About RSA SecurID
The RSA SecurID integration connects Serval to the RSA SecurID Authentication API, the MFA service provided by RSA ID Plus / Cloud Authentication Service. An admin supplies an API URL, Access ID, and Client Key; Serval stores the Client Key encrypted and attaches it automatically to every call it makes on your behalf. Workflows then use a single “RSA SecurID API request” action to drive the full MFA flow. This connector is currently marked Beta in Serval’s integrations UI, and the connection is identified by the host of your API URL (for example, your-tenant.securid.com). Authentication: API key - the Client Key is sent as an authentication header on every request. Data sync: None. The integration is on-demand only - no background sync, webhooks, or polling. Outside your workflow runs, the only traffic is the connection health check, which runs when you trigger it and after you save configuration changes.What the RSA SecurID integration enables
| Capability | Description |
|---|---|
| RSA SecurID API request | A single workflow action that calls the RSA Authentication API with your credentials attached automatically. |
| Initialize an authentication attempt | Start an MFA attempt for a user and get back the attempt ID and the challenge methods the user can complete. Supports assurance levels (ALLOW / LOW / MEDIUM / HIGH / DENY), policy selection, and pre-collected credentials for single-step auth. |
| Verify authentication credentials | Submit collected credentials (password, OTP, and so on) for an attempt. Responses report SUCCESS, FAIL, ERROR, CHALLENGE (more input needed), or IN_PROCESS (poll again, for example while a push approval is pending). |
| Check authentication status | Look up or confirm the result of a previous authentication attempt from another session using its attempt ID. |
| Cancel an authentication attempt | Explicitly cancel a pending attempt (for user action or timeout). |
| Fetch localized prompt resources | Retrieve translated prompt text for rendering authentication prompts in the user’s language. |
| AI context | Serval’s AI knows the RSA SecurID Authentication API endpoint catalog and can help you build workflows against it. |
Get your credentials
You need three values from RSA: the Authentication API base URL, an Access ID, and a Client Key (RSA also calls it the Access Key). For RSA ID Plus / Cloud Authentication Service, all three come from the Cloud Administration Console. RSA’s official guide is Manage the RSA Authentication API Keys.Open API Access Management
Navigate to Platform > API Access Management. (Older console versions list these keys under My Account > Company Settings instead.)
Select the Authentication API Keys tab
This tab lists your Authentication API keys (up to 10 can exist).
Add a key and copy the key value
Add a new key and copy the key value - this is the Client Key you will paste into Serval. RSA also calls it the Access Key.
Connect in Serval
Open the RSA SecurID connect form
Find RSA SecurID in Serval’s integrations list (it is labeled Beta) and open the connect form.
Enter the API URL (required)
Paste your tenant’s Authentication API base URL, for example https://your-tenant.securid.com. The helper text reads “The RSA SecurID Authentication API base URL (e.g., https://your-tenant.securid.com)”. Leaving it empty shows “This field is required”. The https:// requirement is only checked when you submit: a plain http:// URL is rejected with “Failed to install integration: Invalid RSA SecurID configuration: API URL must start with https://”.
Enter the Access ID (required)
The helper text reads “The Access ID from the RSA REST configuration interface”. Leaving it empty shows “This field is required”.
Enter the Client Key (required)
A masked password field. The helper text reads “The client-key (Access Key) from the RSA REST configuration interface”. This field has no inline emptiness check - submitting without it fails with “Failed to install integration: Invalid RSA SecurID configuration: client key is required”.
When editing an existing connection, the Client Key shows as a masked value (bullets plus its last 4 characters) - use the Replace button, or the pencil icon on the connection’s settings page, to enter a new one. An untouched or blank Client Key keeps the current value, and the same applies to a cleared API URL or Access ID: blank means keep existing. Only paste a complete new Client Key when you are rotating credentials. If an update is rejected (for example a non-https API URL), the settings page shows “Failed to update configuration”.
Verifying the connection
The integration runs one health check, Validate RSA SecurID API Connection. It makes a lightweight, read-only call to RSA’s language-resources endpoint using your stored credentials, which confirms both that the API URL is reachable and that the Client Key is accepted.- On success: “Successfully connected to RSA SecurID API.”
- On failure: “Unable to connect to RSA SecurID API. Please verify your API URL and client key are correct.”
Gotchas and troubleshooting
Cloud (securid.com) endpoints only
Cloud (securid.com) endpoints only
Serval attaches credentials only when the request host is a subdomain of securid.com (for example, https://your-tenant.securid.com). Self-hosted RSA Authentication Manager at a custom hostname will not receive credentials, so every call fails. The bare apex securid.com (no subdomain) also does not qualify.
Only the Client Key is sent on requests
Only the Client Key is sent on requests
Outbound calls authenticate with the Client Key alone. The Access ID is required by the form and saved with the connection, but it is never included in API requests - HMAC request signing (which uses the Access ID) is not supported. If your RSA deployment is configured to require HMAC mode, requests will be rejected.
HTTPS is enforced when you submit, not as you type
HTTPS is enforced when you submit, not as you type
The form’s only inline checks are that the API URL and Access ID are filled in. The https:// requirement is enforced by Serval when you click Submit: on first connect the failure reads “Failed to install integration: Invalid RSA SecurID configuration: API URL must start with https://”, while a rejected update on the connection’s settings page shows “Failed to update configuration”.
Editing the connection keeps existing values for blank fields
Editing the connection keeps existing values for blank fields
On edit, the Client Key appears as bullets plus its last 4 characters, with a Replace button (or pencil icon) to enter a new value. Leaving it untouched or blank preserves the current key, and the same applies to the API URL and Access ID - blank means keep existing. Paste a complete new key only when rotating credentials; never retype the masked placeholder as if it were the key (Serval’s form discards placeholder-shaped values before submitting, so they cannot overwrite the stored key through the UI).
The MFA flow is stateful and multi-step
The MFA flow is stateful and multi-step
Initializing an attempt returns an attempt ID and the user’s available challenge methods; verifying may come back with CHALLENGE (more input needed) or IN_PROCESS (poll again, for example while a push approval is pending) before reaching SUCCESS, FAIL, or ERROR. Initialize and verify calls carry a message context - the attempt ID, a new message ID, and a reply-to echoing the server’s previous message ID - while status checks and cancellation reference just the attempt ID. Workflows that drive authentication need to implement this loop, and attempts time out (180 seconds by default).
Beta connector
Beta connector
RSA SecurID is marked Beta in the connect UI. Behavior and coverage may evolve faster than mature connectors - report anything unexpected to support.
Need help? Contact support@serval.com for assistance with your RSA SecurID integration.