You create a trust relationship by adding an external realm as a trusted realm. A trust relationship allows users to authenticate between two RSA Authentication Manager 8.3 realms, or between an RSA Authentication Manager 8.3 realm and an RSA Authentication Manager 8.0 or later realm. Trust is not inherited or transferred from other realms; you must explicitly establish each trust relationship as needed.
Note: You can create a Cloud Authentication Service trusted realm to allow users who are not in an Authentication Manager identity source or the internal database to use RSA SecurID Authenticate Tokencodes on RSA authentication agents. For more information, see RSA SecurID Authenticate Tokencodes.
Before you begin
You and the administrator of the realm you are adding as a trusted realm need to perform this procedure at the same time.
You and the administrator of the realm you are adding as a trusted realm need to be able to communicate while you perform this procedure.
1. In the Security Console, click Administration > Trusted Realms > Add New.
2. Under Generate Trust Package, click Generate & Download.
3. After the trust package is generated, use a secure method to exchange your trust package with the trust package from the trusted realm administrator. Wait until you receive the trust package before you continue.
   Note: The trust package is not compatible with RSA Authentication Manager 7.1. Do not import the trust package into a version 7.1 system.
4. In the Trust Package from Trusted Realm field, browse to the trust package file that you just received, and click Open.
5. Verify the trust package confirmation codes with the trusted realm administrator. Go to the next step only after you have verified the confirmation codes.
6. Click Confirm and Next.
7. In the Trusted Realm Name field, enter a unique, user-friendly name that identifies the trusted realm, for example, London office.
8. For Authentication Status, select Authenticate Trusted Users if you want your realm to authenticate users from the trusted realm.
9. For Trusted Realm Status, select Enable Trusted Realm. When enabled, your realm can send authentication requests to the trusted realm.
10. For Create Trusted Users in Security Domain, select the security domain that will own users from the trusted realm.
    After your realm authenticates users from the trusted realm, those users must belong to a security domain in your realm. The security domain that you select must be configured to use the internal database as an identity source.
11. In the Trusted User Name Identifier field, enter a unique identifier that your realm can recognize for the trusted user, and click Add. The unique identifier could be the user's domain name or e-mail address, such as email@example.com. The value must be unique among trusted realms.
    For example, suppose John Smith from Realm A is jsmith in his local realm. Your realm does not know the identity of jsmith. If you enter yourcompany.com in this field, John Smith is identified within your realm as jsmith@yourcompany.com.
12. In the Security Console, click Administration > Trusted Realms > Manage Existing.
13. Test the network connection between the trusted realms. Click the name of the trusted realm, and from the context menu, select Test Trusted Realm.
After you finish
Before trusted realm authentication can take place, you must enable an agent to process authentication requests from trusted users.
For more information, see Configure an Agent for Trusted Realm Authentication.