Previous Topic: SecurID Authentication SchemesNext Topic: X.509 Client Certificate Authentication Schemes


How to Configure SecurID HTML Form Authentication Support for Risk-Based Authentication

RSA Risk-Based Authentication (RBA) for SecurID provides risk-based verification of user identities while preserving the username/password login experience.

To configure the SecurID HTML Form authentication support for Risk-Based Authentication (RBA), the policy administrator and the agent owner must collaborate. This scenario describes all the procedures that both must perform.

Diagram illustrating workflow to configure SecurID RBA support

The policy administrator does the following procedures:

  1. Verify that you have the latest CA SiteMinder® RBA integration script template.
  2. Generate a custom CA SiteMinder® RBA integration script.
  3. Provide the custom CA SiteMinder® RBA integration script to agent owners for deployment.

The agent owners do the following procedure:

  1. Deploy the custom CA SiteMinder® RBA integration script on each web server.
Verify That You Have the Latest CA SiteMinder® RBA Integration Script Template

The RBA integration script is based on a template that ships with the RSA Authentication Manager. However, because RSA can update the template between releases, verify that you have the most up-to-date template.

Follow these steps:

  1. Download the CA SiteMinder® RBA integration script template, using this link.
  2. Locate the integration script template that shipped with your RSA Authentication Manager server.
  3. If your server does not have a integration script template, install the template that you downloaded in Step 1. Otherwise, compare the headers of the templates and install whichever one is the newest.
Generate a Custom CA SiteMinder® RBA Integration Script

To generate a custom RBA integration script to deploy on your agents, use the RSA Security Console.

Follow these steps:

  1. Log in to the RSA Security Console and enable RBA for one or more of your agents.
  2. Choose the primary method for agents to use to authenticate users (RSA SecurID or fixed passcode).
  3. To generate your script and download it to a temporary directory, select the CA SiteMinder template.
Provide the Custom SiteMinder RBA Integration Script to Agent Owners for Deployment

The custom RBA integration script that you generated in the RSA Security Console must be deployed on each web server that is to support RBA.

Provide the custom RBA integration script to each agent owner and inform them how to deploy it.

Agent Owner Deploys the Custom CA SiteMinder® RBA Integration Script on Each Web Server

Deploy the custom CA SiteMinder® RBA integration script provided by the policy administrator on each web server that is to support RBA.

Follow these steps:

  1. Log in to the agent host and locate the default RSA SecurID login template (smpwservices.fcc). The template is located in the /siteminderagent/forms/ directory relative to the agent root.
  2. Open smpwservices.fcc in a text editor, add the following two lines immediately before the </body> tag at the bottom, and save the file:
    <script src="am_integration.js" type="text/javascript"></script>
    <script>window.onload=redirectToIdP;</script> 
    

    Important! Create a backup of smpwservice.fcc before beginning to edit it and use it to undo the changes if necessary.

  3. Copy the custom CA SiteMinder® RBA integration script (am_integration.js) to the /siteminderagent/forms/ directory and restart the web server.