Add a Trusted Realm

You create a trust relationship by adding an external realm as a trusted realm. A trust relationship allows users to authenticate between two RSA Authentication Manager 8.7 SP1 realms or an RSA Authentication Manager 8.7 SP1 realm and an RSA Authentication Manager 8.0 or later realm. Trust is not inherited or transferred from other realms, but instead, you must explicitly establish trust relationships as needed.

Note: You can create a Cloud Authentication Service trusted realm to allow users who are not in an Authentication Manager identity source or the internal database to use SecurID Authenticate Tokencodes on RSA authentication agents. For more information, see SecurID Authenticate Tokencodes.

Before you begin

  • You and the administrator of the realm you are adding as a trusted realm need to perform this procedure at the same time.

  • You and the administrator of the realm you are adding as a trusted realm need to be able to communicate while you perform this procedure.


  1. In the Security Console, click Administration > Trusted Realms > Add New.

  2. Under Generate Trust Package, click Generate & Download.

  3. After the trust package is generated, use a secure method to exchange your trust package with the trust package from the trusted realm administrator. Wait until you receive the trust package before you continue.

    Note: The trust package is not compatible with RSA Authentication Manager 7.1. Do not import the trust package into a version 7.1 system.

  4. In the Trust Package from Trusted Realm field, enter the path to the trust package that you just received by browsing to the package file, and click Open.

  5. Click Next.

  6. Verify the trust package confirmation codes with the trusted realm administrator. Go to the next step only after verifying the confirmation codes.

  7. Click Confirm and Next.

  8. In the Trusted Realm Name field, enter a unique, user-friendly name that identifies the trusted realm, for example, London office.

  9. For Authentication Status, select Authenticate Trusted Users if you want your realm to authenticate users from the trusted realm.

  10. For Trusted Realm Status, select Enable Trusted Realm. When enabled, your realm can send authentication requests to the trusted realm.

  11. For Create Trusted Users in Security Domain, select the security domain that will own users from the trusted realm.

    After your realm authenticates users from the trusted realm, the users must belong to a security domain in your realm. The security domain that you select must be configured to use the internal database as an identity source.

  12. In the Trusted User Name Identifier field, enter a unique identifier that your realm can recognize for the trusted user, and click Add. The unique identifier could be the user's domain name or e-mail address, such as The value must be unique among trusted realms.

    For example, suppose John Smith from Realm A is jsmith in his local realm. Your realm does not know the identity of jsmith. If you enter in this field, John Smith will be identified within your realm as

  13. Click Save.

  14. In the Security Console, click Administration > Trusted Realms > Manage Existing.

  15. Test the network connection between the trusted realms. Click the name of the trusted realm, and from the context menu, select Test Trusted Realm.

After you finish

Before trusted realm authentication can take place, you must enable an agent to process authentication requests from trusted users.

For more information, see Configure an Agent for Trusted Realm Authentication.

Related Concepts

Trusted Realms