topic Re: Identity Awareness with RSA SecurID in Firewall and Security Management

Identity Awareness with RSA SecurID

MauriceM — Fri, 19 May 2023 18:26:08 GMT

so, I've been tasked with migrating off the no longer supported Client Authentication feature to Identity Awareness. We use RSA SecurID Tokens as part of that browser-based authentication.

I have it working for users that were existing Client Auth users, but I'm having issues with new employees that are authenticating for the first time.

The issue stems from the fact that new users have to create a unique PIN number as part of the first login process which is then combined with the RSA generated token code on future login sessions. So, when using Client Auth a new user will login with their username and the code that's generated by the RSA Token. The system then presents them with a screen that asks them to create a PIN and once that's created all future logins are username with a password of PIN + TOKEN CODE. Identity Awareness is treating that first login as a password failure instead of recognizing that it's a first-time login.

What I'm assuming is that there's some additional configuration necessary to get Identity Awareness to handle this login flow correctly, but I can't seem to find documentation on how to implement this. Can anyone point me in the right direction to get this done? I've asked through the normal support case, but they claim they only handle break/fix issues and not configuration assistance. I've escalated to my accounts team, but thought I'd post here in case someone has had to do this in their environment.

Re: Identity Awareness with RSA SecurID

PhoneBoy — Fri, 19 May 2023 20:13:41 GMT

Pretty sure Captive Portal does not support this authentication flow.
As such, it would be an RFE that would need to be discussed with your local Check Point office.

However, it appears SecurID supports SAML per https://community.rsa.com/t5/securid-cloud-authentication/saml-applications-idr/ta-p/623025
We support SAML from R80.40 and above, which allows the authentication flow to happen entirely in the Identity Provider.
Therefore, this authentication flow should work.

Re: Identity Awareness with RSA SecurID

MauriceM — Mon, 22 May 2023 20:30:14 GMT

Appreciate the response @PhoneBoy I don't think the SAML option will work for my RSA appliance, but I'll see if this can be handled via an Enhancement.