MauriceM
Explorer

Identity Awareness with RSA SecurID

So, I've been tasked with migrating off the no-longer-supported Client Authentication feature to Identity Awareness. We use RSA SecurID Tokens as part of that browser-based authentication.

I have it working for users that were existing Client Auth users, but I'm having issues with new employees that are authenticating for the first time.

The issue stems from the fact that new users have to create a unique PIN number as part of the first login process, which is then combined with the RSA-generated token code on future login sessions. So, when using Client Auth, a new user will log in with their username and the code that's generated by the RSA Token. The system then presents them with a screen that asks them to create a PIN, and once that's created, all future logins are username with a password of PIN + TOKEN CODE. Identity Awareness is treating that first login as a password failure instead of recognizing that it's a first-time login.

What I'm assuming is that there's some additional configuration necessary to get Identity Awareness to handle this login flow correctly, but I can't seem to find documentation on how to implement this.  Can anyone point me in the right direction to get this done?  I've asked through the normal support case, but they claim they only handle break/fix issues and not configuration assistance. I've escalated to my accounts team, but thought I'd post here in case someone has had to do this in their environment.

 


Accepted Solutions
PhoneBoy
Admin

Pretty sure Captive Portal does not support this authentication flow.
As such, it would be an RFE that would need to be discussed with your local Check Point office.

However, it appears SecurID supports SAML per https://community.rsa.com/t5/securid-cloud-authentication/saml-applications-idr/ta-p/623025 
We support SAML from R80.40 and above, which allows the authentication flow to happen entirely in the Identity Provider.
Therefore, this authentication flow should work.

MauriceM
Explorer

Appreciate the response, @PhoneBoy. I don't think the SAML option will work for my RSA appliance, but I'll see if this can be handled via an Enhancement.
