---
title: RSA SecurID node
description: The RSA SecurID node lets you perform multi-factor authentication (MFA) by integrating with RSA SecurID. End users can authenticate with their registered RSA authenticators using one of the following services:
component: auth-node-ref
version: latest
page_id: auth-node-ref::rsa-securid
canonical_url: https://docs.pingidentity.com/auth-node-ref/latest/rsa-securid.html
keywords: ["Authenticator", "RSA", "SecurID"]
superseded_by: https://docs.pingidentity.com/auth-node-ref/latest/rsa-securid.html
section_ids:
  example: Example
  availability: Availability
  inputs: Inputs
  dependencies: Dependencies
  rsa-securid-setup: RSA SecurID setup
  cas: CAS
  authentication_manager: Authentication Manager
  configuration: Configuration
  outputs: Outputs
  callbacks: Callbacks
  outcomes: Outcomes
  errors: Errors
---

# RSA SecurID node

The RSA SecurID node lets you perform multi-factor authentication (MFA) by integrating with RSA SecurID. End users can authenticate with their registered RSA authenticators using one of the following services:

* [RSA Cloud Access Service (CAS)](https://community.rsa.com/s/article/Cloud-Access-Service-Overview-235ded8d)

* [RSA Authentication Manager](https://community.rsa.com/s/article/How-RSA-Authentication-Manager-Protects-Your-Resources-f6d03a2f)

The node supports the following [RSA MFA methods](https://community.rsa.com/s/article/Authentication-Methods-for-Cloud-Authentication-Service-Users-80e1a27a):

* Push Notifications (Approve)

* QR Code

* Biometrics

* Authenticate OTP

* SecurID OTP

* SMS OTP

* Voice OTP

* Emergency Access Code

> FIDO, LDAP Directory Password, and OATH OTP methods aren't supported by this node. If you require these authentication methods, consider using alternative nodes instead.
>
> **Alternative nodes**
>
> * **FIDO**: use the WebAuthn nodes ([WebAuthn Authentication node](webauthn-authentication.html), [WebAuthn Registration node](webauthn-registration.html), and [WebAuthn Device Storage node](webauthn-device-storage.html)).
>
> * **LDAP Directory Password**: use the [Platform Password node](platform-password.html) with the [Data Store Decision node](data-store-decision.html), or use the [Pass-through Authentication node](passthrough-authentication.html).
>
> * **OATH OTP**: use the OATH nodes ([OATH Token Verifier node](oath-token-verifier.html), [OATH Registration node](oath-registration.html), and [OATH Device Storage node](oath-device-storage.html)).

## Example

The following example journey validates the user's credentials before they complete MFA with an RSA authenticator:

![Example RSA SecurID journey](_images/securid-example-journey.png)

* The [Page node](page.html) containing the [Platform Username node](platform-username.html) and [Platform Password node](platform-password.html) prompts for credentials.

* The [Data Store Decision node](data-store-decision.html) validates the username-password credentials.

* The RSA SecurID node handles the MFA flow with RSA SecurID and attempts to authenticate the user using one of their registered RSA authenticators.

  * If the user hasn't registered any RSA authenticators, authentication fails and evaluation continues along the `Not Enrolled` outcome path.

  * If the user has a single authentication method available to them, they're prompted to complete the MFA challenge using that method.

  * If the user has multiple authentication methods available to them, they can choose which one to use before being prompted to complete the MFA challenge using that method.

  * If the user completes the MFA challenge successfully, they're authenticated and logged in.

  * If the user fails to complete the MFA challenge, authentication fails and evaluation continues along the `Failure` outcome path.

## Availability

| Product                               | Available? |
| ------------------------------------- | ---------- |
| PingOne Advanced Identity Cloud       | Yes        |
| PingAM (self-managed)                 | Yes        |
| Ping Identity Platform (self-managed) | Yes        |

## Inputs

This node requires a `username` in the incoming node state to identify the user.

Implement a [Platform Username node](platform-username.html) earlier in the journey.

## Dependencies

You must complete the [RSA SecurID setup](#rsa-securid-setup) before using this node to authenticate users.

If you want to use a custom HTTP Client for communicating with the RSA Authentication API, you must configure an [Http Client service](https://docs.pingidentity.com/pingoneaic/am-reference/services-configuration.html#realm-httpclient) first.

Additionally, the `username` in the incoming node state must match one of the following:

* The username, alternate username, or email address of the user in the RSA CAS.

* The username in the Authentication Manager.

### RSA SecurID setup

The setup required depends on whether you have integrated with CAS or Authentication Manager:

#### CAS

1. Configure the following using the Cloud Administration Console:

   * **Assurance Levels**: Find more information in [Configure Assurance Levels](https://community.rsa.com/s/article/Configure-Assurance-Levels-cb0a8b18) in the RSA documentation.

   * **Access Policies**: Find more information in [Manage Access Policies](https://community.securid.com/s/article/Manage-Access-Policies-14b3a6b2) in the RSA documentation.

     Make a note of the Access Policy name. You'll need this to configure the RSA SecurID node.

   * **Authentication API Keys**: Find more information in [Manage the RSA Authentication API Keys (Legacy Clients)](https://community.securid.com/s/article/Manage-the-RSA-Authentication-API-Keys-Legacy-Clients-09a51852) in the RSA documentation.

     Make a note of the RSA Authentication API REST URL and API key. You'll need these to configure the RSA SecurID node.

2. Make sure end users have registered their RSA authenticators. Find more information in [Manage My Page](https://community.rsa.com/s/article/Manage-My-Page-9410c3e9) in the RSA documentation.

#### Authentication Manager

1. Configure the following using the Security Console:

   * **Authentication Agents**: Find more information in [Add an Authentication Agent](https://community.rsa.com/s/article/Add-an-Authentication-Agent-3e61c187) in the RSA documentation.

     Make a note of the Authentication Agent name. You'll need this to configure the RSA SecurID node.

   * **Authentication API Keys**: Find more information in [Configure the RSA SecurID Authentication API for Authentication Agents](https://community.rsa.com/s/article/Configure-the-RSA-SecurID-Authentication-API-for-Authentication-Agents-b82a1744) in the RSA documentation.

     Make a note of the API Key. You'll need this to configure the RSA SecurID node.

2. Get the RSA Authentication API REST URL from your RSA Authentication Manager administrator. You'll need this to configure the RSA SecurID node.

## Configuration

| Property | Usage |
| --- | --- |
| SecurID URL | The RSA Authentication API REST URL. The URL format depends on whether you're connecting to CAS or Authentication Manager:<br>- CAS: `https://companyname.auth.securid.com/mfa/v1_1`<br>- Authentication Manager: `https://rsa-auth-manager-server:5555/mfa/v1_1` |
| Client ID | The name used by this node as the client ID for connecting to the SecurID URL.<br>- If you're connecting to CAS, this value is optional and can be any string. This value is included in push notification messages seen by end users and is the application name displayed in the Cloud Administration Console. For example: `Example Login Journey`<br>- If you're connecting to the Authentication Manager, this value must match the name of an Authentication Agent configured in the Authentication Manager Security Console. For example: `MyAgentName` |
| Assurance Policy | This property only applies if you're connecting to CAS or when the Authentication Manager is operating as a secure proxy server for the cloud. The name of the Access Policy to use. This value must match the name of an Access Policy configured in the CAS Cloud Administration Console. For example: `All Users Medium Assurance Level` |
| Client Key Secret Label Identifier | An identifier used to create a secret label for mapping to the RSA API key in a secret store. Advanced Identity Cloud uses this identifier to create a specific secret label for this node. The secret label takes the form `am.authentication.nodes.securid.identifier.client.key` where `identifier` is the value of Client Key Secret Label Identifier. The identifier can only contain alphanumeric characters `a-z`, `A-Z`, `0-9`, and periods (`.`). It can't start or end with a period. |
| Authentication Attempt Timeout | This property only applies if you're connecting to CAS. The number of seconds before the authentication request to RSA times out. |
| HTTP Client | The HTTP Client to use for communicating with the Authentication API. Leave blank to use the default HTTP Client. |
| Prompt for MFA Choice | Add a custom, localized message to display to the end user with the list of available MFA methods:<br>1. Click the plus icon.<br>2. In the Key field, enter the locale. For example, `en-gb`.[(1)](#locale-footnote)<br>3. In the Value field, enter the message.<br>4. Click Done.<br>5. Repeat to add more messages and save your changes when you're done.<br>Leave blank to use the default message. Default: `Select your preferred MFA method` |
| Waiting Message | Add a custom, localized message to display to the end user when a push notification has been sent to their registered device:<br>1. Click the plus icon.<br>2. In the Key field, enter the locale. For example, `en-gb`.[(1)](#locale-footnote)<br>3. In the Value field, enter the message.<br>4. Click Done.<br>5. Repeat to add more messages and save your changes when you're done.<br>Leave blank to use the default message. Default: `Waiting for your response` |

(1) Specify a [locale that Java supports](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/Locale.html), such as `en-gb`. Otherwise, the node throws a configuration exception with an `Invalid locale provided` message.
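
A preflight check for the properties above, added here as an example (it is not Ping Identity's code): it derives the secret label from the identifier and flags values that contradict the table. The dict keys reuse the property display names, the `service` switch (`"cas"` or `"am"`) is hypothetical, and the HTTPS requirement is an assumption taken from the two URL formats shown.

```python
import re
from urllib.parse import urlsplit

# Rule from the Configuration table: a-z, A-Z, 0-9 and periods only,
# and the identifier can't start or end with a period.
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.]*[A-Za-z0-9])?")


def secret_label(identifier):
    """Return the secret label the node derives from the identifier."""
    if not IDENTIFIER_RE.fullmatch(identifier):
        raise ValueError(f"invalid secret label identifier: {identifier!r}")
    return f"am.authentication.nodes.securid.{identifier}.client.key"


def lint_node_config(config, service):
    """Return findings for a node config dict; service is "cas" or "am"."""
    findings = []
    url = urlsplit(config.get("SecurID URL", ""))
    # Both documented URL formats use HTTPS and end in /mfa/v1_1 (assumed rule).
    if url.scheme != "https" or not url.hostname:
        findings.append("SecurID URL must be an https:// URL with a host")
    if url.path.rstrip("/") != "/mfa/v1_1":
        findings.append("SecurID URL path should be /mfa/v1_1")
    if service == "am" and not config.get("Client ID", "").strip():
        findings.append("Client ID must name an Authentication Agent")
    if service == "cas" and not config.get("Assurance Policy", "").strip():
        findings.append("Assurance Policy should name a CAS Access Policy")
    try:
        secret_label(config.get("Client Key Secret Label Identifier", ""))
    except ValueError as exc:
        findings.append(str(exc))
    return findings


# Constructed sample configurations (not real deployments).
GOOD_CAS = {
    "SecurID URL": "https://companyname.auth.securid.com/mfa/v1_1",
    "Assurance Policy": "All Users Medium Assurance Level",
    "Client Key Secret Label Identifier": "rsa.prod",
}
BAD_AM = {
    "SecurID URL": "http://rsa-auth-manager-server:5555/mfa/v1",
    "Client ID": "",
    "Client Key Secret Label Identifier": ".rsa-prod.",
}

if __name__ == "__main__":
    print(lint_node_config(GOOD_CAS, "cas"))
    print(lint_node_config(BAD_AM, "am"))
```

The check can't confirm that the Client ID or Assurance Policy actually exists in RSA; it only catches values that can never be valid.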

## Outputs

This node doesn't change the shared state.

## Callbacks

The node sends the following callbacks:

* `ChoiceCallback`

  Displays a list of available MFA methods to the user and contains the Prompt for MFA Choice.

* `ConfirmationCallback`

  Lets the user choose to proceed or cancel.

* `PasswordCallback`

  Prompts the user to enter the token code, PIN, or OTP as required by the selected MFA method.

* `PollingWaitCallback`

  Waits for the user to respond to the push notification and contains the Waiting Message.

* `ScriptTextOutputCallback`

  Executes a JavaScript script that renders the QR code when the QR Code method is selected.

Learn more in [Supported callbacks](https://docs.pingidentity.com/pingoneaic/am-authentication/callbacks-supported.html).

## Outcomes

* `Success`

  The user successfully authenticated.

* `Failure`

  The user failed to authenticate.

* `Not Enrolled`

  The user isn't enrolled in any of the available MFA methods.

* `Cancel`

  The user pressed the Cancel button.

* `Error`

  An error occurred during node execution.

## Errors

The node can log the following errors:

* `username does not exist in node state`

  The `username` attribute is missing from the shared state. Make sure you implement a suitable node earlier in the journey to capture the `username`.

* `Expected response to contain methodResponseCode`

  The verification response received from RSA is missing the response code.

* `Failed to initialize SecurID: HTTP response`

  The node failed to connect to the SecurID URL. Check the SecurID URL, Client ID, and Client Key Secret Label Identifier properties.

* `Failed to verify SecurID: HTTP response`

  The node received an unsuccessful response code from the RSA verify endpoint. Review the error message from RSA included in the HTTP response.
