RapidIdentity Product Guides - 2019 Rolling Release

Authentication Methods

Administrators can drag each authentication method to prioritize them.


There are eleven authentication methods described below. Use the links for more detailed information on each method.

Each of the hyperlinked methods in the table below direct to a RapidIdentity Product Guide page describing configuration details.

Authentication Method


FIDOFIDO Authentication Policy

When enabled, users authenticate with a licensed FIDO U2F security key. Administrators can allow users to defer the FIDO challenge for 30 days. If a user defers with this setting, they will not be prompted for FIDO authentication again for 30 days when using the same browser.

KerberosKerberos Configuration

Users authenticate with licensed, browser-provided Kerberos tickets automatically.


Users authenticate with their directory password.


Users can authenticate against the default image pool of 36 images or a custom image pool. Administrators can configure the number of images to choose and the number of images to challenge the user. This is a licensed method.

When configuring the custom image pool, click Manage Images . The total image pool resides on the left pane, and the user challenge images reside on the right pane. Administrators can select an image and use the arrows to move images. The Pictograph Image Manager supports drag-and-drop.


Users authenticate using the RapidIdentity mobile client application. It is necessary to be licensed for the PingMe authentication method to use this authentication method and necessary to configure users on the RapidIdentity Server.

Server Hostname: The RapidIdentity Server hostname.

Server Port: The server port. The default value is 443 if left blank.

API Key: The RapidIdentity Server API key.

Username attribute: The LDAP attribute that contains the user's RapidIdentity Server username(s).

Domain: Optional. If left blank, the default value is the RapidIdentity Server authentication domain if the username attribute value does not contain one.

Service Description: Optional. A friendly description that will display on the user's authentication device with the authentication request. If left blank, the default description is 'RapidIdentity Federation'.

Portal Challenge (Questions)Portal Challenge Setup

Users authenticate with their RapidIdentity Portal Challenge Questions.

QR CodeQR Code

When enabled, a valid, secure QR code must be scanned. This is a licensed method.


Users authenticate with a code sent to their mobile device through SMS. This is a licensed method.


Social authentication allows users to authenticate to RapidIdentity through their Facebook, Google+, LinkedIn, or Twitter account. Authenticating against any of the enabled social networks is sufficient. This is a licensed method.

Social authentication is enabled by clicking the Enabled box, selecting the desired social network, and completing the ID and Secret fields. The ID and Secret field values are both obtained through each of the social network's developers pages.


Users enter a Time-Based One-Time Password (TOTP) code generated by a device or app (e.g. Google Authenticator).

Window Size: governs the number of valid codes. A value of 1 indicates only the current code is valid. A value of 3 indicates the current, the two previous, and two future codes are all valid.

Issuer: The name displayed alongside the token in the user's device. If blank, the default Issuer will be used.

Allow Challenge Deferral: When checked, users can defer challenges for 30 days, meaning they will not be prompted for TOTP authentication when authenticating with the same browser within that time period.

Setup Instructions: Necessary instructions for users to view when setting up their device.

FederationFederation Authentication Method

The Federation Authentication Method causes RapidIdentity Federation to act as a SAML Relying Party to a remote instance of RapidIdentity Federation.

The account in the remote system must be able to be uniquely mapped to a local RapidIdentity account by one or more attributes released by the remote IdP, such as email.