Advanced Identity Cloud

RSA SecurID node

The RSA SecurID node lets users authenticate using their registered RSA authenticators.


Product Compatible?

PingOne Advanced Identity Cloud


ForgeRock Access Management (self-managed)


ForgeRock Identity Platform (self-managed)



The username attribute must exist in the shared node state as an input to the node.


Property Usage

Base URL

The RSA endpoint.

  • For connections to the RSA Cloud Authentication Service, such as

  • For connections through RSA Authentication Manager, such as https://RSA.AM.server:5555/mfa/v1_1

Client ID

The name used by this node as the client ID for connecting to the RSA endpoint. This can contain alphanumeric English characters only.

  • For connections to the RSA Cloud Authentication Service, this can be any string. End users will see this value as part of push notification messages, and administrators will see this as the application name in the User Event Monitor of the RSA Cloud Administration Console.

    Example: ForgeRock Login Journey.

  • For connections to RSA Authentication Manager, this value must match an Authentication Agent name configured in the RSA Authentication Manager Security Console.

    Example: MyAgentName

Assurance Policy ID

The name of the RSA Cloud Authentication Service policy to use. This name can contain alphanumeric English characters only. This name is required for connections to RSA Authentication Manager only when RSA AM acts as a proxy for connections to the cloud.

Example: All Users Medium Assurance Level.

Client Key

The API key for connecting to the RSA endpoint.

  • For the RSA Cloud Authentication Service, this value can be generated or obtained using the RSA Cloud Administration Console, My Account > Company Settings > Authentication API Keys.

  • For RSA Authentication Manager, this value can be found in the RSA Security Console, Setup > System Settings > RSA SecurID Authentication API (Access Key).

Verify SSL

A boolean to verify the SSL connection. It is enabled by default. If disabled, the node ignores SSL/TLS errors, including hostname mismatch and certificates signed by an unknown Certificate Authority, such as self-signed certificates.

Prompt for MFA Choice

The string to display to end users on the MFA selection input page.

Example: Select your preferred Authentication Method.

Waiting Message

The string to display to end users when a push notification has been sent to the user’s registered device.

Example: Please check your registered mobile device for an authentication prompt.





The user completed the RSA authentication process and does not require any further steps according to the RSA Assurance Policy this node references.


The user has failed the RSA MFA authentication.

Not Enrolled

The user is not enrolled in any RSA authentication methods required by the specified policy.


The user pressed the cancel button.


An error occurred. Refer to Troubleshooting.


Review the log messages to find the reason for the error and address the issue appropriately.

Limitations and known issues

  • The RSA SecurID node supports most RSA authentication methods; however, the following RSA authentication methods are not supported:

    • FIDO: Customers can consider using the ForgeRock WebAuthn nodes as an alternative.

    • LDAP Directory Password or RSA Cloud Authentication Service password: Customers can consider using ForgeRock Platform Password and Data Store Decision nodes, or Pass-through Authentication nodes as alternatives.

  • SecurID tokens are not supported in Next Tokencode mode.

  • RSA API returns multiple authentication options when only the New PIN mode option should be returned. This situation occurs when all these conditions are met:

    • The RSA SecurID node connects to the RSA Cloud Authentication Service directly or through RSA Authentication Manager as a proxy.

    • The configured policy & assurance level & user-enrolled authenticators include SecurID and other authentication methods.

    • The user selects the SecurID option, and their SecurID token is in new PIN mode.

      Seeing multiple options can be confusing when only the New PIN option is expected. The RSA team is aware of this RSA API behavior and is evaluating ways to correct the behavior to ensure that the REST API returns only the SecurID new PIN and passcode prompts.

  • The RSA SecurID node only supports English characters for:

    • Client ID

    • Assurance Policy ID


Advanced Identity Cloud provides sample journeys. You can download the JSON file to understand and implement the most common RSA SecurID use cases.

This example journey highlights using the RSA SecurID node to authenticate users:

rsa securid journey
Copyright © 2010-2024 ForgeRock, all rights reserved.