VMware Tunnel integrates with RSA Adaptive Authentication to allow end users to access internal endpoints using step-up authentication. This integration applies only to the VMware Tunnel Proxy component.

RSA Adaptive Authentication studies user and device patterns, such as location, and then determines whether or not to prompt users to log in based on its algorithm. For example, if end users attempt to access an intranet site and are prompted to authenticate, then they may not be asked to authenticate an hour later if no other device attributes have changed significantly. However, if end users travel to another country or state, then the system may prompt them to authenticate again to access the same site.

Step-Up Authentication Workflow

There are two main workflows to consider when using step-up authentication with this integration: 

  • For users who have not set their SecurID PIN.

    In this scenario, when a user initiates a connection with the VMware Tunnel for the first time (for example, when attempting to access an internal Web site), the VMware Tunnel automatically enrolls the user in the RSA Adaptive Authentication database with the Adaptive Auth User identifier value set in the AirWatch Console. Next, the user is prompted to set the SecurID PIN. The user must remember this PIN, because it is the combination of this PIN and the SecurID token number that makes the final passcode that is required to authenticate against the authentication manager to get intranet access. On subsequent requests, users are asked to enter their passcode (PIN + token).

    After the user sets the SecurID PIN for the first time and authenticates against the manager, RSA Adaptive Authentication may or may not challenge the user again for several hours. The RSA Adaptive Authentication algorithm decides when to challenge users after the initial authentication. This system is adaptive and studies the user and device patterns. Based on the data that it collects about the user and device, it then decides whether or not to challenge users on subsequent access attempts.

  • For users who have already set their SecurID PIN.

    Users who have already set their SecurID PIN are not asked to set their PIN again and can continue using their existing PIN. The VMware Tunnel enrolls such users in the RSA Adaptive Authentication database, and they are prompted to enter their passcode (a combination of their PIN + token).


  • RSA Adaptive Authentication server v7.0.

  • Authentication Manager integrated with the RSA SecurID plug-in to validate the SecurID tokens.

    • This integration is limited to the use of the RSA SecurID plug-in, along with the RSA Adaptive Authentication service. A Question-Answer based implementation of step-up authentication is not supported with this release.
  • VMware Tunnel Proxy component installed. Currently, this integration works only with the proxy component of VMware Tunnel.

  • RSA Adaptive Authentication information configured in the AirWatch Console.
    • In the AirWatch Console, you must enter some basic information related to your RSA Adaptive Authentication environment, such as host names, admin credentials, and an Adaptive Auth user identifier, which is a unique identifier for every user in your Active Directory and Authentication Manager. For more details on these settings, see Configure Advanced Settings.

Client Compatibility

  • AirWatch iOS Browser v4.5+

    AirWatch Android Browser v3.1+

  • AirWatch iOS SDK v5.5+

  • AirWatch Android SDK v15.11+