A simple authentication node for ForgeRock's [Identity Platform][forgerock_platform] 7.3.0 and above. The RSA SecurID node lets you use the RSA Cloud Authentication Service (RSA ID Plus) or RSA Authentication Manager from within an authentication journey on your Identity Cloud environment.
Copy the .jar file from the ../target directory into the ../web-container/webapps/openam/WEB-INF/lib directory where AM is deployed. Restart the web container to pick up the new node. The node will then appear in the authentication trees components palette.
This node lets users authenticate using their registered RSA authenticators, including:
- SecurID OTP (hardware and software tokens), including new PIN mode
- SecurID Authenticate OTP
- Emergency Access Code
- Approve (Push Notifications)
- Device Biometrics
- QR Code
- SMS OTP
- Voice OTP
Identity Cloud provides sample journeys to help you understand the most common RSA SecurID use cases. To use the samples, download the JSON files for sample journeys and import the downloaded sample journeys into your Identity Cloud environment.
To use this node, you must:
- Enroll RSA authenticators. Refer to RSA SecurID setup for more information.
- Ensure the username in the shared node state matches one of the following:
  - The username, alternate username, or email address of the user in the RSA Cloud Authentication Service.
  - The username in RSA Authentication Manager.
The RSA SecurID node in Identity Cloud can be used with the RSA Cloud Authentication Service or RSA Authentication Manager. Depending on which integration you choose, the RSA setup differs slightly.
- For the RSA Cloud Authentication Service, configure the following using the RSA Cloud Administration Console:
  - Assurance Levels: Refer to the Configure Assurance Levels page in the RSA documentation.
  - Policies: Refer to the Manage Access Policies page in the RSA documentation. Note the policy name; you will use it when configuring the RSA SecurID node in your Identity Cloud journey.
  - Authentication API Keys: Refer to the Manage the SecurID API Keys page in the RSA documentation. Note the SecurID Authentication API REST URL and the Authentication API key; you will use them when configuring the RSA SecurID node in your Identity Cloud journey.
  - End users enroll their RSA authenticators: Refer to the Manage My Page page in the RSA documentation.
- For RSA Authentication Manager, configure the following using the RSA Authentication Manager Security Console:
  - Go to Access > Authentication Agents > Add New and add a new access agent. Note the Authentication Agent name; you will need it when configuring the RSA SecurID node in your Identity Cloud journey. For additional information, refer to the Add an Authentication Agent page in the RSA documentation.
  - Go to Setup > System Settings > RSA SecurID Authentication API and note the access key. You will use this key in the SecurID node configuration. For additional information, refer to the Configure the RSA SecurID Authentication API for Authentication Agents page in the RSA documentation.
  - Get the REST API URL for your RSA environment from your RSA Authentication Manager administrator; you will need it when configuring the node.
Refer to the implementation details of the RSA SecurID node here.
The RSA SecurID node lets users authenticate using their registered RSA authenticators.
Product | Compatible? |
---|---|
ForgeRock Identity Cloud | ✓ |
ForgeRock Access Management (self-managed) | ✓ |
ForgeRock Identity Platform (self-managed) | ✓ |
The username attribute must exist in the shared node state as an input to the node.
Property | Usage |
---|---|
Base URL | The RSA endpoint. |
Client ID | The name used by this node as the client ID for connecting to the RSA endpoint. This can contain alphanumeric English characters only. |
Assurance Policy ID | The name of the RSA Cloud Authentication Service policy to use. This name can contain alphanumeric English characters only. This name is required for connections to RSA Authentication Manager only when RSA AM acts as a proxy for connections to the cloud. Example: All Users Medium Assurance Level. |
Client Key | The API key for connecting to the RSA endpoint. |
Verify SSL | A boolean to verify the SSL connection. It is enabled by default. If disabled, the node ignores SSL/TLS errors, including hostname mismatch and certificates signed by an unknown Certificate Authority, such as self-signed certificates. |
Prompt for MFA Choice | The string to display to end users on the MFA selection input page. Example: Select your preferred Authentication Method. |
Waiting Message | The string to display to end users when a push notification has been sent to the user’s registered device. Example: Please check your registered mobile device for an authentication prompt. |
None
- Success: The user completed the RSA authentication process and does not require any further steps according to the RSA Assurance Policy this node references.
- Failure: The user has failed the RSA MFA authentication.
- Not Enrolled: The user is not enrolled in any RSA authentication methods required by the specified policy.
- Cancel: The user pressed the cancel button.
- Error: An error occurred. Refer to the 'Troubleshooting' section.
Review the log messages to find the reason for the error and address the issue appropriately.
The RSA SecurID node supports most RSA authentication methods; however, the following RSA authentication methods are not supported:
- FIDO: Customers can consider using the ForgeRock WebAuthn nodes as an alternative.
- LDAP Directory Password or RSA Cloud Authentication Service password: Customers can consider using the ForgeRock Platform Password and Data Store Decision nodes, or the Pass-through Authentication node, as alternatives.
- SecurID tokens are not supported in Next Tokencode mode.
The RSA API returns multiple authentication options when only the New PIN mode option should be returned. This situation occurs when all of these conditions are met:
- The RSA SecurID node connects to the RSA Cloud Authentication Service directly or through RSA Authentication Manager as a proxy.
- The configured policy, assurance level, and user-enrolled authenticators include SecurID as well as other authentication methods.
- The user selects the SecurID option, and their SecurID token is in new PIN mode.
Seeing multiple options can be confusing when only the New PIN option is expected. The RSA team is aware of this RSA API behavior and is evaluating ways to correct it so that the REST API returns only the SecurID new PIN and passcode prompts.
The RSA SecurID node only supports English characters for:
- Client ID
- Assurance Policy ID
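The property table and the limitations above define several constraints that are easy to get wrong when a journey is exported and re-imported, so the following added example (not part of the node's own code) checks a node configuration against them before deployment. It assumes the configuration is available as a dictionary keyed by the property names in the table, that the shared node state is a dictionary with a `username` key, and that spaces are acceptable in the Assurance Policy ID because the page's own example policy name contains them; the https check on Base URL is an additional hygiene check beyond what the page states.

```python
import re
from typing import Any

# Constraints taken from the node's property table and limitations section.
# Spaces are allowed so the documented example "All Users Medium Assurance Level" passes.
ALNUM_ENGLISH = re.compile(r"^[A-Za-z0-9 ]+$")
REQUIRED = ("Base URL", "Client ID", "Client Key")


def check_node_config(config: dict[str, Any], shared_state: dict[str, Any]) -> list[str]:
    """Return findings for an RSA SecurID node configuration (hypothetical helper).

    An empty list means the configuration satisfies every constraint the
    documentation states; each finding names the property and the problem.
    """
    findings: list[str] = []

    for key in REQUIRED:
        if not config.get(key):
            findings.append(f"{key}: required but missing or empty")

    # Client ID and Assurance Policy ID accept alphanumeric English characters only.
    for key in ("Client ID", "Assurance Policy ID"):
        value = config.get(key)
        if value and not ALNUM_ENGLISH.match(value):
            findings.append(f"{key}: must contain alphanumeric English characters only")

    # Verify SSL defaults to enabled; when disabled the node accepts any
    # certificate, including hostname mismatches and unknown CAs.
    if config.get("Verify SSL", True) is False:
        findings.append("Verify SSL: disabled, TLS errors to the RSA endpoint will be ignored")

    # Additional check: the Client Key is a bearer secret, so the endpoint should be https.
    base_url = str(config.get("Base URL", ""))
    if base_url and not base_url.lower().startswith("https://"):
        findings.append("Base URL: not an https URL, the API key would be sent in clear text")

    # The node reads the username from shared node state; it must be set upstream.
    if not shared_state.get("username"):
        findings.append("shared state: 'username' must be present before this node runs")

    return findings
```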
Identity Cloud provides sample journeys. You can download the JSON file to understand and implement the most common RSA SecurID use cases.
This example journey highlights using the RSA SecurID node to authenticate users: