Add a Trusted Realm
You can connect two or more realms through a trust relationship to enable users within one realm to authenticate in another realm within a network environment. Trust is not inherited or transferred from other realms; instead, you must explicitly establish it as needed.
Note: In an example where a New York realm is being joined to a London realm, the New York realm cannot be a cloned system of the London realm because the Authentication Manager database contains unique database identifiers. Trying to establish a trusted realm between two deployments with the same database identifiers will result in an error.
You can create a Cloud Authentication Service trusted realm to allow users who are not in an AM identity source or the internal database to use SecurID Authenticate Tokencodes on RSA authentication agents. For more information, see SecurID Authenticate Tokencodes.
Before you begin
You and the administrator of the realm you are adding as a trusted realm need to perform this procedure at the same time.
You and the administrator of the realm you are adding as a trusted realm need to be able to communicate while you perform this procedure.
Procedure
1. In the Security Console, click Administration > Trusted Realms > Add New.
2. Under Generate Trust Package, click Generate & Download.
3. After the trust package is generated, use a secure method to exchange your trust package with the trust package from the trusted realm administrator. Wait until you receive the trust package before you continue.
   Note: The trust package is not compatible with RSA Authentication Manager 7.1. Do not import the trust package into a version 7.1 system.
4. In the Trust Package from Trusted Realm field, enter the path to the trust package that you just received by browsing to the package file, and click Open.
5. Click Next.
6. Verify the trust package confirmation codes with the trusted realm administrator. Go to the next step only after verifying the confirmation codes.
7. Click Confirm and Next.
8. In the Trusted Realm Name field, enter a unique, user-friendly name that identifies the trusted realm, for example, London office.
9. For Authentication Status, select Authenticate Trusted Users if you want your realm to authenticate users from the trusted realm.
10. For Trusted Realm Status, select Enable Trusted Realm. When enabled, your realm can send authentication requests to the trusted realm.
11. For Create Trusted Users in Security Domain, select the security domain that will own users from the trusted realm.
    After your realm authenticates users from the trusted realm, the users must belong to a security domain in your realm. The security domain that you select must be configured to use the internal database as an identity source.
12. In the Trusted User Name Identifier field, enter a unique identifier that your realm can recognize for the trusted user, and click Add. The unique identifier could be the user's domain name or e-mail address, such as jsmith@company.com. The value must be unique among trusted realms.
    For example, suppose John Smith from Realm A is jsmith in his local realm. Your realm does not know the identity of jsmith. If you enter yourcompany.com in this field, John Smith will be identified within your realm as jsmith@yourcompany.com.
13. Click Save.
14. In the Security Console, click Administration > Trusted Realms > Manage Existing.
15. Test the network connection between the trusted realms. Click the name of the trusted realm, and from the context menu, select Test Trusted Realm.
After you finish
Before trusted realm authentication can take place, you must enable an agent to process authentication requests from trusted users.
For more information, see Configure an Agent for Trusted Realm Authentication.