Setting Up Two Factor Authentication - RSA SecurID (feature available only in the Premium and Enterprise editions)
Summary of steps:
- Configuring two factor authentication in Password Manager Pro.
- Setting up Password Manager Pro - RSA SecurID integration.
- Enforcing two factor authentication for required users.
Step 1: Configuring two factor authentication in Password Manager Pro
- Navigate to Admin >> Authentication >> Two-factor Authentication.
- Choose the option RSA SecurID.
- Click "Save".
Step 2: Setting up Password Manager Pro - RSA SecurID integration
RSA SecurID
If you have RSA Authentication Manager and RSA SecurID Appliance in your environment, you can integrate them with Password Manager Pro and leverage RSA SecurID authentication as the second level of authentication.
For RSA SecurID authentication, Password Manager Pro communicates with RSA Authentication Manager using the RSA APIs. Password Manager Pro sends the user credential to RSA Authentication Manager, which validates and sends back the status to the Password Manager Pro server.
Password Manager Pro - RSA SecurID integration
- Register the PMP server as an Agent Host in the RSA Authentication Manager.
- Generate the RSA Authentication Manager configuration file (sdconf.rec) in RSA Authentication Manager. Copy sdconf.rec into the <PMP_Installation_Folder>/bin directory. If a node secret file (securid) also exists, copy that as well.
- In the RSA Authentication API configuration file (rsa_api.properties), located in the default application directory (<PMP Home>\bin), set the 'RSA_AGENT_HOST' property to the hostname or IP address of the PMP server.
Note: If you use the PMP high availability feature, carry out the above steps on the secondary server installation as well.
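The file-staging part of the integration steps above, written as a small script that also verifies its own result. This is an added example and not code from Password Manager Pro or RSA: the file names sdconf.rec, securid and rsa_api.properties and the property RSA_AGENT_HOST are the ones named above, but the assumption that rsa_api.properties is a KEY=value (Java properties style) file, the directory layout built by demo(), and the host name pmp-primary.example.com are constructed for the illustration.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

PROPERTY = "RSA_AGENT_HOST"


def stage_rsa_files(pmp_home, source_dir, agent_host):
    """Copy sdconf.rec (and the node secret file, if present) into <PMP_Home>/bin and
    set RSA_AGENT_HOST in rsa_api.properties. Returns what was done, for verification.
    Assumption: rsa_api.properties is a KEY=value (Java properties style) file."""
    bin_dir = Path(pmp_home) / "bin"
    bin_dir.mkdir(parents=True, exist_ok=True)
    source = Path(source_dir)
    done = {"sdconf": False, "node_secret": False, "agent_host": None}

    sdconf = source / "sdconf.rec"
    if not sdconf.is_file():
        raise FileNotFoundError("sdconf.rec missing: generate it in RSA Authentication Manager first")
    shutil.copy2(sdconf, bin_dir / "sdconf.rec")
    done["sdconf"] = True

    secret = source / "securid"
    if secret.is_file():
        dest = bin_dir / "securid"
        shutil.copy2(secret, dest)
        os.chmod(dest, stat.S_IRUSR | stat.S_IWUSR)   # node secret: owner read/write only
        done["node_secret"] = True

    props = bin_dir / "rsa_api.properties"
    lines = props.read_text().splitlines() if props.is_file() else []
    replaced = False
    for i, line in enumerate(lines):
        if line.split("=", 1)[0].strip() == PROPERTY:
            lines[i] = f"{PROPERTY}={agent_host}"   # overwrite an existing value in place
            replaced = True
    if not replaced:
        lines.append(f"{PROPERTY}={agent_host}")
    props.write_text("\n".join(lines) + "\n")
    done["agent_host"] = read_agent_host(props)
    return done


def read_agent_host(props_path):
    """Return the RSA_AGENT_HOST value currently in rsa_api.properties, or None."""
    for line in Path(props_path).read_text().splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROPERTY:
            return value.strip()
    return None


def demo():
    """Run the staging step against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src, home = Path(tmp) / "from_rsa", Path(tmp) / "pmp"
        src.mkdir()
        (home / "bin").mkdir(parents=True)
        (src / "sdconf.rec").write_bytes(b"\x00constructed-sdconf\x00")   # constructed content
        (src / "securid").write_bytes(b"constructed-node-secret")         # constructed content
        (home / "bin" / "rsa_api.properties").write_text(
            "# constructed sample\nRSA_AGENT_HOST=old-host\nOTHER_SETTING=keep\n")
        done = stage_rsa_files(home, src, "pmp-primary.example.com")
        remaining = (home / "bin" / "rsa_api.properties").read_text().splitlines()
        copied = sorted(p.name for p in (home / "bin").iterdir())
        return done, remaining, copied


if __name__ == "__main__":
    print(demo())
```

On a high availability setup the same function would be run with the secondary server's own hostname as agent_host, which is the point of the note above: each PMP node must be registered and configured as its own Agent Host.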
RSA SecurID - Flow of events
Before authentication can take place, use the RSA Security Console to enter all desired Password Manager Pro users into RSA Authentication Manager, assign tokens to them and activate them on the appropriate Agent Host. Ensure that the user name in RSA Authentication Manager and the corresponding one in Password Manager Pro are the same. For existing RSA users whose user name in Password Manager Pro differs from the one in RSA Authentication Manager, you can map the names in Password Manager Pro instead of editing the name in RSA. This mapping is done by editing the Password Manager Pro user properties.
(For example, assume that you have imported a user from Active Directory into Password Manager Pro with the username ADVENTNET\rob, while in RSA Authentication Manager the username is recorded as 'rob'. Without further action, the usernames in Password Manager Pro and RSA Authentication Manager will not match. To avoid that, create a mapping in Password Manager Pro so that ADVENTNET\rob is mapped to rob.)
The following sequence describes a typical Password Manager Pro - RSA SecurID authentication process. Note that users must authenticate twice: first with their local Azure AD/AD/LDAP passwords, and then with their RSA SecurID tokens.
- A user tries to access Password Manager Pro web-interface.
- Password Manager Pro authenticates the user through Active Directory, LDAP or its local user store.
- Password Manager Pro prompts the user for a username and RSA SecurID passcode and forwards the credentials to RSA Authentication Manager through the RSA Runtime API.
- RSA Authentication Manager authenticates the user and returns a message to Password Manager Pro.
- Password Manager Pro grants the user access to the requested resource.
Step 3: Enforcing two factor authentication for required users
In Step 1 above, you have chosen 'RSA SecurID' for two factor authentication. Now, you need to apply two factor authentication for the required users.
To enforce two factor authentication for a user,
- Navigate to "Users" tab.
- Click the button "Set 2-factor authentication" from the "More Actions" list.
- In the UI that opens, select the users for whom two factor authentication is to be enforced.
- Click "Save".
How to connect to Password Manager Pro web-interface when TFA is enabled?
The users for whom two factor authentication is enabled will have to authenticate twice in succession. As explained above, the first level of authentication is the usual one: the users authenticate through Password Manager Pro's local authentication or AD/LDAP authentication. Depending on the type of TFA chosen by the administrator, the second level of authentication differs, as explained below:
- Upon launching the Password Manager Pro web-interface, the user has to enter the username and local authentication or AD/LDAP password to login to Password Manager Pro and click "Login".
- In the text field "RSA Passcode", enter the RSA SecurID passcode. The passcode could be a combination of PIN and Tokencode, just the Tokencode alone, or an On-Demand PIN, depending on the configuration done in RSA Authentication Manager.
- If you want to leverage RSA On-Demand authenticator, select "RSA On-Demand" and proceed. In this case, you need to give the On-Demand Tokencode as specified in case 3 below.
TFA using SecurID - Different scenarios in logging into Password Manager Pro
Case 1 - Entering user generated / system created PIN
As mentioned above, the RSA passcode could be a combination of PIN and tokencode, just the tokencode alone, or a password, depending on the configuration done in RSA Authentication Manager. If the settings in the RSA Security Console require users to create a PIN on their own or to use a system generated PIN, the following screen is shown to the users after step 2 (that is, after entering the first password and the RSA tokencode to log in to Password Manager Pro).
User Created PIN
In the case of a user created PIN, users get the option to enter a PIN of their own. The PIN must consist of numeric characters, minimum 4 and maximum 8 characters. After entering the PIN, the user has to wait until the RSA tokencode changes to a new value. Then, in the next screen, enter the new PIN and the RSA tokencode to authenticate.
System Created PIN
In the case of system created PIN, Password Manager Pro itself will randomly generate a PIN and it will be shown on the screen. Users will have to note down the new PIN and wait for a while until the RSA tokencode changes to a new value. Then, in the next screen, the users will have to enter the new PIN as generated by the system and the RSA tokencode to authenticate.
Case 2: New Tokencode Mode
If a user attempts to log in to Password Manager Pro using a random or guessed RSA passcode a specified number of times, RSA Authentication Manager switches to next tokencode mode to verify that the user actually possesses the token. In that case, PMP prompts for the next tokencode during the login: the user has to wait until the RSA device shows a new tokencode and enter that new code to proceed with logging in to Password Manager Pro.
Note: If the new tokencode entered by the user is wrong, Password Manager Pro will revert to the initial login screen. Users will have to start from entering the username again.
Case 3: Tokencode Mode
When RSA On-Demand authenticator is configured, you need to supply the Tokencode to log into Password Manager Pro. Tokencode will be sent to the registered email id or mobile number as configured in the RSA On-Demand authentication system.
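The flow of events listed above (first factor, then the RSA passcode forwarded to RSA Authentication Manager under the mapped user name), together with the three scenarios just described, as a runnable model. This is an added example, not Password Manager Pro's code and not the RSA Runtime API: StubAuthManager is a constructed stand-in that returns the kinds of results the page describes; the users, passwords, PINs and tokencodes are constructed (only the ADVENTNET\rob to rob mapping is the page's own example); and the threshold of three wrong passcodes before next tokencode mode is an assumed value, since the page gives no number.

```python
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    FIRST_FACTOR_FAILED = "first factor failed"          # back to the login screen
    PASSCODE_REQUIRED = "RSA passcode required"          # first factor passed, TFA enforced
    ACCESS_GRANTED = "access granted"
    SECOND_FACTOR_FAILED = "second factor failed"        # back to the login screen
    NEW_PIN_REQUIRED = "new PIN required"                # Case 1
    NEXT_TOKENCODE_REQUIRED = "next tokencode required"  # Case 2


@dataclass
class StubAuthManager:
    """Constructed stand-in for RSA Authentication Manager; not the RSA API."""
    tokens: dict                  # RSA username -> successive codes the token displays
    pins: dict                    # RSA username -> PIN, or None if the user has no PIN yet
    max_failures: int = 3         # assumed threshold for Case 2; the page gives no number
    failures: dict = field(default_factory=dict)
    position: dict = field(default_factory=dict)
    last_code: dict = field(default_factory=dict)
    pending_next: set = field(default_factory=set)

    def current_code(self, user):
        return self.tokens[user][self.position.get(user, 0)]

    def token_rolls_over(self, user):
        self.position[user] = self.position.get(user, 0) + 1   # time passes: next code

    def check(self, user, passcode):
        """Validate PIN+tokencode, or the tokencode alone when no PIN is set."""
        if user not in self.tokens:              # unmapped name: RSA has no such user
            return Outcome.SECOND_FACTOR_FAILED
        pin = self.pins.get(user)
        if passcode != (pin or "") + self.current_code(user):
            self.failures[user] = self.failures.get(user, 0) + 1
            return Outcome.SECOND_FACTOR_FAILED
        self.last_code[user] = self.current_code(user)
        if self.failures.pop(user, 0) >= self.max_failures:
            # Case 2: after repeated failures, possession of the token is proved with the next code
            self.pending_next.add(user)
            return Outcome.NEXT_TOKENCODE_REQUIRED
        if pin is None:
            return Outcome.NEW_PIN_REQUIRED      # Case 1
        return Outcome.ACCESS_GRANTED

    def check_next(self, user, code):
        pending = user in self.pending_next
        self.pending_next.discard(user)
        # Case 2: accept only the code now displayed, and not the one already used
        if pending and code == self.current_code(user) and code != self.last_code.get(user):
            return Outcome.ACCESS_GRANTED
        return Outcome.SECOND_FACTOR_FAILED      # PMP returns to the login screen

    def set_pin(self, user, pin):
        """Case 1, user-created PIN: numeric, 4 to 8 characters."""
        if not (pin.isdigit() and 4 <= len(pin) <= 8):
            return False
        self.pins[user] = pin
        return True


@dataclass
class PasswordManagerPro:   # constructed model of the product side; not the product's code
    local_users: dict    # PMP username -> first-factor password (plain text for the demo only)
    rsa_name_map: dict   # PMP username -> RSA username, from the user's properties
    tfa_users: set       # users for whom TFA is enforced (Step 3)
    rsa: StubAuthManager

    def rsa_user(self, username):
        return self.rsa_name_map.get(username, username)   # unmapped names are used as-is

    def login(self, username, password):
        if self.local_users.get(username) != password:
            return Outcome.FIRST_FACTOR_FAILED
        if username not in self.tfa_users:
            return Outcome.ACCESS_GRANTED
        return Outcome.PASSCODE_REQUIRED         # second prompt: RSA Passcode

    def submit_passcode(self, username, passcode):
        return self.rsa.check(self.rsa_user(username), passcode)

    def submit_next_tokencode(self, username, code):
        return self.rsa.check_next(self.rsa_user(username), code)

    def submit_new_pin(self, username, pin):
        return self.rsa.set_pin(self.rsa_user(username), pin)


def build_demo():
    """Constructed users, tokens and PINs; ADVENTNET\\rob -> rob is the page's example."""
    rsa = StubAuthManager(
        tokens={"rob": ["111111", "222222"], "alice": ["333333", "444444"],
                "carol": ["555555", "666666", "777777"], "dave": ["888888"]},
        pins={"rob": "1234", "alice": None, "carol": "9876", "dave": "0000"})
    return PasswordManagerPro(
        local_users={"ADVENTNET\\rob": "pw-rob", "alice": "pw-alice",
                     "carol": "pw-carol", "ADVENTNET\\dave": "pw-dave"},
        rsa_name_map={"ADVENTNET\\rob": "rob"},   # dave is left unmapped on purpose
        tfa_users={"ADVENTNET\\rob", "alice", "carol", "ADVENTNET\\dave"}, rsa=rsa)
```

The unmapped user ADVENTNET\dave shows why the name mapping matters: the first factor succeeds, but the passcode is forwarded under a name RSA Authentication Manager does not know, so the second factor can never pass until the mapping (or the RSA user name) is corrected.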
If you have configured High Availability
Whenever you enable TFA or when you change the TFA type (PhoneFactor or RSA SecurID or One-time password or RADIUS or Duo) AND if you have configured high availability, you need to restart the Password Manager Pro secondary server once.