VMware Tunnel integrates with RSA Adaptive Authentication to allow end users to access internal endpoints using step-up authentication. There are two main workflows to consider when using step-up authentication with this integration:
- Users who have not set their SecurID PIN
- Users who have set their SecurID PIN
For users who have not set their SecurID PIN
In this scenario, when a user initiates a connection with the VMware Tunnel for the first time (for example, when attempting to access an internal Web site), the VMware Tunnel automatically enrolls the user in the RSA Adaptive Authentication database with the Adaptive Auth User identifier value set in the Workspace ONE UEM console. Next, the user is prompted to set the SecurID PIN. The user must remember this PIN, because it is the combination of this PIN and the SecurID token number that makes the final passcode that is required to authenticate against the authentication manager to get intranet access. On subsequent requests, users are asked to enter their passcode (PIN + token).
After the user sets the SecurID PIN for the first time and authenticates against the manager, RSA Adaptive Authentication may or may not challenge the user again for several hours. The RSA Adaptive Authentication algorithm decides when to challenge users after the initial authentication. This system is adaptive and studies the user and device patterns. Based on the data that it collects about the user and device, it then decides whether or not to challenge users on subsequent access attempts.
For users who have set their SecurID PIN
Users who have set their SecurID PIN are not asked to set their PIN again and can continue using their existing PIN. The VMware Tunnel enrolls such users in the RSA Adaptive Authentication database, and they are prompted to enter their passcode (a combination of their PIN + token).
Configure RSA Authentication in the UEM console.
In the UEM console, you must enter some of the basic information related to your RSA Adaptive Authentication environment, such as host names, admin credentials, and an Adaptive Auth user identifier, which is a unique identifier for every user in your Active Directory and Authentication Manager.
- Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel > Configuration and select the Advanced tab.
- Configure the following RSA Adaptive Authentication settings.
Setting Description RSA Adaptive Auth Integration Enable this setting if you want to integrate the Proxy component with RSA authentication for comprehensive Web browsing security. Adaptive Auth Server URL Enter your RSA Adaptive Auth server URL. This setting displays after you enable RSA Adaptive Auth Integration. Adaptive Auth Admin Username
Enter the RSA admin account user name.This setting displays after you enable RSA Adaptive Auth Integration.
Adaptive Auth Admin Password Enter the RSA admin account password for the user name you entered. This setting displays after you enable RSA Adaptive Auth Integration. Adaptive Auth Version Enter your RSA Adaptive Authentication version. This setting displays after you enable RSA Adaptive Auth Integration. Adaptive Auth User Identifier
Enter the RSA Adaptive Auth user identifier.This setting displays after you enable RSA Adaptive Auth Integration.
- Select Save.