Conceptual overview of Realm Administration

Realm implementation

Realms are implemented using a context data item of the end-user and a context data item of a realm administrator. When both context data items have the identical realm value, the realm administrator and end-user are considered to be in the same realm. This enables the realm administrator to administer the end-user.

Realms are fully dynamic. A superadmin creates a new realm simply by creating a realm administrator for this realm.

With IAM 7.4 and later, the data attribute named realm has been added to the database schema context for both administrators and end-users to support Realm Administration. However, any string typed context data field may be used for realms.

Optional Realm Prefix in usernames

Enforcing a Realm Prefix in usernames is an optional feature.

Advantages:

  • A Realm Prefix prevents username duplicates across realms.
  • A Realm Prefix reduces the risk of enumeration attacks.

Disadvantages:

  • The user must provide the username including the Realm Prefix on the login screen.
  • A Realm Prefix is not required with usernames that are unique by design (e.g. e-mail address).

To enable this feature, Username Prefill and Username Validator must be configured.

Realm administrator vs. superadministrator

Superadministrator

Superadministrators are not members of a realm.

  • The realm attribute must be empty.

Superadministrators can create:

  • other superadministrators,
  • realm administrators,
  • users in all realms (requires proper authorization).

Realm administrator

Realm administrators belong to exactly one realm.

  • The realm attribute must be set.

Realm administrators can create:

  • end-users in their own realm (requires proper authorization).

Realm Prefill as convenience feature

The realm feature will enforce the realm value regardless of what data a realm administrator provides in a create user dialog. For convenience, a Realm Prefill can be configured so that the realm administrator does not have to provide the realm value.

This feature was added to permit superadmins to also create users with realms in one step. If this is not required, the realm attribute can be omitted from the create user dialog by making the realm attribute optional in the User List/Search Page.

Known limitations

To enable the flexibility required for this feature, some limitations have to be accepted:

  • Usernames must be unique across all realms. It is therefore possible that a realm administrator may try to enumerate users from another realm.
  • Hardware tokens are shared across all realms. It is therefore possible that the same token is managed by realm administrators from different realms.
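The following model is an added illustration of the realm semantics described on this page (realm matching via a context data item, the empty realm of a superadministrator, realm enforcement on user creation, the optional Realm Prefix, and global username uniqueness). It is constructed for this page and is not Airlock IAM code: the Account class, the function names, the "<realm>/<name>" prefix form and the sample accounts are assumptions made for the example.

```python
# Added illustration of realm-based administration. This is a constructed model,
# NOT Airlock IAM code: Account, the "/" prefix separator and all function names
# are assumptions for the example.
from dataclasses import dataclass
from typing import Dict

REALM_SEPARATOR = "/"  # assumed prefix form "<realm>/<name>"; not specified by the page


@dataclass
class Account:
    username: str
    realm: str = ""        # context data item; "" = not a member of any realm
    is_admin: bool = False


class RealmViolation(Exception):
    """Raised when an administrator acts outside the realm they belong to."""


class DuplicateUsername(Exception):
    """Raised because usernames must be unique across all realms."""


def is_superadmin(admin: Account) -> bool:
    # A superadministrator is an administrator whose realm attribute is empty.
    return admin.is_admin and admin.realm == ""


def same_realm(admin: Account, user: Account) -> bool:
    # Both context data items carry the identical, non-empty realm value.
    return admin.realm != "" and admin.realm == user.realm


def can_administer(admin: Account, user: Account) -> bool:
    # Superadmins reach every realm; realm administrators only their own.
    return admin.is_admin and (is_superadmin(admin) or same_realm(admin, user))


def with_realm_prefix(realm: str, name: str) -> str:
    # Role of "Username Prefill": prepend the realm so names are unique across realms.
    return f"{realm}{REALM_SEPARATOR}{name}"


def realm_prefix_valid(username: str, realm: str) -> bool:
    # Role of "Username Validator": the username must start with the user's own realm.
    return realm != "" and username.startswith(realm + REALM_SEPARATOR)


def create_user(admin: Account, name: str, requested_realm: str,
                directory: Dict[str, Account], enforce_prefix: bool = False) -> Account:
    if not admin.is_admin:
        raise RealmViolation("only administrators may create users")
    if is_superadmin(admin):
        realm = requested_realm      # superadmins pick the realm in one step
    else:
        realm = admin.realm          # enforced regardless of what the admin supplied
    username = with_realm_prefix(realm, name) if enforce_prefix else name
    if enforce_prefix and not realm_prefix_valid(username, realm):
        raise RealmViolation(f"{username!r} lacks the realm prefix for {realm!r}")
    if username in directory:
        # Uniqueness is global, so this rejection is observable from any realm
        # (the enumeration limitation listed under "Known limitations").
        raise DuplicateUsername(username)
    user = Account(username, realm)
    directory[username] = user
    return user


def demo() -> dict:
    """Walk through the page's scenarios with constructed accounts; returns observations."""
    directory: Dict[str, Account] = {}
    superadmin = Account("root", realm="", is_admin=True)
    acme_admin = Account("acme-admin", realm="acme", is_admin=True)

    # A realm administrator's requested realm is ignored; their own realm is enforced.
    bob = create_user(acme_admin, "bob", requested_realm="globex", directory=directory)
    # A superadministrator may populate any realm directly.
    carol = create_user(superadmin, "carol", requested_realm="globex", directory=directory)

    try:
        create_user(superadmin, "bob", requested_realm="globex", directory=directory)
        duplicate_rejected = False
    except DuplicateUsername:
        duplicate_rejected = True    # "bob" already exists, in a different realm

    # With the optional Realm Prefix the same local name can exist in both realms.
    prefixed: Dict[str, Account] = {}
    create_user(acme_admin, "bob", "ignored", prefixed, enforce_prefix=True)
    create_user(superadmin, "bob", "globex", prefixed, enforce_prefix=True)

    return {
        "bob_realm": bob.realm,
        "carol_realm": carol.realm,
        "acme_admin_manages_bob": can_administer(acme_admin, bob),
        "acme_admin_manages_carol": can_administer(acme_admin, carol),
        "superadmin_manages_carol": can_administer(superadmin, carol),
        "duplicate_rejected": duplicate_rejected,
        "prefixed_usernames": sorted(prefixed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module shows the two consequences a realm administrator should expect: the realm value they type into a create-user dialog never overrides the realm they belong to, and without the prefix a duplicate-name rejection leaks that the name exists somewhere, which is why the prefix both removes the collision and reduces enumeration.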