After the Workspace ONE Access connector is configured as the authentication agent in the RSA Authentication Manager server, you set up RSA SecurID in the Workspace ONE Access console.

Note: This information applies to Workspace ONE Access connector 21.08 and later. If you are using an earlier version of the connector, see earlier versions of the Managing User Authentication Methods in Workspace ONE Access guide.

Prerequisites

  • Verify that RSA Authentication Manager (the RSA SecurID server) is installed and properly configured.
  • If you have deployed multiple RSA Authentication Manager server instances, you must configure them behind a load balancer. Make sure that you meet the requirements listed in Workspace ONE Access Requirements for RSA SecurID Load Balancer.
  • Make sure that all User Auth service instances in your environment are Workspace ONE Access Connector version 21.08. You cannot configure User Auth authentication methods if you mix connector versions 21.08 and 20.x.
  • If a proxy server is configured with the User Auth service, the communication port that is configured for the RSA Authentication Manager server must be open on the proxy server.

Procedure

  1. In the Workspace ONE Access console Integrations > Connector Authentication Methods page, click NEW and select RSA SecurID (cloud deployment).
  2. In the Directory and Hosts screen, select the directory and the service hosts to configure with this authentication method.
  3. In the Configuration page, configure the RSA SecurID authentication method settings.
    Information from the RSA Authentication Manager server is required when you configure the page.
    Option: Action
      • Number of authentication attempts allowed: Enter the maximum number of failed login attempts when using the RSA SecurID token. The default is five attempts.
        Note: When more than one directory is configured and you implement RSA SecurID authentication with additional directories, configure Number of authentication attempts allowed with the same value for each RSA SecurID configuration. If the value is not the same, SecurID authentication fails.
      • SecurID Server Hostname: Enter the RSA Authentication Manager server host name, for example, myserver.example.com. If you have configured multiple instances of the RSA Authentication Manager server behind a load balancer, enter the load balancer host name instead. For example, lb.example.com.
      • SecurID Server Communication Port: Enter the communication port of the RSA Authentication Manager instance. The default port is 5555. To get the communication port number, log in to the RSA Security Console, navigate to the Setup > System Settings > RSA SecurID Authentication API page, and copy the Communication Port number.
      • SecurID Server Access Key: Enter the Access Key from the RSA Authentication Manager instance. To get the access key, in the RSA Security Console, navigate to the Setup > System Settings > RSA SecurID Authentication API page, and copy the Access Key listed under Agent Credentials.
      • SecurID Server CA/SSL certificate: If the RSA Authentication Manager server or the load balancer server has a self-signed certificate, copy and paste the certificate into the text box. If the server has a certificate signed by a public Certificate Authority, uploading a certificate is not required.
      • Authentication Attempt timeout in seconds: Enter the number of seconds for which the authentication attempt should be available. The authentication attempt times out after that. The default value is 180 seconds.
  4. Click NEXT to review the configuration and then click SAVE.
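Before you enter the host name, port, and certificate, you can check two things from the connector host: that the communication port is reachable, and whether the server certificate validates against the system trust store, which decides whether a certificate must be pasted. The following script is an added example, not part of the product or of the original guide. It assumes the communication port speaks TLS and that the host running it has a direct route to the server (it does not test a proxy path). The function names are hypothetical.

```python
import hashlib
import socket
import ssl


def check_securid_endpoint(host, port=5555, timeout=5.0):
    """Probe host:port and report reachability and certificate trust.

    publicly_trusted is True when the chain and host name validate against
    the system trust store (no certificate needs to be pasted), False when
    validation fails (self-signed, private CA, or name mismatch), and None
    when no TLS handshake completed.
    """
    result = {"tcp_reachable": False, "publicly_trusted": None, "error": None}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"tcp: {exc}"
        return result
    result["tcp_reachable"] = True
    ctx = ssl.create_default_context()  # verifies chain and host name
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            result["publicly_trusted"] = True
    except ssl.SSLCertVerificationError as exc:
        result["publicly_trusted"] = False
        result["error"] = f"tls: {exc.verify_message}"
    except OSError as exc:  # ssl.SSLError and handshake timeouts
        result["error"] = f"tls: {exc}"
    finally:
        raw.close()
    return result


def pem_sha256_fingerprint(pem):
    """SHA-256 of the DER-encoded certificate, for out-of-band comparison."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


if __name__ == "__main__":
    host, port = "lb.example.com", 5555  # example values used in this guide
    status = check_securid_endpoint(host, port)
    print(status)
    if status["publicly_trusted"] is False:
        # Fetched without verification: confirm the fingerprint with the
        # RSA Authentication Manager administrator before pasting the PEM.
        pem = ssl.get_server_certificate((host, port))
        print("SHA-256:", pem_sha256_fingerprint(pem))
        print(pem)
```

A certificate retrieved this way is only as trustworthy as the network path it came over, so compare the printed fingerprint with the one shown on the RSA Authentication Manager server before you paste the certificate into the console.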

What to do next

Add the RSA SecurID authentication method to the built-in identity provider.

Add the authentication method to the default access policy. In the console, go to the Resources > Policies page and edit the default policy rules to add the SecurID authentication method to the rule. See Managing Access Policies in the Workspace ONE Access Service.