Standard Fields
Field Description

RSA Authentication Agent

The unique name that you entered in the Hostname field in Registering PingFederate as an agent in the RSA Security Console , such as MyPingFederate. PingFederate uses this to identify itself to the RSA Authentication Manager API.


If you've integrated the Authentication Manager with the RSA Cloud Authentication Service (CAS), you can leave this field blank if you fill out the Assurance Policy ID field instead.


The base URL of the primary RSA Authentication Manager including the hostname, port number and REST URL root path.

For example: https://RSA_Authentication_Manager_Hostname:REST_API_Port/mfa/v1_1.

The default REST API port is 5555.

RSA Access ID

A unique string that the RSA Authentication Manager uses to identify individual REST API client. This is required if the security key type is HMAC.

RSA Access Key

A unique string that the RSA Authentication Manager generates and uses as a shared secret with REST API clients.

Advanced Fields
Field Description

Use Custom Cipher Suites

Cipher suites are used to send information securely when the adapter makes TLS requests to RSA Authentication Manager.

Cleared (default) – The adapter uses all cipher suites available to the adapter. For a complete list, see Enum CipherSuites in the OkHttp documentation.

Selected – Restricts the adapter to the cipher suites entered in the Custom Cipher Suites field. This allows your organization to use only cipher suites that meet your unique security standards. Select this if your environment has special requirements.

This check box is cleared by default.

Custom Cipher Suites

The cipher suites that the adapter uses when Use Custom Cipher Suites is selected.

Separate multiple ciphers with a comma. For example, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA256.

For a complete list, see Enum CipherSuites in the OkHttp documentation.

This field is blank by default.

Challenge Retries

The number of failed user authentications after which the account locking service blocks future attempts.


To enable this feature, follow the steps in Account lockout protection in the PingFederate documentation.

The default value is 5.

Security Key Type

The method of security key authentication to use against the RSA Authentication REST API. If Access Key is enabled, the plain key will be used. If HMAC is enabled an HMAC calculated from the Access Key, a hash of the request body, the Access ID, and other request-specific information will be used.

Assurance Policy ID

The access policy name that's configured in the Cloud Administration Console. You can get the access policy name from your Cloud Authentication Service Super Admin.


If you're using the RSA Authentication Manager integrated with the Cloud Authentication Service, you must enter a valid value for either the Assurance Policy ID field or the RSA Authentication Agent field.

Logout Path

Path on the PingFederate server to end a user's IdP session. Must include the initial slash. For example, /mylogoutpath.

The value is added to the following to create the logout URL: https://pf_host:port/ext

This field is blank by default.

Logout Redirect

The URL that the adapter redirects the user to after they log out. Applies only when Logout Path is set above. When provided, this URL takes precedence over any Logout Template specified below.

This field is blank by default.

Logout Template

HTML template to render after the user logs out. Applies when Logout Path is set above and Logout Redirect is blank. The template file must be located in <pf_home>/server/default/conf/template.

The default value is:

Authentication Context Value

Additional information provided to the SP to assess the level of confidence in the assertion. This value will override the default authentication context used by the adapter.

This field is blank by default.

Verify HTTPS Hostname

When a connection is established with RSA Authentication Manager, PingFederate matches the target host name against the names stored inside the server's X.509 certificate. This security measure ensures that PingFederate is connecting to the correct server.

This check box is selected by default.

Override Internal User ID

Allows you to specify a custom user identifier attribute for authentication with RSA SecurID.

By default, the adapter takes the username attribute from the PingFederate authentication policy and uses it for both frontend display and backend authentication with RSA Authentication Manager.

To use a different attribute for backend authentication, select this check box and enter the custom attribute in the Internal User ID Attribute field.

Not selected (default)
Frontend display: username
Backend authentication: username
Frontend display: username
Backend authentication: <custom attribute>

In either case, if no username attribute is available, the user-facing template shows an error.

This check box is cleared by default.

Internal User ID Attribute

When Override Internal User ID is selected, this field determines the user identifer attribute used to authenticate the user with RSA Authentication Manager.

The attribute must be available in the PingFederate authentication policy. The attribute name is case sensitive.

This field is blank by default.

Test Username

The username that's used to test the configuration on the Actions tab.

HTML Template Prefix

A file prefix that identifies the customizable HTML templates that the adapter instance uses. The template files must be located in <pf_home>/server/default/conf/template.


If you customize the template file names in /server/default/conf/template, make sure to use the same prefix consistently and enter that new prefix in this field.

The default value is:


Messages Files

Identifies the customizable language-pack file that the adapter uses.

If you customize the file name in the /server/default/conf/language-packs directory, enter the new name here.

The default value is rsa-securid-messages.

Error Message Key Prefix

Prefix for error messages in the language pack.

The default value is rsa.securid.error.

API Request Timeout

The amount of time in milliseconds that PingFederate allows when establishing a connection with RSA Authentication Manager or waiting for a response to a request. A value of 0 disables the timeout.

The default value is 5000.

Proxy Settings

Defines proxy settings for outbound HTTP requests.

The default value is System Defaults.

Custom Proxy Host

The proxy server host name to use when Proxy Settings is set to Custom.

This field is blank by default.

Custom Proxy Port

The proxy server port to use when Proxy Settings is set to Custom.

This field is blank by default.