My company “A” recently bought another company of almost equal size. Company A has a SecurID primary authentication manager appliance and 3 replicas, running 8.2SP1 Patch 7, on a single realm. The second company has two realms, a larger one “B” and a small one “C”, with a two-way trust between them, each running 8.2 original release, as in the diagram BeforeTrustedRealm.PNG:
If we configure a single two-way trust between A and B, is that sufficient for tokens in C to be trusted by A and vice-versa? In other words, are trusted realms transitive? As in the left diagram AfterTrustedRealmOpt1.PNG:
Or must we also configure a two-way trust between A and C? As in the above right diagram AfterTrustedRealmOpt2.PNG?
This topic is not covered in the articles “Add a Trusted Realm” https://community.rsa.com/docs/DOC-77096 and "Trusted Realms" https://community.rsa.com/docs/DOC-76711.
Trusts are not transitive. Just because entity A trusts entity B does not mean that A should necessarily trust all entities that B has decided to trust. You must also configure a two-way trust between A and C.