RSA SecurID
RSA SecurID is a service for performing two-factor authentication when accessing network resources. The RSA SecurID authentication mechanism consists of a token, provided either as hardware (e.g. a key fob) or as software (a soft token). This token is assigned to a computer user and creates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the card's factory-encoded, almost random key. These authentication codes can then be used to authenticate the user for various network services, including Specops Authentication.
Note
These instructions assume that users and administrators are already enrolled with RSA SecurID. Please consult with your organization about enrollment.
Note
When authenticating with RSA SecurID, the dynamic feedback at password change is not supported.
Authenticating with RSA SecurID
When RSA SecurID is set up with Specops Authentication, you can choose it as an identity service when authenticating.
- Choose RSA SecurID in the list of identity services.
- Choose the authentication method you would like to use, then click Start for methods that require acknowledgement on your device, or click Verify after entering the correct code.
Note
The list of authentication methods depends on the Assurance Level the administrator has set for Specops Authentication. The method you used last will always be on top of the list.

| Method | Description |
| --- | --- |
| SMS Tokencode | You receive a token code via text message, which you input in the Code field. |
| Approve | If you have the RSA SecurID installed on your device, you will get a push notification that you acknowledge on the device. |
| Authentication tokencode | |
| Voice tokencode | You will receive a phone call informing you of the correct code. Input this code in the Code field. |
| Emergency tokencode | |
| RSA SecurID* | Generate a code on your RSA SecurID key fob and input this code in the Code field. |
| Device Biometrics | Use your device's fingerprint sensor or Face ID to authenticate. |

Note
*RSA SecurID is also available as a software token for most common platforms, rather than a physical device.
Note
If your organization has chosen to host the RSA SecurID API on-premise, you will only be able to authenticate using a token as an authentication method.
Note
If the administrator has set the Assurance level to High, you will see combinations of methods presented in the list (e.g. RSA SecurID and Device Biometrics). Use both methods to authenticate.
Configuring RSA SecurID (Administrators)
To let users authenticate using RSA SecurID, it needs to be configured as an identity service in Specops Authentication Web. This procedure assumes that the administrator has also registered with RSA SecurID and has set up their account accordingly. If your organization has chosen the On-Prem version of the API, we assume that you have configured that too, along with the Authentication Manager used for configuring API access.
More information on the Authentication Manager: https://community.rsa.com/s/article/Getting-Started-with-RSA-Authentication-Manager-554474b5
More information on the REST RSA SecurID Authentication API: https://community.rsa.com/s/article/RSA-SecurID-Authentication-API-Developer-s-Guide
Note
Make sure you have synced your Active Directory with RSA SecurID. For more information, please consult RSA's help pages.
[Cloud] Configuring RSA SecurID Cloud
Note
Only hosted RSA (cloud, not on-prem) is supported by Specops Authentication.
- In Authentication Web, go to Identity Services, and click on the configuration icon next to RSA SecurID in the list.
- Set the Authentication Service Type to Cloud.
- Enter the Tenant URL. This can be found in the RSA SecurID portal. Go to My Account > Company Settings, then choose the Authentication API Keys section. There you will find the RSA SecurID Authentication API REST URL.
- If your Active Directory uses an attribute other than userPrincipalName for the RSA SecurID User, enter that attribute in the User attribute containing SecurID User/Account identifier field.
- Indicate with the dropdown whether you want to auto-enroll users.
- Enter the API Key. This can be found in the RSA SecurID portal (https://access.securid.com/AdminInterface/login). Go to My Account > Company Settings, then choose the Authentication API Keys section. Copy the correct key there, or generate a new key by clicking the Add button.
- Using the dropdown, indicate which Assurance Level you would like to use. The Assurance level determines which authentication methods are shown to users. See the table below for an overview of the different levels.
Note
Which methods are shown in the different Assurance Levels is configured in the RSA SecurID portal. Go to Access > Assurance Levels.

| Assurance Level | Description |
| --- | --- |
| Low | Shows all methods included in Assurance Levels Low, Medium, and High. |
| Medium | Shows all methods included in Assurance Levels Medium and High. |
| High | Shows only methods included in Assurance Level High. |

Note
If there is overlap between authentication methods at different Assurance Levels, not all methods will be presented to the user. For example, if the Assurance level is set to Medium, and the configuration includes RSA SecurID and Device Biometrics at Medium Level, while High contains a combined method for RSA SecurID and Device Biometrics, the combined method will not be shown.
- Click Save.
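
The Assurance Level table and the overlap note above, modelled as an added example (not Specops or RSA code) so you can predict what users will see before picking a level. The method-to-level assignment is constructed sample data, and the overlap rule is an assumption generalized from the single case described in the note.

```python
# Added example: models the Assurance Level rules described on this page.
LEVELS = ["Low", "Medium", "High"]  # ordered from most to least permissive

# Constructed sample assignment (the real one is set in the RSA SecurID portal
# under Access > Assurance Levels). A tuple stands for a combined method.
SAMPLE_CONFIG = {
    "Low": ["SMS Tokencode", "Voice tokencode"],
    "Medium": ["RSA SecurID", "Device Biometrics"],
    "High": [("RSA SecurID", "Device Biometrics"), "Approve"],
}


def _candidates(config, selected):
    """Table rule: the selected level and every stricter level contribute."""
    if selected not in LEVELS:
        raise ValueError(f"unknown assurance level: {selected!r}")
    found = []
    for level in LEVELS[LEVELS.index(selected):]:
        for method in config.get(level, []):
            if method not in found:
                found.append(method)
    return found


def _split(config, selected):
    """Return (shown, hidden) lists for the selected level."""
    found = _candidates(config, selected)
    singles = {m for m in found if isinstance(m, str)}
    shown, hidden = [], []
    for method in found:
        # Assumed overlap rule: a combination is hidden when every one of its
        # parts is already offered on its own in the same list.
        overlaps = isinstance(method, tuple) and all(p in singles for p in method)
        (hidden if overlaps else shown).append(method)
    return shown, hidden


def methods_shown(config, selected):
    return _split(config, selected)[0]


def hidden_combinations(config, selected):
    return _split(config, selected)[1]


if __name__ == "__main__":
    for level in LEVELS:
        print(level, methods_shown(SAMPLE_CONFIG, level),
              "hidden:", hidden_combinations(SAMPLE_CONFIG, level))
```

Under this model, a non-empty hidden list for the level you selected means a combined method configured in the portal will not reach users, and selecting Low exposes every method configured at any level.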