforce RSA SecurID as the second factor of authentication.
2. Integrating RSA SecurID with Access Manager Plus
You can integrate RSA SecurID with Access Manager Plus by following the steps below:
- Register the Access Manager Plus server as an Agent Host in RSA Authentication Manager.
- Generate the RSA Authentication Manager configuration file (sdconf.rec) in RSA Authentication Manager and copy it to the <AMP_SERVER_HOME>\bin directory. If a node secret file (securid) exists, copy that file to the same directory as well.
- In the RSA Authentication API configuration file (rsa_api.properties), set the RSA_AGENT_HOST property to the hostname or IP address of the Access Manager Plus server. This file is located in the default application directory (<AMP_SERVER_HOME>\bin).
2.1 Mapping Access Manager Plus users to RSA Authentication Manager
- Before Two-Factor Authentication can take place, use the RSA Security Console to enter all desired Access Manager Plus users into RSA Authentication Manager, assign tokens to them and activate the tokens on the appropriate Agent Host.
- Ensure that the user name in RSA Authentication Manager and the corresponding user name in Access Manager Plus are the same. For an existing RSA user whose name does not match the Access Manager Plus user name, you can map the correct user name by editing the user properties in Access Manager Plus.
For example, if you have imported a user named 'ZYLKER\rob' from Active Directory into Access Manager Plus while the username is recorded as 'rob' in RSA Authentication Manager, there will be a mismatch. To resolve it, edit the user name in Access Manager Plus so that 'ZYLKER\rob' is mapped to 'rob'.
The following sequence describes the authentication process between Access Manager Plus and RSA SecurID:
- When a user first tries to access Access Manager Plus, the first factor is verified through Active Directory, LDAP or local authentication.
- Access Manager Plus then prompts the user for the username and the RSA SecurID passcode, both of which are sent to RSA Authentication Manager through the RSA Runtime API.
- RSA Authentication Manager authenticates the user and returns the result to Access Manager Plus.
- On success, Access Manager Plus grants the user access to the requested connection.
3. Enforcing Two-Factor Authentication for the Required Users
- Once you confirm RSA SecurID as the second factor of authentication, in a new pop-up window, you will be prompted to select users for whom Two-Factor Authentication should be enforced.
- You can enable or disable Two-Factor Authentication for a single user or multiple users in bulk from here. To enable Two-Factor Authentication for a single user, click Enable beside the respective username. For multiple users, select the required usernames and click Enable at the top of the user list. Similarly, you can also Disable Two-Factor Authentication from here.
- You can also select the users later by navigating to Users >> More Actions >> Two-factor Authentication.
4. Connecting to Access Manager Plus Web Interface when TFA through RSA SecurID is Enabled
Users who have Two-Factor Authentication enabled for their accounts have to authenticate twice in succession during login. As mentioned above, the first level of authentication is Access Manager Plus's local authentication or AD/LDAP authentication. The second level depends on the type of TFA chosen by the administrator, as explained below:
- Upon launching the Access Manager Plus web interface, enter the username and the local or AD/LDAP password and click Login.
- In the RSA Passcode field, enter the RSA SecurID passcode. Depending on the configuration in RSA Authentication Manager, the passcode is either the PIN followed by the tokencode, the tokencode alone, or the On-Demand PIN.
- If you want to use the RSA On-Demand authenticator, select RSA On-Demand and proceed. In this case, you need to provide the On-Demand Tokencode as described in Case 3 below.
4.1 Possible Scenarios while logging into Access Manager Plus using RSA SecurID
Case 1: Entering a user-created or system-created PIN
As mentioned above, the RSA passcode can be the PIN followed by the tokencode, the tokencode alone, or a password, depending on the configuration in RSA Authentication Manager. If the RSA Security Console settings require users to create a PIN of their own or to use a system-generated PIN, the following options are shown after step 2 (that is, after entering the first password and the RSA tokencode to log in to Access Manager Plus).
User Created PIN:
In the case of a user-created PIN, users get the option to enter a PIN of their own. The PIN must be numeric and between 4 and 8 digits long. After entering the PIN, the user has to wait until the RSA tokencode changes to a new value. Then, on the next screen, the user enters the new PIN and the new RSA tokencode to authenticate.
System Created PIN:
In the case of a system-created PIN, Access Manager Plus itself randomly generates a PIN and shows it on the screen. Users have to note down the new PIN and wait until the RSA tokencode changes to a new value. Then, on the next screen, they enter the system-generated PIN and the new RSA tokencode to authenticate.
Case 2: New Tokencode Mode
If a user attempts to log in to Access Manager Plus with a random or guessed RSA passcode a specified number of times, RSA Authentication Manager switches to New Tokencode mode to verify that the user actually possesses the token. In that case, Access Manager Plus prompts for the next tokencode during login: the user has to wait until the RSA device shows a new tokencode and then enter that new code to proceed with logging in to Access Manager Plus.
Note: If the next tokencode entered by the user is wrong, Access Manager Plus reverts to the initial login screen, and the user has to start again by entering the username.
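The login sequence of section 2 and the New Tokencode mode of Case 2, as an added model that is not ManageEngine or RSA code: a stub stands in for RSA Authentication Manager, the passcode is PIN plus tokencode, and the failure threshold, PIN and tokencode values are constructed for the illustration.

```python
MAX_BAD_PASSCODES = 3   # constructed threshold; the real one is RSA policy


class RsaManagerStub:
    """Stand-in for RSA Authentication Manager holding one user's PIN/token."""

    def __init__(self, pin, tokencodes):
        self.pin, self.codes, self.t = pin, list(tokencodes), 0
        self.bad, self.expect_next = 0, None

    def rollover(self):           # the hardware token moves to its next code
        self.t += 1

    def check_passcode(self, passcode):
        if passcode == self.pin + self.codes[self.t]:
            self.bad = 0
            return "ACCESS_OK"
        self.bad += 1
        if self.bad >= MAX_BAD_PASSCODES:   # too many guesses: prove possession
            self.bad, self.expect_next = 0, self.t + 1
            return "NEXT_TOKENCODE"
        return "ACCESS_DENIED"

    def check_next_tokencode(self, tokencode):
        # only the code that follows the one current at challenge time is valid
        ok = self.t == self.expect_next and tokencode == self.codes[self.t]
        self.expect_next = None
        return "ACCESS_OK" if ok else "ACCESS_DENIED"


class AmpLoginSession:
    """Model of the Access Manager Plus login screens for one user."""

    def __init__(self, manager):
        self.rsa, self.screen = manager, "LOGIN"

    def submit(self, first_factor_ok, passcode):
        # screen 1: local/AD/LDAP password, then the RSA passcode (PIN+tokencode)
        if self.screen == "LOGIN" and first_factor_ok:
            result = self.rsa.check_passcode(passcode)
            if result == "ACCESS_OK":
                self.screen = "CONNECTED"
            elif result == "NEXT_TOKENCODE":
                self.screen = "NEXT_TOKENCODE"
        return self.screen

    def submit_next_tokencode(self, tokencode):
        # screen 2 (New Tokencode mode): a wrong code returns the user to screen 1
        if self.screen == "NEXT_TOKENCODE":
            ok = self.rsa.check_next_tokencode(tokencode) == "ACCESS_OK"
            self.screen = "CONNECTED" if ok else "LOGIN"
        return self.screen
```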
Case 3: Tokencode Mode
When the RSA On-Demand authenticator is configured, you need to supply the Tokencode to log in to Access Manager Plus. The Tokencode is sent to the registered email address or mobile number configured in the RSA On-Demand authentication system.