If you create and distribute RSA SecurID software tokens to end users, users need enter only their PIN, rather than their PIN and a token code, to authenticate.

Setup Requirements

You can use Compressed Token Format (CTF) or dynamic seed provisioning, which is also called CT-KIP (Cryptographic Token Key Initialization Protocol), to set up an easy-to-use RSA authentication system. With this system, you generate a URL to send to end users. To install the token, end users paste this URL directly into Horizon Client on their client devices. The dialog box for pasting this URL appears when end users connect to a Connection Server instance with Horizon Client.

Horizon Client also supports file-based provisioning. When a file-based software token is issued to a user, the authentication server generates an XML-format token file called an SDTID file. Horizon Client can import the SDTID file directly. Users can also start Horizon Client by tapping the SDTID file in a file browser.

After the software token is installed, end users enter a PIN to authenticate. With external RSA tokens, end users must enter a PIN and the token code generated by a hardware or software authentication token.

The following URL prefixes are supported for end users that copy and paste the URL into Horizon Client when Horizon Client is connected to an RSA-enabled Connection Server instance:

  • viewclient-securid://
  • http://127.0.0.1/securid/

End users can install the token by tapping the URL. Both the viewclient-securid:// and http://127.0.0.1/securid/ prefixes are supported. Not all browsers support hyperlinks that begin with http://127.0.0.1. Some file browsers, such as the File Manager app on the ASUS Transformer Pad, cannot link the SDTID file with Horizon Client.

For information about using dynamic seed provisioning or file-based (CTF) provisioning, see the Web page RSA SecurID Software Token for iPhone Devices at http://www.rsa.com/node.aspx?id=3652 or RSA SecurID Software Token for Android at http://www.rsa.com/node.aspx?id=3832.

Instructions to End Users

When you create a CTFString URL or CT-KIP URL to send to end users, you can generate a URL with or without a password or activation code. Send this URL to end users in an email that includes the following information.

  • Instructions for navigating to the Install Software Token dialog box.

    Instruct end users to tap External Token in the Horizon Client dialog box that prompts them for RSA SecurID credentials when they connect to a Connection Server instance.

  • CTFString URL or CT-KIP URL in plain text.

    If the URL has formatting on it, end users receive an error message when they try to use it in Horizon Client.

  • Activation code, if the CT-KIP URL that you create does not already include the activation code.

    End users must enter this activation code in a text box of the dialog box.

  • If the CT-KIP URL includes an activation code, instruct end users that they need not enter a value in the Password or Activation Code text box in the Install Software Token dialog box.