# RSA SecurID

> Connect Serval to the RSA SecurID Authentication API (RSA ID Plus / Cloud Authentication Service) so workflows can run multi-factor authentication flows - starting, verifying, checking, and canceling MFA attempts on demand.

## About RSA SecurID

The RSA SecurID integration connects Serval to the RSA SecurID Authentication API, the MFA service provided by RSA ID Plus / Cloud Authentication Service. An admin supplies an API URL, Access ID, and Client Key; Serval stores the Client Key encrypted and attaches it automatically to every call it makes on your behalf. Workflows then use a single "RSA SecurID API request" action to drive the full MFA flow. This connector is currently marked **Beta** in Serval's integrations UI, and the connection is identified by the host of your API URL (for example, your-tenant.securid.com).

**Authentication:** API key - the Client Key is sent as an authentication header on every request.

**Data sync:** None. The integration is on-demand only - no background sync, webhooks, or polling. Outside your workflow runs, the only traffic is the connection health check, which runs when you trigger it and after you save configuration changes.

## What the RSA SecurID integration enables

| Capability                           | Description                                                                                                                                                                                                                                        |
| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| RSA SecurID API request              | A single workflow action that calls the RSA Authentication API with your credentials attached automatically.                                                                                                                                       |
| Initialize an authentication attempt | Start an MFA attempt for a user and get back the attempt ID and the challenge methods the user can complete. Supports assurance levels (ALLOW / LOW / MEDIUM / HIGH / DENY), policy selection, and pre-collected credentials for single-step auth. |
| Verify authentication credentials    | Submit collected credentials (password, OTP, and so on) for an attempt. Responses report SUCCESS, FAIL, ERROR, CHALLENGE (more input needed), or IN\_PROCESS (poll again, for example while a push approval is pending).                           |
| Check authentication status          | Look up or confirm the result of a previous authentication attempt from another session using its attempt ID.                                                                                                                                      |
| Cancel an authentication attempt     | Explicitly cancel a pending attempt (for user action or timeout).                                                                                                                                                                                  |
| Fetch localized prompt resources     | Retrieve translated prompt text for rendering authentication prompts in the user's language.                                                                                                                                                       |
| AI context                           | Serval's AI knows the RSA SecurID Authentication API endpoint catalog and can help you build workflows against it.                                                                                                                                 |

Anything defined in the [RSA SecurID Authentication API](https://community.securid.com/s/rsa-id-plus-documentation/mfa-authentication-api) can be accessed through Serval.

## Get your credentials

You need three values from RSA: the Authentication API base URL, an Access ID, and a Client Key (RSA also calls it the Access Key). For RSA ID Plus / Cloud Authentication Service, all three come from the Cloud Administration Console. RSA's official guide is [Manage the RSA Authentication API Keys](https://community.securid.com/s/article/Manage-the-RSA-Authentication-API-Keys-Legacy-Clients-09a51852).

<Steps>
  <Step title="Sign in to the RSA Cloud Administration Console">
    Sign in as an administrator.
  </Step>

  <Step title="Open API Access Management">
    Navigate to **Platform > API Access Management**. (Older console versions list these keys under My Account > Company Settings instead.)
  </Step>

  <Step title="Select the Authentication API Keys tab">
    This tab lists your Authentication API keys (up to 10 can exist).
  </Step>

  <Step title="Add a key and copy the key value">
    Add a new key and copy the key value - this is the **Client Key** you will paste into Serval. RSA also calls it the Access Key.
  </Step>

  <Step title="Note the Access ID">
    Record the **Access ID** associated with the key configuration.
  </Step>

  <Step title="Copy the API URL">
    On the same tab, use **Copy URL** under the RSA SecurID Authentication API REST URL - this is the **API URL** for the Serval connect form.
  </Step>
</Steps>

<Warning>
  Serval only sends credentials to cloud-hosted RSA endpoints on a subdomain of securid.com. Self-hosted RSA Authentication Manager (where the equivalent values live under Security Console > Setup > System Settings > RSA SecurID Authentication API) uses custom hostnames that Serval will not authenticate to - cloud-hosted endpoints are the supported path.
</Warning>

<Tip>
  RSA Authentication API keys do not expire. Store the key securely and plan manual rotation - RSA recommends rotating roughly every 90 days.
</Tip>

## Connect in Serval

<Steps>
  <Step title="Open the RSA SecurID connect form">
    Find **RSA SecurID** in Serval's integrations list (it is labeled Beta) and open the connect form.
  </Step>

  <Step title="Enter the API URL (required)">
    Paste your tenant's Authentication API base URL, for example https\://your-tenant.securid.com. The helper text reads "The RSA SecurID Authentication API base URL (e.g., https\://your-tenant.securid.com)". Leaving it empty shows "This field is required". The https\:// requirement is only checked when you submit: a plain http\:// URL is rejected with "Failed to install integration: Invalid RSA SecurID configuration: API URL must start with https\://".
  </Step>

  <Step title="Enter the Access ID (required)">
    The helper text reads "The Access ID from the RSA REST configuration interface". Leaving it empty shows "This field is required".
  </Step>

  <Step title="Enter the Client Key (required)">
    A masked password field. The helper text reads "The client-key (Access Key) from the RSA REST configuration interface". This field has no inline emptiness check - submitting without it fails with "Failed to install integration: Invalid RSA SecurID configuration: client key is required".
  </Step>

  <Step title="Submit">
    Click **Submit**. Serval stores the Client Key encrypted and names the connection after the host of your API URL.
  </Step>
</Steps>

<Note>
  When editing an existing connection, the Client Key shows as a masked value (bullets plus its last 4 characters) - use the **Replace** button, or the pencil icon on the connection's settings page, to enter a new one. An untouched or blank Client Key keeps the current value, and the same applies to a cleared API URL or Access ID: blank means keep existing. Only paste a complete new Client Key when you are rotating credentials. If an update is rejected (for example a non-https API URL), the settings page shows "Failed to update configuration".
</Note>
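
A pre-flight check for the API URL before it is pasted into the connect form, written against the rules this page states (https only, host on a subdomain of securid.com). This is an added example, not Serval's validation code: `check_api_url` is a hypothetical helper, and rejecting userinfo and normalizing case and a trailing dot are assumptions of this example.

```python
from urllib.parse import urlsplit

ALLOWED_PARENT = "securid.com"  # parent domain named on this page


def check_api_url(url: str) -> tuple[bool, str]:
    """Return (True, normalized_host) or (False, reason) for a candidate API URL."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "URL could not be parsed"
    if parts.scheme != "https":  # urlsplit already lowercases the scheme
        return False, "API URL must start with https://"
    # Assumption: refuse "user@host" forms, where the text before "@" can be
    # made to look like the trusted host while the real host is something else.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in the URL is not allowed"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    if not host:
        return False, "URL has no host"
    if host == ALLOWED_PARENT:
        return False, "the bare apex securid.com does not qualify"
    # Match on a label boundary: a plain suffix test would accept
    # "notsecurid.com", and a substring test "securid.com.example.net".
    if not host.endswith("." + ALLOWED_PARENT):
        return False, "host is not a subdomain of securid.com"
    if any(label == "" for label in host.split(".")):
        return False, "host contains an empty label"
    return True, host


if __name__ == "__main__":
    # Constructed sample inputs, not real tenants.
    for candidate in (
        "https://your-tenant.securid.com",
        "http://your-tenant.securid.com",
        "https://securid.com",
        "https://securid.com.example.net",
        "https://your-tenant.securid.com@example.net/",
    ):
        print(candidate, "->", check_api_url(candidate))
```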

## Verifying the connection

The integration runs one health check, **Validate RSA SecurID API Connection**. It makes a lightweight, read-only call to RSA's language-resources endpoint using your stored credentials, which confirms both that the API URL is reachable and that the Client Key is accepted.

* On success: "Successfully connected to RSA SecurID API."
* On failure: "Unable to connect to RSA SecurID API. Please verify your API URL and client key are correct."

<Tip>
  If the health check is green but an authentication workflow seems stuck, it is usually waiting on the end user rather than a broken connection: a pending push approval returns an in-process status that the workflow must poll, and attempts expire after a timeout (180 seconds by default).
</Tip>

## Gotchas and troubleshooting

<AccordionGroup>
  <Accordion title="Cloud (securid.com) endpoints only">
    Serval attaches credentials only when the request host is a subdomain of securid.com (for example, https\://your-tenant.securid.com). Self-hosted RSA Authentication Manager at a custom hostname will not receive credentials, so every call fails. The bare apex securid.com (no subdomain) also does not qualify.
  </Accordion>

  <Accordion title="Only the Client Key is sent on requests">
    Outbound calls authenticate with the Client Key alone. The Access ID is required by the form and saved with the connection, but it is never included in API requests - HMAC request signing (which uses the Access ID) is not supported. If your RSA deployment is configured to require HMAC mode, requests will be rejected.
  </Accordion>

  <Accordion title="HTTPS is enforced when you submit, not as you type">
    The form's only inline checks are that the API URL and Access ID are filled in. The https\:// requirement is enforced by Serval when you click Submit: on first connect the failure reads "Failed to install integration: Invalid RSA SecurID configuration: API URL must start with https\://", while a rejected update on the connection's settings page shows "Failed to update configuration".
  </Accordion>

  <Accordion title="Editing the connection keeps existing values for blank fields">
    On edit, the Client Key appears as bullets plus its last 4 characters, with a Replace button (or pencil icon) to enter a new value. Leaving it untouched or blank preserves the current key, and the same applies to the API URL and Access ID - blank means keep existing. Paste a complete new key only when rotating credentials; never retype the masked placeholder as if it were the key (Serval's form discards placeholder-shaped values before submitting, so they cannot overwrite the stored key through the UI).
  </Accordion>

  <Accordion title="The MFA flow is stateful and multi-step">
    Initializing an attempt returns an attempt ID and the user's available challenge methods; verifying may come back with CHALLENGE (more input needed) or IN\_PROCESS (poll again, for example while a push approval is pending) before reaching SUCCESS, FAIL, or ERROR. Initialize and verify calls carry a message context - the attempt ID, a new message ID, and a reply-to echoing the server's previous message ID - while status checks and cancellation reference just the attempt ID. Workflows that drive authentication need to implement this loop, and attempts time out (180 seconds by default).
  </Accordion>

  <Accordion title="Beta connector">
    RSA SecurID is marked Beta in the connect UI. Behavior and coverage may evolve faster than mature connectors - report anything unexpected to support.
  </Accordion>
</AccordionGroup>
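
The stateful loop described under "The MFA flow is stateful and multi-step", as an added example that is not Serval's or RSA's code. `send` and `collect` are hypothetical callables supplied by the caller, the field names (`attempt_id`, `message_id`, `in_response_to`, `methods`, `status`, `credentials`) are assumed rather than RSA's wire names, and `CANCELLED` / `TIMEOUT` are local return values of this example; only `SUCCESS` is treated as authenticated.

```python
import time
import uuid

TERMINAL = {"SUCCESS", "FAIL", "ERROR"}  # final statuses listed on this page


def drive_mfa(send, user, collect, timeout_s=180, poll_s=2,
              clock=time.monotonic, sleep=time.sleep):
    """Drive one attempt to a final result; only "SUCCESS" means authenticated.

    send(op, body) -> dict is a hypothetical transport (for example a wrapper
    around the workflow's API request action). collect(methods) returns the
    credentials gathered from the user, or None if the user gives up.
    """
    deadline = clock() + timeout_s  # attempts expire (180 seconds by default)
    reply = send("initialize", {"user": user, "message_id": uuid.uuid4().hex})
    attempt = reply["attempt_id"]
    creds = collect(reply["methods"])  # first challenge
    while creds is not None and clock() < deadline:
        reply = send("verify", {
            "attempt_id": attempt,
            "message_id": uuid.uuid4().hex,          # new ID for every message
            "in_response_to": reply["message_id"],   # echo the server's last ID
            "credentials": creds,
        })
        status = reply.get("status")
        if status in TERMINAL:
            return status
        if status == "CHALLENGE":
            creds = collect(reply["methods"])  # more input needed
        elif status == "IN_PROCESS":
            sleep(poll_s)  # e.g. push approval pending: poll again
        else:
            break  # unrecognized status: fail closed, never assume success
    # User gave up, deadline passed, or unknown status: cancel explicitly.
    send("cancel", {"attempt_id": attempt})
    if creds is None:
        return "CANCELLED"
    return "TIMEOUT" if clock() >= deadline else "ERROR"
```

Callers should branch on the exact string `SUCCESS` and deny on every other return value, including a raised exception from `send`.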

***

Need help? Contact **[support@serval.com](mailto:support@serval.com)** for assistance with your RSA SecurID integration.
