Setting up RSA SecurID authentication

You can set up RSA SecurID as an authenticator in ADSelfService Plus in two steps:

1. Include the ADSelfService Plus server in the SecurID SECURITY CONSOLE as an authentication agent.
2. Configure ADSelfService Plus for RSA SecurID.

Prerequisites

Including ADSelfService Plus as an authentication agent in the RSA SecurID SECURITY CONSOLE

1. Log in to your RSA admin console (e.g., https://adssp-rsa.mydomain.com/sc ).
2. Navigate to Access > Authentication Agents. Click Add New.



3. Enter the hostname of the ADSelfService Plus server in the Hostname field and click Resolve IP to establish a connection between the SecurID SECURITY CONSOLE and the ADSelfService Plus server.
4. Click Save to add the ADSelfService Plus server as an authentication agent.

Configuring ADSelfService Plus for RSA SecurID

RSA SecurID configuration can be done using either of these methods:

• REST API Integration
• SDK Integration

Note: It is recommended to configure RSA authentication using REST API as RSA SecurID no longer supports SDK Integration.

Steps to configure RSA SecurID with REST API integration

1. Log into the RSA admin console and navigate to Setup > System Settings.
2. Under Authentication Settings, click RSA SecurID Authentication API.
3. Copy the Access ID, Access Key, and Communication Port details.
4. Log into the ADSelfService Plus admin console and navigate to Admin > Configuration > Self-Service > Multi-factor Authentication > RSA SecurID.
5. From the Choose the Policy drop-down, select a policy.

Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.

6. Click RSA SecurID.
7. For Integration Type, select REST API.



8. Enter the hostname of RSA Authentication Manager in the API Host Name field.
9. Paste the port number and access key obtained in Step 3 in the Port and Access Key fields, respectively.
10. Enter the authentication agent's name (i.e., the hostname or access URL of the ADSelfService Plus server) in the Client Id field.
11. Check the Secure API requests to RSA server with HMAC Authentication box to verify the integrity of the authentication requests. Please follow the steps mentioned under HMAC prerequisites before enabling HMAC authentication.



12. Enter the access ID copied in Step 3, in the Access Id field.
13. Select a Username Pattern that matches the User Account Format in the RSA admin console.

Note: Users across different domains can have the same username, causing ambiguity during RSA mapping. To ensure secure authentication, we strongly recommend using a username pattern that includes the domain. This Username Pattern needs to match the RSA User Account Format in the RSA admin console, to accurately map domain user accounts to RSA user accounts.

14. Click Test Connection and Save.

Steps to configure RSA SecurID with SDK integration

1. Ensure that the required JAR files listed below are present in the <ADSelfService_Plus_install_directory>/lib folder.
   
   • authapi-8.6.jar
   • log4j-1.2.12rsa-1.jar
   • cryptojcommon-6.1.3.3.jar
   • jcmFIPS-6.1.3.3.jar
   • cryptojce-6.1.3.3.jar
     

Note: These JAR files pertain to the latest version of Authentication Agent SDK for Java (version 8.6). If they are not present in the <ADSelfService_Plus_install_directory>/lib folder, please download them from RSA Community.

2. In the RSA admin console, navigate to Access > Authentication Agents > Generate Configuration File.
3. Click Generate Config File to download the AM_Config.zip file.
4. Extract the sdconf.rec file from the ZIP file.
5. Log into the ADSelfService Plus admin portal and navigate to Admin > Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup > RSA SecurID.
6. From the Choose the Policy drop-down, select a policy.

Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.

7. Click RSA SecurID.
8. For Integration Type, select SDK.



9. Click Browse and select the sdconf.rec file downloaded from the SecurID SECURITY CONSOLE.
10. Select a Username Pattern that matches the User Account Format in the RSA admin console.

Note: Users across different domains can have the same username, causing ambiguity while matching RSA accounts to ADSelfService Plus user accounts during MFA. To ensure secure authentication, we strongly recommend using a Username Pattern that includes the domain name (domain_dns_name) or email (email_id) to accurately map domain user accounts to RSA User Accounts, which need to be in the same format. Utilizing only the username (user_name) in the Username Pattern is discouraged for security reasons.

11. Click Save.

Once enabled, users belonging to the policy for which RSA authentication has been enabled will be asked to verify their identity with their SecurID tokens while logging in.

HMAC prerequisites

Hash-based message authentication code (HMAC) is used to validate the authentication requests that are exchanged between authentication agents and the RSA SecurID Authentication API.

1. Log on to the appliance with the Secure Shell client or access the appliance on a virtual machine with the VMware vSphere Client, Hyper-V Virtual Machine Manager, or Hyper-V Manager.
   
2. To verify authentication requests by implementing HMAC, type the following:
   
1. ./rsautil store –a update_config
   
2. auth_manager.rest_service.authorization.mode 1 GLOBAL 501
   
3. To use only the RSA SecurID Authentication API's access key for authentication, type the following:
   
1. ./rsautil store –a update_config
   
2. auth_manager.rest_service.authorization.mode 0 GLOBAL 501