So, I've been tasked with migrating off the no-longer-supported Client Authentication feature to Identity Awareness. We use RSA SecurID Tokens as part of that browser-based authentication.
I have it working for users that were existing Client Auth users, but I'm having issues with new employees that are authenticating for the first time.
The issue stems from the fact that new users have to create a unique PIN number as part of the first login process, which is then combined with the RSA-generated token code on future login sessions. So, when using Client Auth, a new user will log in with their username and the code that's generated by the RSA Token. The system then presents them with a screen that asks them to create a PIN, and once that's created, all future logins are username with a password of PIN + TOKEN CODE. Identity Awareness is treating that first login as a password failure instead of recognizing that it's a first-time login.
What I'm assuming is that there's some additional configuration necessary to get Identity Awareness to handle this login flow correctly, but I can't seem to find documentation on how to implement this. Can anyone point me in the right direction to get this done? I've asked through the normal support case, but they claim they only handle break/fix issues and not configuration assistance. I've escalated to my accounts team, but thought I'd post here in case someone has had to do this in their environment.