We're trying to configure our new RSA Risk-based Authentication (aka Adaptive Auth) solution to work with our SA4500. We have configured the RSA auth server, added it to our realm and imported the .js file to the custom sign-in page, as well as modifying the LoginPage.thtml with the script tags as indicated by the EMC/RSA implementation guide.
A quick note about our RSA topology: We currently have all of our RSA infrastructure BEHIND the firewall in our LAN, aka not on the DMZ and not exposed to the internet at all. This is the part that's got me stumped... when designing this solution, RSA told us that we did not need to expose any of our Adaptive Auth servers to the internet and that the SA4500 was supposed to intermediate all of the requests to those servers. The problem I have with that answer is this: When a user hits the Juniper login page and inputs their LDAP credentials (we're using RSA as a secondary auth server), they are redirected to an RSA URL, which returns a 404 error. This is due to the fact that the URL redirect is of the form https://rsaserver.company.com, which doesn't resolve because it's not exposed to the internet.
First, has anyone seen this deployment architecture, and second, has anyone gotten it working?
All suggestions/comments/criticisms welcome.
I believe the Adaptive Authentication Adapter should be reachable from the internet.
To prove this, from the internal network access the SA; once the user is authenticated this will forward you to https://rsaserver.company.com, after which you should be authenticated and presented with the bookmark page.
You should be able to set up an Authorisation Only sign-in policy (and associated role and resource policy) to enable access to the internal URL needed during login.
You can tie down which URLs are accessible with the resource policy, but remember anything allowed can be accessed unauthenticated.
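To illustrate the point in the answer above (the Authorization Only policy must cover the adapter redirect, and anything it covers is reachable without authentication), here is an added example that is not part of the original thread or any Juniper/RSA product. It uses a hypothetical allowlist notation (scheme://host/path with shell-style wildcards), not the SA's actual resource policy syntax, and the redirect URL, hostname and path are constructed sample values. It checks two things: whether the adapter redirect is permitted by the policy, and whether any pattern in the policy is broad enough to expose the whole host rather than just the adapter webapp.

```python
"""Sanity-check an Authorization-Only resource policy against the RSA adapter redirect.

Added example (hypothetical pattern syntax, constructed sample values).
"""
import fnmatch
from urllib.parse import urlsplit

# Constructed sample: the redirect the SA issues after primary (LDAP) auth succeeds.
# Hostname and path are placeholders, not values taken from any real deployment.
SAMPLE_REDIRECT = "https://rsaserver.company.com/adapters-juniper-aa/login.do?sid=abc123"

# Two constructed policies: one scoped to the adapter webapp only, one that
# opens the entire host to unauthenticated access.
TIGHT_POLICY = ["https://rsaserver.company.com/adapters-juniper-aa/*"]
LOOSE_POLICY = ["https://rsaserver.company.com/*"]


def matches(pattern: str, url: str) -> bool:
    """True if url falls under pattern (same scheme and host, wildcard path)."""
    p = urlsplit(pattern)
    u = urlsplit(url)
    if p.scheme != u.scheme or p.netloc.lower() != u.netloc.lower():
        return False
    # An empty pattern path means "everything on this host".
    return fnmatch.fnmatchcase(u.path, p.path or "/*")


def allowed(policy: list[str], url: str) -> bool:
    """True if any pattern in the policy permits the URL."""
    return any(matches(p, url) for p in policy)


def overly_broad(policy: list[str]) -> list[str]:
    """Patterns whose path is empty, '/', '/*' or '*' expose the whole host."""
    return [p for p in policy if urlsplit(p).path in ("", "/", "/*", "*")]


def check_policy(policy: list[str], redirect_url: str) -> dict:
    """Report whether the redirect is covered and which patterns are too broad."""
    return {
        "redirect_allowed": allowed(policy, redirect_url),
        "broad_patterns": overly_broad(policy),
    }


if __name__ == "__main__":
    for name, policy in (("tight", TIGHT_POLICY), ("loose", LOOSE_POLICY)):
        print(name, check_policy(policy, SAMPLE_REDIRECT))
```

Both policies let the login redirect through, but only the loose one is flagged, because a pattern ending in `/*` at the host root lets anyone reach every path on the adapter server without authenticating; the tight pattern limits unauthenticated exposure to the adapter webapp itself.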
The RSA Adaptive Authentication Adapter (adapters-juniper-aa webapp) needs to be accessible from the user's device.
There is a redirect to this URL, and this URL actively collects the device prints and if necessary front-ends the step-up authentication.