Setting up Two Factor Authentication - RSA SecurID
(Feature available only in Premium and Enterprise Editions)
Step 1: Setting up Two Factor Authentication
The first step is to enable two factor authentication. To do that,
- Go to the "Admin" tab and click "Two Factor Authentication"
- Choose the option "RSA SecurID". Administrators can also enable RSA On-Demand authentication by selecting the On-Demand authentication check box.
If you have RSA Authentication Manager and RSA SecurID Appliance in your environment, you can integrate them with PMP and leverage the RSA SecurID authentication as the second level of authentication.
For RSA SecurID authentication, PMP communicates with RSA Authentication Manager using the RSA APIs. PMP sends the user credential to RSA Authentication Manager, which validates and sends back the status to the PMP server.
PMP - RSA SecurID Integration
Following are the important steps involved in PMP-RSA SecurID Integration.
- Register the PMP server as an Agent Host in the RSA Authentication Manager
- Generate the RSA Authentication Manager configuration file (sdconf.rec) in RSA Authentication Manager and copy it to the <PMP_Installation_Folder>/bin directory. If a node secret file (securid) also exists, copy that as well
- Set the 'RSA_AGENT_HOST' property in the RSA Authentication API configuration file (rsa_api.properties), located in the default application directory (<PMP Home>\bin), to the PMP server hostname or IP address
Important Note: If you are making use of the PMP high availability feature, you need to carry out the above steps in the secondary server installation as well.
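As an added illustration (not ManageEngine's or RSA's code), the following POSIX shell function checks that the agent files named in the steps above are in place and sets RSA_AGENT_HOST in rsa_api.properties; it assumes a Java-style key=value properties file and takes the <PMP Home>/bin path and the PMP hostname or IP address as arguments. On Windows installations the same edit is made in <PMP Home>\bin by hand or in PowerShell.

```shell
#!/bin/sh
# Added illustration, not ManageEngine's code: check the RSA agent files from
# the integration steps and set RSA_AGENT_HOST in rsa_api.properties.
# Assumes a key=value properties file and a POSIX shell.
# Usage: configure_rsa_agent "<PMP Home>/bin" <pmp-hostname-or-ip>

configure_rsa_agent() {
    bin_dir="$1"
    agent_host="$2"
    props="$bin_dir/rsa_api.properties"

    # sdconf.rec is mandatory; it is generated in RSA Authentication Manager
    # and copied next to the PMP binaries.
    if [ ! -f "$bin_dir/sdconf.rec" ]; then
        echo "missing $bin_dir/sdconf.rec (generate it in RSA Authentication Manager)" >&2
        return 1
    fi
    # The node secret is optional: it is only copied if one already exists.
    if [ ! -f "$bin_dir/securid" ]; then
        echo "note: no node secret file (securid) in $bin_dir" >&2
    fi

    if [ ! -f "$props" ]; then
        echo "missing $props" >&2
        return 1
    fi
    if grep -q '^RSA_AGENT_HOST=' "$props"; then
        # Replace the existing value: write to a temp file, then move it over.
        sed "s|^RSA_AGENT_HOST=.*|RSA_AGENT_HOST=$agent_host|" "$props" > "$props.tmp" \
            && mv "$props.tmp" "$props"
    else
        printf 'RSA_AGENT_HOST=%s\n' "$agent_host" >> "$props"
    fi
}

# Read the configured value back, so the primary and the secondary HA node
# can both be checked for the same setting after the edit.
rsa_agent_host() {
    sed -n 's/^RSA_AGENT_HOST=//p' "$1/rsa_api.properties" | tail -n 1
}
```

Run it on each HA node and compare the output of rsa_agent_host; the secondary server still needs its restart as noted at the end of this page.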
Two-factor Authentication using RSA SecurID - Flow of Events
Before authentication can take place, use the RSA Security Console to enter all desired PMP users into RSA Authentication Manager, assign tokens to them and activate them on the appropriate Agent Host. Ensure that the user name in RSA Authentication Manager and the corresponding one in PMP are the same. If, for existing RSA users, the user name in PMP differs from the one in RSA Authentication Manager, you can map the names in PMP instead of editing the name in RSA. This is done by editing the PMP user properties. For example, assume that in PMP you have imported a user from Active Directory whose username in PMP is ADVENTNET\rob, while in RSA Authentication Manager the username is recorded as 'rob'. Normally there would be a mismatch of usernames between PMP and RSA Authentication Manager; to avoid that, you can create a mapping in PMP so that ADVENTNET\rob is mapped to rob.
The following sequence describes a typical PMP - RSA SecurID authentication process. Note that users must authenticate twice: first with their local LDAP or Active Directory passwords, and then with their RSA SecurID tokens.
- A user tries to access the PMP web interface
- PMP authenticates the user through Active Directory, LDAP or local authentication
- PMP prompts the user for a username and RSA SecurID passcode and forwards the credentials to RSA Authentication Manager through the RSA Runtime API.
- RSA Authentication Manager authenticates the user and returns a message to PMP.
- PMP grants the user access to the requested resource.
Step 2: Enforcing Two Factor Authentication for Required Users
In Step 1 above, you have chosen RSA SecurID as the option for two factor authentication. After choosing this option, you need to apply two factor authentication for the required users.
To enforce two factor authentication for a user,
- Go to "Admin" >> "Users"
- Click the button "Set 2-factor authentication"
- In the UI that opens, select the users for whom two factor authentication is to be enforced
- Click "Save"
How to connect to PMP Web-Interface when TFA is Enabled?
The users for whom two factor authentication is enabled will have to authenticate twice in succession. As explained above, the first level of authentication is the usual authentication: the users authenticate through PMP's local authentication or AD/LDAP authentication. Depending on the type of TFA chosen by the administrator, the second level of authentication differs as explained below:
Note: When TFA is enabled, the login screen will ask for the username alone in the first UI. The users will be prompted to enter the passwords only in the second step.
TFA using RSA SecurID - Workflow
If the administrator has chosen TFA through RSA SecurID, the two factor authentication will happen as detailed below:
- Upon launching the PMP web interface, the user has to enter the username to log in to PMP and click "Login"
- Against the text field "Password", the user has to enter the local authentication password or AD/LDAP domain password as applicable
- Against the text field "RSA Passcode", enter the RSA SecurID passcode. The passcode could be a combination of PIN and Tokencode or just Tokencode alone or On-Demand PIN depending on the configuration done in RSA Authentication Manager
- If you want to leverage the RSA On-Demand authenticator, select "RSA On-Demand" and proceed. In this case, you need to enter the On-Demand Tokencode as specified in case 3 below.
TFA using RSA SecurID: Different Scenarios in logging into PMP
Case 1: Entering user generated / system created PIN
As mentioned above, the RSA passcode could be a combination of PIN and tokencode, just the tokencode alone, or a password, depending on the configuration done in RSA Authentication Manager. If the settings in RSA Security Console require users to create a PIN on their own or use a system-generated PIN, the following screen is shown to the users after step 2 (that is, after entering the first password and RSA tokencode to log in to PMP).
Note: A token's PIN creation method is set in a token policy.
User Created PIN
In the case of a user created PIN, users get the option to enter a PIN of their own. The PIN must consist of numeric characters only and be 4 to 8 characters long. After entering the PIN, the user has to wait until the RSA tokencode changes to a new value. Then, in the next screen, enter the new PIN and the RSA tokencode to authenticate.
System Created PIN
In the case of system created PIN, PMP itself will randomly generate a PIN and it will be shown on the screen. Users will have to note down the new PIN and wait for a while until the RSA tokencode changes to a new value. Then, in the next screen, the users will have to enter the new PIN as generated by the system and the RSA tokencode to authenticate.
Case 2: New Tokencode Mode
If a user attempts to log in to PMP with a random or guessed RSA passcode a specified number of times, RSA Authentication Manager switches to next tokencode mode to verify that the user actually possesses the token. In that case, PMP prompts for the next tokencode during login: the user has to wait until the RSA device shows a new tokencode and then enter the new code to proceed with logging in to PMP.
Note: If the new tokencode entered by the user is wrong, PMP will revert to the initial login screen. Users will have to start again from entering the username.
Case 3: Tokencode Mode
When the RSA On-Demand authenticator is configured, you need to supply the Tokencode to log in to PMP. The Tokencode is sent to the registered email ID or mobile number as configured in the RSA On-Demand authentication system.
If you have configured High Availability
Whenever you enable TFA or when you change the TFA type (PhoneFactor or RSA SecurID or One-time password) AND if you have configured high availability, you need to restart the PMP secondary server once.