RSA SecurID node

The RSA SecurID node lets users authenticate using their registered RSA authenticators.

Compatibility

Product	Compatible?
ForgeRock Identity Cloud	Yes
ForgeRock Access Management (self-managed)	No
ForgeRock Identity Platform (self-managed)	No

Product

Compatible?

ForgeRock Identity Cloud

Yes

ForgeRock Access Management (self-managed)

ForgeRock Identity Platform (self-managed)

Inputs

The username attribute must exist in the shared node state as an input to the node.

Configuration

Property	Usage
Base URL	The RSA endpoint. For connections to the RSA Cloud Authentication Service, such as https://companyname.auth.securid.com:443/mfa/v1_1 For connections through RSA Authentication Manager, such as https://RSA.AM.server:5555/mfa/v1_1
Client ID	The name used by this node as the client ID for connecting to the RSA endpoint. This can contain alphanumeric English characters only. For connections to the RSA Cloud Authentication Service, this can be any string. End users will see this value as part of push notification messages, and administrators will see this as the application name in the User Event Monitor of the RSA Cloud Administration Console. Example: ForgeRock Login Journey. For connections to RSA Authentication Manager, this value must match an Authentication Agent name configured in the RSA Authentication Manager Security Console. Example: MyAgentName
Assurance Policy ID	The name of the RSA Cloud Authentication Service policy to use. This name can contain alphanumeric English characters only. This name is required for connections to RSA Authentication Manager only when RSA AM acts as a proxy for connections to the cloud. Example: All Users Medium Assurance Level.
Client Key	The API key for connecting to the RSA endpoint. For the RSA Cloud Authentication Service, this value can be generated or obtained using the RSA Cloud Administration Console, My Account > Company Settings > Authentication API Keys. For RSA Authentication Manager, this value can be found in the RSA Security Console, Setup > System Settings > RSA SecurID Authentication API (Access Key).
Verify SSL	A boolean to verify the SSL connection. It is enabled by default. If disabled, the node ignores SSL/TLS errors, including hostname mismatch and certificates signed by an unknown Certificate Authority, such as self-signed certificates.
Prompt for MFA Choice	The string to display to end users on the MFA selection input page. Example: Select your preferred Authentication Method.
Waiting Message	The string to display to end users when a push notification has been sent to the user’s registered device. Example: Please check your registered mobile device for an authentication prompt.

Property

Usage

Base URL

The RSA endpoint.

For connections to the RSA Cloud Authentication Service, such as https://companyname.auth.securid.com:443/mfa/v1_1
For connections through RSA Authentication Manager, such as https://RSA.AM.server:5555/mfa/v1_1

Client ID

The name used by this node as the client ID for connecting to the RSA endpoint. This can contain alphanumeric English characters only.

For connections to the RSA Cloud Authentication Service, this can be any string. End users will see this value as part of push notification messages, and administrators will see this as the application name in the User Event Monitor of the RSA Cloud Administration Console.

Example: ForgeRock Login Journey.
For connections to RSA Authentication Manager, this value must match an Authentication Agent name configured in the RSA Authentication Manager Security Console.

Example: MyAgentName

Assurance Policy ID

The name of the RSA Cloud Authentication Service policy to use. This name can contain alphanumeric English characters only. This name is required for connections to RSA Authentication Manager only when RSA AM acts as a proxy for connections to the cloud.

Example: All Users Medium Assurance Level.

Client Key

The API key for connecting to the RSA endpoint.

For the RSA Cloud Authentication Service, this value can be generated or obtained using the RSA Cloud Administration Console, My Account > Company Settings > Authentication API Keys.
For RSA Authentication Manager, this value can be found in the RSA Security Console, Setup > System Settings > RSA SecurID Authentication API (Access Key).

Verify SSL

A boolean to verify the SSL connection. It is enabled by default. If disabled, the node ignores SSL/TLS errors, including hostname mismatch and certificates signed by an unknown Certificate Authority, such as self-signed certificates.

Prompt for MFA Choice

The string to display to end users on the MFA selection input page.

Example: Select your preferred Authentication Method.

Waiting Message

The string to display to end users when a push notification has been sent to the user’s registered device.

Example: Please check your registered mobile device for an authentication prompt.

Outputs

None

Outcomes

Success: The user completed the RSA authentication process and does not require any further steps according to the RSA Assurance Policy this node references.
Failure: The user has failed the RSA MFA authentication.
Not Enrolled: The user is not enrolled in any RSA authentication methods required by the specified policy.
Cancel: The user pressed the cancel button.
Error: An error occurred. Refer to Troubleshooting.

Troubleshooting

Review the log messages to find the reason for the error and address the issue appropriately.

Limitations and known issues

The RSA SecurID node supports most RSA authentication methods; however, the following RSA authentication methods are not supported:
- FIDO: Customers can consider using the ForgeRock WebAuthn nodes as an alternative.
- LDAP Directory Password or RSA Cloud Authentication Service password: Customers can consider using ForgeRock Platform Password and Data Store Decision nodes, or Pass-through Authentication nodes as alternatives.
SecurID tokens are not supported in Next Tokencode mode.
RSA API returns multiple authentication options when only the New PIN mode option should be returned. This situation occurs when all these conditions are met:
- The RSA SecurID node connects to the RSA Cloud Authentication Service directly or through RSA Authentication Manager as a proxy.
- The configured policy & assurance level & user-enrolled authenticators include SecurID and other authentication methods.
- The user selects the SecurID option, and their SecurID token is in new PIN mode.
  
  Seeing multiple options can be confusing when only the New PIN option is expected. The RSA team is aware of this RSA API behavior and is evaluating ways to correct the behavior to ensure that the REST API returns only the SecurID new PIN and passcode prompts.
The RSA SecurID node only supports English characters for:
- Client ID
- Assurance Policy ID

Examples

Identity Cloud provides sample journeys. You can download the JSON file to understand and implement the most common RSA SecurID use cases.

This example journey highlights using the RSA SecurID node to authenticate users: