Use Keycloak to configure a plugin that enables RSA token authentication.

Access to the Keycloak UI is needed.

1. Verify the Shasta realm is being used.

   This is indicated in the dropdown in the upper left of the UI.

2. Click on `Authentication` under the `Configure` header of the navigation area on the left side of the page.

3. Click on the `Flows` tab.

4. Click on the `Browser` flow.

5. Click the `Actions` dropdown and click on `Duplicate`.

6. Enter `RSA - Browser` for the `New Name` field.

7. Click on `Duplicate`.

8. Click the `Add Step` button in the table header.

9. Search `RSA`, click on `RSA`, then click `Add`.

10. Update the `Requirement` field of each step. Set the table values to the following:

    Field | Requirement |
    ---|---|
    Cookie | Alternative |
    Kerberos | Disabled |
    Identity Provider Redirector | Alternative |
    RSA - Browser Forms | REQUIRED |
    Username Password Form | REQUIRED |
    RSA - Browser - Conditional OTP | CONDITIONAL |
    Condition - User Configured | DISABLED |
    OTP Form | DISABLED |
    RSA | REQUIRED |

11. Click the `Gear` icon on the `RSA` line of the table.

12. Enter the different configuration options:

    Configuration Field | Value |
    ---|---|
    Alias | Enter the desired alias. For example, `RSA` could be used. |
    RSA URL | The base URL of the RSA API service. For example, `https://rsa.mycompany.com:5555/` |
    RSA Verify Endpoint | `/mfa/v1_1/authn/initialize` |
    Keycloak Client ID | The authentication agent. For example, `rsa.mycompany.com`. The value is from `Access > Authentication Agents > Manage Existing` in the RSA Console. |
    RSA Authentication Manager Client Key | The key for the RSA API. |

13. Set the `Shared username` option if applicable.

    If the usernames are the same in Keycloak and RSA, then this can be set to `ON`. This means that the browser flow will not ask for the username for the RSA validation.

14. Click `Save`.

15. Return to the `Flows` tab on the `Authentication` page.

16. Click on the `Direct Grant` flow.

17. Click the `Actions` dropdown and click on `Duplicate`.

18. Enter `RSA - CLI` for the `New Name` field.

19. Click on `Duplicate`.

20. Click the `Add Step` button in the table header.

21. Search `RSA`, click on `RSA-CLI`, then click `Add`.

22. Set the table values to the following:

    Field | Requirement |
    ---|---|
    RSA - CLI | REQUIRED |
    RSA - CLI Direct Grant - Conditional OTP | DISABLED |

23. Click `Save`.

24. Return to the `Flows` tab on the `Authentication` page.

25. Click on the `RSA - Browser` flow.

26. Click the `Actions` dropdown and click on `Bind flow`.

27. Choose the `Browser flow` from the dropdown and click `Save`.

28. Return to the `Flows` tab on the `Authentication` page.

29. Click on the `RSA - CLI` flow.

30. Click the `Actions` dropdown and click on `Bind flow`.

31. Choose the `Direct grant flow` from the dropdown and click `Save`.

32. Switch to `Realm Settings` under the `Configure` header of the navigation area on the left side of the page.

33. Go to the `Themes` tab.

34. Under the `Login theme` dropdown, select `shasta-rsa`.

35. Click on `Save`.

After this is set up, verify that it is working:

1. Point a browser at the following URL: `http://auth.cmn.SYSTEM_DOMAIN_NAME/keycloak/realms/shasta/account`

   The browser will be directed to the user login page. The first screen will ask for the username and password in Keycloak. After logging in this way, the next page will ask for the RSA username and token code.

2. (`ncn-mw#`) Get a token using the direct grant flow.

   Replace `USER` with a user in Keycloak, `PWD_NAME` with the user's password, `RSA_USER` with the user in RSA, and `TOKEN_CODE` with the token code:
   ```bash
   curl -i -d grant_type=password -d client_id=shasta -d username=USER \
        -d password=PWD_NAME -d rsa_username=RSA_USER -d rsa_otp=TOKEN_CODE \
        https://api-gw-service-nmn.local/keycloak/realms/shasta/protocol/openid-connect/token
   ```
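The direct grant check above can be scripted so that the response is inspected rather than eyeballed. The following is an added example, not code from the original procedure or from the Keycloak project: it posts the same form fields (`rsa_username` and `rsa_otp` alongside the standard password grant parameters) to the token endpoint named above, then applies a few sanity checks to what comes back. `EXPECTED_ISSUER` (assumed to equal the realm base URL, which is how Keycloak populates `iss`), the helper names, the environment variable names, and the sample token are assumptions made for this example.

```python
"""Exercise the RSA-enabled direct grant flow and sanity-check the returned token.

Added example, not part of the original procedure. The token endpoint and the
rsa_username / rsa_otp form fields come from the procedure above; EXPECTED_ISSUER,
the helper names and the constructed sample token are assumptions for this example.
"""
import base64
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = ("https://api-gw-service-nmn.local/keycloak/realms/shasta"
             "/protocol/openid-connect/token")
# Keycloak sets `iss` to the realm base URL; assumed here to be the token URL's prefix.
EXPECTED_ISSUER = "https://api-gw-service-nmn.local/keycloak/realms/shasta"


def build_direct_grant_body(username, password, rsa_username, rsa_otp, client_id="shasta"):
    """Form body for the direct grant flow; rsa_username/rsa_otp feed the RSA - CLI step."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "rsa_username": rsa_username,
        "rsa_otp": rsa_otp,
    }).encode()


def request_token(username, password, rsa_username, rsa_otp, url=TOKEN_URL):
    """POST the direct grant request and return the parsed JSON response (needs network)."""
    req = urllib.request.Request(
        url, data=build_direct_grant_body(username, password, rsa_username, rsa_otp),
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # a 401 still carries an error JSON body
        return json.load(err)


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_payload(token):
    """Return the claims of a compact JWT. This does NOT verify the signature; fetch the
    realm's keys from .../protocol/openid-connect/certs for that before trusting a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_response(resp, expected_issuer=EXPECTED_ISSUER, now=None):
    """Named sanity checks on a token endpoint response; each maps to True/False."""
    now = time.time() if now is None else now
    checks = {
        "has_access_token": "access_token" in resp,
        "bearer": resp.get("token_type", "").lower() == "bearer",
        "issuer_matches": False,
        "not_expired": False,
    }
    if checks["has_access_token"]:
        claims = decode_jwt_payload(resp["access_token"])
        checks["issuer_matches"] = claims.get("iss") == expected_issuer
        checks["not_expired"] = claims.get("exp", 0) > now
    return checks


def make_sample_token(issuer, exp):
    """Constructed, unsigned (alg=none) token used only to demonstrate the checks offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(
        {"iss": issuer, "exp": exp, "preferred_username": "example-user"}).encode())
    return f"{header}.{payload}."  # empty signature segment


SAMPLE_RESPONSE = {  # constructed; shaped like Keycloak's token endpoint response
    "access_token": make_sample_token(EXPECTED_ISSUER, 1_700_000_300),
    "token_type": "Bearer",
    "expires_in": 300,
}


if __name__ == "__main__":
    # Credentials are read from the environment (names chosen for this example) rather
    # than argv so they stay out of shell history and `ps` output.
    names = ("KEYCLOAK_USER", "KEYCLOAK_PASSWORD", "RSA_USER", "TOKEN_CODE")
    if all(os.environ.get(n) for n in names):
        resp, now = request_token(*(os.environ[n] for n in names)), None
    else:
        resp, now = SAMPLE_RESPONSE, 1_700_000_000  # offline run against the sample
    for name, ok in check_token_response(resp, now=now).items():
        print(f"{name:18} {'ok' if ok else 'FAIL'}")
```

Run it with the four environment variables set to exercise the real endpoint; without them it checks the constructed sample. A failed RSA step shows up as a response without `access_token` (the first check fails), which is the case to look for when the `RSA - CLI` step is bound but the token code or RSA username is wrong.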