RSA Feature | Access Manager Support |
---|---|
Authentication method | Native SecurID authentication |
New PIN Mode (user-generated PINs) | Asks for new PIN with confirmation. The token may be in New PIN mode the first time the user logs in or the Authentication Manager Administrator can enable New PIN mode. New PIN mode requires the user to complete a sequence of forms to define, or have the system generate, a new PIN number. Oracle-Provided New PIN Forms and Functions: See Also: 'SecurID New PIN Authentication'. |
Next Tokencode | During authentication, the Authentication Manager may direct the user to provide the next tokencode that appears on their SecurID token to prove that they have the assigned token. This operation is known as Next Tokencode mode, which can be triggered by one of the following situations: See Also: 'SecurID Next Tokencode Authentication'. |
Passcode | |
Load Balancing | RSA Authentication Manager Replicas. |
Secondary server support | Yes |
SecurID user specification | Designated users |
SecurID protection of Administrators | Yes |
Access Manager features and functions |
RSA Feature | Not supported by Access Manager |
---|---|
RSA Authentication Manager 7.1 SP2 | Is not supported in an Active Directory Forest multi-domain environment |
Multiple ACE Realms | The RSA Authentication API uses an automatic response-time load balancing algorithm to determine where to send an authentication request. Such requests go to either a primary RSA Authentication Manager or a replica. The automatic algorithm can be overridden by creating a manual load balancing configuration file, sdopts.rec. However, manually weighting an RSA Authentication Manager as a server of last resort does not preclude the Agent from communicating with it. As such, a true failover setup cannot be achieved with this method. For more information, see your RSA Authentication Manager documentation. |
System Generated PINs | Not supported by Access Manager. |
Failover | Not supported for OAM SecurID Servers because only one OAM SecurID Server can perform SecurID authentication. |
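
The sdopts.rec behaviour described in the table above can be audited before relying on it. The following is an added example, not Oracle or RSA code: it assumes the `USESERVER=<ip>, <priority>` line syntax from RSA's agent documentation (2-10 weighted, 1 last resort, 0 ignore) and uses constructed sample addresses. It lists every server the agent may still contact, including those weighted as last resort.

```python
import ipaddress

# Constructed sample file contents; addresses are documentation-range placeholders.
SAMPLE_SDOPTS = """\
USESERVER=192.0.2.10, 10
USESERVER=192.0.2.11, 2
USESERVER=192.0.2.12, 1
USESERVER=192.0.2.13, 0
"""


def parse_useserver(text):
    """Return [(ip, priority)] for each USESERVER line; raise ValueError if malformed."""
    servers = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        key, _, value = raw.strip().partition("=")
        if key.strip() != "USESERVER":
            continue  # blank lines and other keywords are out of scope here
        ip, sep, prio = value.partition(",")
        if not sep or not prio.strip().isdigit() or int(prio) > 10:
            raise ValueError(f"line {lineno}: expected USESERVER=<ip>, <priority 0-10>")
        # ip_address() raises ValueError for anything that is not a valid address
        servers.append((str(ipaddress.ip_address(ip.strip())), int(prio)))
    return servers


def audit(text):
    """Group servers by assumed role and list every one the agent may still contact."""
    report = {"weighted": [], "last_resort": [], "ignored": [], "contactable": []}
    for ip, priority in parse_useserver(text):
        role = "ignored" if priority == 0 else "last_resort" if priority == 1 else "weighted"
        report[role].append(ip)
        if priority >= 1:
            # Priority 1 lowers preference only; the agent can still send requests there.
            report["contactable"].append(ip)
    return report


if __name__ == "__main__":
    for role, ips in audit(SAMPLE_SDOPTS).items():
        print(f"{role:12} {', '.join(ips) or '-'}")
```

Every address reported as contactable needs the same Agent Host registration and UDP 5500 path as the preferred servers.
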
Only one designated OAM SecurID Server can complete SecurID authentication. However, every OAM Server must be registered as an RSA Authentication Agent Host on the Authentication Manager. |
---|
Enable the OAM SecurID Server to be recognized as an Authentication Manager client. |
Port 5500 (UDP) should be available for the Authentication Manager to communicate with authentication agents (OAM SecurID Server). This service receives authentication requests from Oracle SecurID Server and sends replies. For more details, refer to your RSA Authentication Manager documentation. |
Manage authentication requests from the client to the Authentication Manager. |
Enforce two-factor authentication and block unauthorized access. |
Provide automatic load balancing by detecting replica Authentication Manager response times and routing authentication requests accordingly. |
Ensure that the system time on the client is correct to prevent the server and client from being out of sync. |
Failover is not supported for Access Manager. |
The SecurID Authentication Manager must be installed on a supported platform. |
The system time must be correct to prevent the server and client from being out of sync. |
The SecurID tokens or key fobs must be provisioned with the Authentication Manager by providing it with the token seed records.
Each user name must be mappable through an LDAP filter to a Distinguished Name in the directory.
An Authentication Manager slave and/or replicated Authentication Manager can provide failover if the primary Authentication Manager is down.
This integration requires a custom HTML login form and a properties file. Sample Oracle-provided custom HTML and custom HTML properties files can be found in: See Also:

serverRequestCacheType from COOKIE (default) to BASIC, as follows:

is_rsa=true parameter and value must be specified for RSA.

/oam/server/auth_cred_submit, as follows:

customHTML.properties file is:

properties extension