Onboarding the RSA Authentication Manager

Use this task to provision users from Verify to the on-premises RSA Authentication Manager adapter.

Before you begin

  1. Configure the identity agent for authentication in Verify. See Configuring through the Verify user interface.
  2. Deploy and configure the IBM® Security Verify Identity Brokerage On-Premises component.

Procedure

  1. Log in as administrator on IBM Security Verify.
  2. Select Applications > Applications and click Add application.
  3. Search for the application type by the name that was set for the uploaded application profile, select it from the menu, and click Add application.
    For example, if the RSA Authentication Manager profile was uploaded with the name RSA Authentication Manager, then the application appears as RSA Authentication Manager(custom).
  4. In the Add applications page, select the General tab, and specify the required details.
  5. Select the Account lifecycle tab.
  6. Specify the provisioning and deprovisioning policies.
    Parameters and descriptions:

    Provision accounts
      Provision accounts is Disabled by default, which means that account creation is performed outside of IBM Security Verify.

      Select the Enabled option to automatically provision an account when the entitlement is assigned to a user. Password generation and email notification features are available for accounts that are created by using IBM Security Verify.

    Deprovision accounts
      Deprovision accounts is Disabled by default, which means that account removal is performed outside of IBM Security Verify.

      Select the Enabled option to automatically deprovision an account when the entitlement is removed from a user.

    Account password
      Sync user's Cloud Directory password: This option is available if Password sync is enabled on the Cloud Directory. It uses the Cloud Directory password when a regular user is provisioned to the application. Federated users receive a generated password when they are provisioned to the application.
      Generate password: This option generates a random password for the provisioned account. The password is based on the Cloud Directory password policy.
      None: This option provisions the account without a password.

    Send email notification
      This option is available when you select the Generate password option. When you select Send email notification, an email notification with the auto-generated password is sent to your email address after the account is provisioned successfully.

    Grace period (days)
      Set the grace period in days for which a deprovisioned account is kept suspended before it is deleted permanently.

    Deprovision action
      Delete the account. This field is available only if Deprovision accounts is enabled.
  7. In the General section, select the Application profile from the drop-down list. If the profile does not exist, you must create one. For more information, see Managing identity adapter application profiles.
  8. Specify the API authentication details.
    Parameters and descriptions:

    Security Directory Integrator location
      URL for the IBM Security Verify Directory Integrator instance. For example, rmi://<ip-address>:<port>/ITDIDispatcher, where ip-address is the IBM Security Verify Directory Integrator host and port is the port number for the RMI Dispatcher.

      The default URL for the default SDI1 instance is rmi://localhost:1099/ITDIDispatcher.

      The following table shows the ports that are open in the firewall for every instance that is created. However, these port numbers do not support high availability.

      Table 1. Ports
      Instance   Ports
      SDI1       1199, 1198, 1197, 1196, 1195, 1194
      SDI2       2299, 2298, 2297, 2296, 2295, 2294
      SDI3       3399, 3398, 3397, 3396, 3395, 3394
      SDI4       4499, 4498, 4497, 4496, 4495, 4494
      SDI5       5599, 5598, 5597, 5596, 5595, 5594
      SDI6       6699, 6698, 6697, 6696, 6695, 6694
      SDI7       7799, 7798, 7797, 7796, 7795, 7794
      SDI8       8899, 8898, 8897, 8896, 8895, 8894
      SDI9       9999, 9998, 9997, 9996, 9995, 9994
      SDI10      11099, 11098, 11097, 11096, 11095, 11094

      For a high availability implementation, use any of these port numbers:
      • 1099
      • 2099
      • 3099

    Security domain name
      Specify the name of the security domain that the user can administer and from which principals and support data must be reconciled.

      Administrative security domains are specific to an Authentication Manager server, but each server is installed with a default top-level security domain (realm). The default realm name is SystemDomain.

      To specify a security domain that is defined somewhere under a realm, use the full path to the security domain with the > character as a delimiter between security domains in the hierarchy. For example, SystemDomain>Employees>Division1.

      To specify a top-level security domain (realm), use the realm name. For example, SystemDomain.

    Administrator Name
      Specify the administrator user that is used to log in to the resource and to perform user management operations on the specified security domain.

    Administrator Password
      Specify the password for the administrator user.

    Recon Limit
      Specify this option to set the limit for the number of user accounts, groups, or roles that are retrieved. The default is 1000. This value is used only for RSA Authentication Manager v7.1 SP2 and earlier. Later versions of the server ignore this value and return all user accounts, groups, and roles.

    Owner
      Optional: Specify a user as a service owner.

    Service Prerequisite
      Optional: Specify a service that is a prerequisite to this service.
  9. Click Test Connection to test the connection to the on-premises RSA Authentication Manager. The connection must succeed before you can provision or reconcile accounts on the RSA Authentication Manager application.
  10. Map the target RSA Authentication Manager attributes to the Verify attributes as required. Select the Keep updated check box for the attributes that need to be updated on the target.

  11. Select the Account sync tab.
  12. In the Adoption policy section, add one or more attribute pairs that need to match for the account sync process to assign RSA Authentication Manager accounts to their respective account owners on Verify.

  13. In the Remediation Policies section, choose a remediation policy to remediate non-compliant accounts automatically.
  14. Click Save.
  15. After the application is saved, specify the authorization policy on the Entitlements tab.
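The two free-form settings in step 8, the Security Directory Integrator location URL and the security domain path, are easy to mistype. The following added example (not part of the IBM documentation) checks both before they are pasted into the form; it assumes only the rmi://<ip-address>:<port>/ITDIDispatcher URL form, the per-instance ports in Table 1, and the HA ports 1099, 2099 and 3099 that the page lists.

```python
"""Validate SDI location URLs and security domain paths for the RSA AM adapter.

Added example, not IBM's code. Port lists are taken from Table 1 above.
"""
from urllib.parse import urlsplit

# Per-instance RMI Dispatcher ports: SDIn uses n*1100+94 .. n*1100+99 (SDI1 -> 1194..1199).
SDI_PORTS = {f"SDI{n}": set(range(n * 1100 + 94, n * 1100 + 100)) for n in range(1, 11)}
# Ports the page lists for high-availability deployments.
HA_PORTS = {1099, 2099, 3099}


def parse_sdi_location(url: str) -> dict:
    """Parse an SDI location URL and classify its port.

    Returns {"host", "port", "instance"} where instance is the SDI instance
    name from Table 1, "HA" for a high-availability port, or None when the
    port is in neither list (likely a typo). Raises ValueError on bad form.
    """
    parts = urlsplit(url)
    if parts.scheme != "rmi":
        raise ValueError(f"expected rmi:// scheme, got {parts.scheme!r}")
    if parts.path != "/ITDIDispatcher":
        raise ValueError(f"expected path /ITDIDispatcher, got {parts.path!r}")
    if not parts.hostname or parts.port is None:
        raise ValueError("host and port are required")
    port = parts.port
    instance = "HA" if port in HA_PORTS else None
    for name, ports in SDI_PORTS.items():
        if port in ports:
            instance = name
    return {"host": parts.hostname, "port": port, "instance": instance}


def parse_security_domain(path: str) -> list:
    """Split a path such as SystemDomain>Employees>Division1 into its hierarchy.

    The realm is the first element. Empty segments (a trailing '>' or '>>')
    are rejected rather than silently passed on as a domain with no name.
    """
    segments = [s.strip() for s in path.split(">")]
    if any(not s for s in segments):
        raise ValueError(f"malformed security domain path: {path!r}")
    return segments


if __name__ == "__main__":
    print(parse_sdi_location("rmi://localhost:1099/ITDIDispatcher"))
    print(parse_security_domain("SystemDomain>Employees>Division1"))
```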