Realm Dialog Reference

The Realm Dialog is where you configure realms. This dialog contains the following sections:
Realm Dialog-General Section
The General section identifies the realm. The settings are:
  • Name
    Defines the realm name.
  • Description
    Describes the realm.
Realm Dialog-Resource Section
The Resource section is where you specify resource information for the realm.
Do not create a realm whose Agent and resource filter are the same as those of an existing realm. The UI normally prevents this, but two Agent names or two resource filters that look different as strings yet resolve to the same thing can slip past the Policy Server's validation, leaving two realms claiming the same resources.
The settings are as follows:
  • Agent
    Specifies the name of the agent or agent group that will protect the resources in the realm.
  • Ellipsis Button
    Opens the Set Agent/Group Dialog, from which you pick an agent or agent group from a list of all such existing objects or search for one by name.
  • Resource Filter
    Specifies the path for the resource filter. This field functions as a root for locating resources.
    Every resource on the server protected by the Agent that matches the Resource Filter is included in the realm. For example,
    /marketing/
    indicates that the new realm will include only those resources located in the /marketing/ directory of the server protected by the Agent or Agent group.
    Asterisk (*) and question mark (?) characters are treated as literal characters in resource filters (not wildcards).
  • Effective Resource
    (Informational) Displays the Agent and resource protected by the realm.
  • Default Resource Protection
    • Protected
      Indicates the resources in the realm are protected by CA Single Sign-On. To allow access to this resource, create a rule and bind it to a policy that allows access by users or groups. The Protected radio button is selected by default.
      There may be a short delay between the time when you create a realm and the time when the Policy Server begins protecting the realm. Web Agents poll the Policy Server for changes at a fixed interval (30 seconds by default). By default, the Policy Server can take up to one minute to recognize the realm. Instead of waiting, you can restart the Policy Server so it recognizes the new realm immediately. 
    • Unprotected
      Indicates the resources in the realm are not protected by default. The resources in the realm can be protected if you create a rule and bind the rule to a policy.
  • Authentication Scheme
    Specifies the authentication scheme that protects the realm.
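The following pre-flight check is an added example, not CA Single Sign-On product code. It canonicalizes (Agent, Resource Filter) pairs so that two realm definitions whose filters differ only as strings (doubled slashes, "./" and "../" segments) are flagged before they are created. The canonicalization rules, the `RealmDef` type and the sample realms are assumptions made for illustration; the page does not document the Policy Server's own comparison.

```python
# Added example; not CA Single Sign-On product code. Canonicalizes realm
# (Agent, Resource Filter) pairs to catch duplicates that differ only as strings.
# The rules below are assumptions for illustration.
from dataclasses import dataclass
from posixpath import normpath
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RealmDef:
    name: str
    agent: str             # Agent or Agent group name
    resource_filter: str   # path prefix, e.g. "/marketing/"


def canonical_filter(resource_filter: str, case_insensitive: bool = False) -> str:
    """Collapse redundant separators and dot segments.

    A trailing slash is kept because "/marketing" and "/marketing/" are
    different prefixes. '*' and '?' are literal characters in resource
    filters, so no wildcard handling is needed. Case folding is optional
    because it depends on the web server behind the Agent (assumption).
    """
    raw = resource_filter.strip()
    wants_trailing = raw.endswith("/")
    path = normpath("/" + raw.lstrip("/"))   # normpath drops any trailing "/"
    if wants_trailing and path != "/":
        path += "/"
    return path.lower() if case_insensitive else path


def canonical_agent(agent: str) -> str:
    # Agent names are treated as case-insensitive here (assumption).
    return agent.strip().lower()


def find_collisions(realms: List[RealmDef],
                    case_insensitive: bool = False) -> List[Tuple[str, str, Tuple[str, str]]]:
    """Return (existing_realm, new_realm, canonical_key) for every collision."""
    seen: Dict[Tuple[str, str], str] = {}
    collisions = []
    for r in realms:
        key = (canonical_agent(r.agent),
               canonical_filter(r.resource_filter, case_insensitive))
        if key in seen:
            collisions.append((seen[key], r.name, key))
        else:
            seen[key] = r.name
    return collisions


# Constructed sample realm definitions (not from any real deployment).
SAMPLE_REALMS = [
    RealmDef("RealmA", "webagent1", "/marketing/"),
    RealmDef("RealmB", "WebAgent1", "//marketing/./"),   # same filter once canonicalized
    RealmDef("RealmC", "webagent1", "/marketing"),       # different prefix: no trailing slash
    RealmDef("RealmD", "webagent1", "/Marketing/"),      # collides only if the server ignores case
    RealmDef("RealmE", "webagent2", "/marketing/"),      # different Agent: allowed
]

if __name__ == "__main__":
    for existing, new, key in find_collisions(SAMPLE_REALMS):
        print(f"{new} duplicates {existing}: agent={key[0]} filter={key[1]}")
```

Run the check with `case_insensitive=True` when the web server behind the Agent (IIS, for example) does not distinguish path case; otherwise RealmD above is a legitimately distinct realm.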
Realm Dialog-Rules Section
The Rules section lists existing rules bound to the realm and lets you create new rules.
  • Name
    Identifies the rule.
  • Description
    Describes the rule.
  • Create
    Opens the rules dialog.
Realm Dialog-Sub-Realms Section
The Sub-Realms section lets you configure nested realms.
  • Name
    Identifies the nested realm.
  • Resource Filter
    Displays the resource filter.
  • Create Sub-Realm
    Opens the Create Realm pane from where you can create a realm. A realm you create in this manner is nested under the realm.
Realm Dialog-Session Section
The Session section is where you set session timeouts, choose non-persistent or persistent sessions, and enable or disable synchronous auditing for the realm.
A session timeout is based on the session that is established when a user authenticates in a realm. If a user accesses a resource in another realm, the Policy Server maintains the user session. For example, if a user authenticates in RealmA, which has a session timeout of 30 minutes, then the user accesses a resource in RealmB 15 minutes later, regardless of the session timeout for RealmB, the user’s session expires in another 15 minutes. If you want to change this default behavior, you can create responses to replace session timeout values.
  • Maximum Timeout
    If enabled, determines the maximum amount of time a user session can be active before the Agent challenges the user to re-authenticate.
    You can override this setting by using the WebAgent-OnAuthAccept-Session-Max-Timeout response attribute.
    This setting is enabled by default. To specify no maximum session length, clear the checkbox. The default maximum session length is two hours.
    • Hours
      Specifies the hours value for the maximum session length.
    • Minutes
      Specifies the minutes value for the maximum session length.
      To use this feature with the Basic authentication scheme, your Web Agent must be configured to Require Cookies.
  • Idle Timeout
    If enabled, determines the amount of time that an authorized user session can remain inactive before the Agent terminates the session. If you are concerned about users leaving their workstations after accessing a protected resource, set the idle timeout to a shorter period of time. If the session times out, users must re-authenticate before accessing the resources in the realm.
    This setting is enabled by default. To specify no session idle timeout, clear the checkbox. The default session idle timeout is one hour.
    The session actually expires within a certain maintenance period after the specified idle timeout value. The extra time is determined by the number of seconds specified in the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\SessionServer\MaintenancePeriod
    Default: 60 seconds.
    For example, if you set the idle timeout to 10 minutes and keep the default value of the MaintenancePeriod registry setting, the longest time before a session times out due to inactivity is 11 minutes (specified timeout + maintenance period).
    To use this feature with the Basic authentication scheme, your Web Agent must be configured to Require Cookies.
    Be aware of the following:
    • For persistent sessions, the Idle Timeout must be enabled and set to a value higher than that specified for the Validation Period.
    • You can override this global setting by using the WebAgent-OnAuthAccept-Session-Idle-Timeout response attribute. A value of zero indicates that the session will not end because of inactivity.
    • Hours
      Specifies the hours value for the idle timeout period.
    • Minutes
      Specifies the minutes value for the idle timeout period.
  • Persistent Session
    To see this setting, enable the Session Server using the Policy Server Management Console.
    • Non-Persistent
      Specifies that sessions in this realm are non-persistent. User sessions are tracked using cookies.
    • Persistent
      Specifies that sessions in this realm are persistent. User sessions are tracked in the session store and optional cookies.
      If you select this option, the Idle Timeout Enabled option must be set. Additionally, you can specify a validation period.
      If you configure one or more realms to use persistent sessions, you must ensure that the Session Server is enabled and configured.
  • Validation Period
    To see this setting, enable the Session Server using the Policy Server Management Console and enable the Persistent Session option (above).
    If enabled, determines the period for which the Agent caches the result of a session validation call to the Policy Server. Session validation calls perform two functions: they inform the Policy Server that the user is still active and they check that the user session is still valid. If disabled, the Agent always validates the session from its cache and only calls the Policy Server when the session is not available in its cache.
    To specify the validation period, enter values in the Hours, Minutes, and Seconds fields. If you are configuring the system to provide a Windows user security context, set this value high, for example, 15-30 minutes.
    The Validation Period is dependent on the DRIFT value that is set by Policy Server and Web Agent functions as per the following DRIFT values:
    • DRIFT == -1 : Implies that the Validation Period is disabled and that the session is always served from Agent cache and only goes to Policy Server when session is not available in the cache.
    • DRIFT == 0 : Indicates the default value of the Validation Period and implies that Agent always validates the session from its cache and only goes to Policy Server when session is not available in the cache. 
    • DRIFT > 0 : Caches the session for duration DRIFT.
      The session validation period must be less than the specified Idle Timeout value.
  • Synchronous Auditing
    Specifies that the Policy Server and Web Agent must log related actions before users are allowed access to resources; access is withheld until the activity is recorded in the audit logs.
  • Enhanced Session Assurance
    Protects the resources that are specified in the realm (of the policy domain model) or the component (of the application model). You can also protect the authentication requests of certain federation partnerships. The session assurance end point collects the DeviceDNA™ from the user and validates the session.
    Value: Specify session assurance end points.
  • Session Assurance
    Specifies the name of an Enhanced Session Assurance with DeviceDNA™ end point that you previously defined in the Administrative UI. The sessions of users who access this realm (for policy domains) or component (for applications) are validated using this end point.
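The lint below is an added example, not CA Single Sign-On product code. It checks a realm's session settings against the constraints stated in this section (persistent sessions need the Session Server and an enabled Idle Timeout, the Validation Period must be less than the Idle Timeout, and Maximum/Idle Timeout with the Basic authentication scheme needs a Web Agent set to Require Cookies) and models how the DRIFT value decides whether the Agent calls the Policy Server for a cached session. The `RealmSessionConfig` field names, the mapping from the dialog's Validation Period to DRIFT, and the sample configurations are assumptions made here.

```python
# Added example; not CA Single Sign-On product code. Lints realm session
# settings against the constraints stated in the Session section and models
# the DRIFT cache decision. Field names and the DRIFT mapping are assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RealmSessionConfig:
    name: str
    auth_scheme: str                             # e.g. "Basic", "HTML Form"
    max_timeout_min: Optional[int]               # None = Maximum Timeout cleared
    idle_timeout_min: Optional[int]              # None = Idle Timeout cleared
    persistent: bool = False
    validation_period_sec: Optional[int] = None  # None = Validation Period disabled
    session_server_enabled: bool = False         # Policy Server Management Console setting
    agent_require_cookies: bool = True           # Web Agent configuration setting


def lint_realm_session(cfg: RealmSessionConfig) -> List[str]:
    problems: List[str] = []
    if cfg.persistent and not cfg.session_server_enabled:
        problems.append("persistent sessions need the Session Server enabled and configured")
    if cfg.persistent and cfg.idle_timeout_min is None:
        problems.append("persistent sessions need Idle Timeout enabled")
    if cfg.validation_period_sec is not None and cfg.idle_timeout_min is not None \
            and cfg.validation_period_sec >= cfg.idle_timeout_min * 60:
        problems.append("Validation Period must be less than Idle Timeout")
    if cfg.auth_scheme.lower() == "basic" and not cfg.agent_require_cookies \
            and (cfg.max_timeout_min is not None or cfg.idle_timeout_min is not None):
        problems.append("Basic authentication: Web Agent must be set to Require Cookies "
                        "for Maximum/Idle Timeout to take effect")
    if cfg.max_timeout_min is None and cfg.idle_timeout_min is None:
        # Hardening check added here, not a constraint the dialog enforces.
        problems.append("no Maximum or Idle Timeout: the session has no time limit")
    return problems


def validation_period_to_drift(validation_period_sec: Optional[int]) -> int:
    """Disabled -> -1; otherwise the period in seconds (0 = default). Assumed mapping."""
    return -1 if validation_period_sec is None else validation_period_sec


def agent_calls_policy_server(drift: int, session_in_cache: bool, cache_age_sec: int) -> bool:
    """DRIFT semantics from this section: -1 and 0 serve from the Agent cache
    and only go to the Policy Server when the session is not cached; DRIFT > 0
    caches the validation result for DRIFT seconds."""
    if not session_in_cache:
        return True
    if drift <= 0:
        return False
    return cache_age_sec >= drift


# Constructed configurations (not from a real deployment).
GOOD = RealmSessionConfig("intranet", "HTML Form", max_timeout_min=120, idle_timeout_min=60,
                          persistent=True, validation_period_sec=900,
                          session_server_enabled=True)
BAD = RealmSessionConfig("legacy", "Basic", max_timeout_min=120, idle_timeout_min=None,
                         persistent=True, validation_period_sec=900,
                         agent_require_cookies=False)

if __name__ == "__main__":
    for cfg in (GOOD, BAD):
        print(cfg.name, lint_realm_session(cfg) or "ok")
```

The 900-second Validation Period in the good configuration is the 15-minute value the section recommends for a Windows user security context; note that it is well under the 60-minute Idle Timeout, which is the ordering the section requires.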
Realm Dialog-Advanced Section
The Advanced section is where you can configure registration schemes, enhanced directory mappings (authorization and validation), and legacy directory mappings. In addition, you can configure the types of events that are processed for the realm, which enable you to associate rules with the indicated types of events, and a minimum confidence level.
  • Authorization Identity Mapping
    The Authorization Identity Mapping section is where you specify an authorization directory in which users access resources in the realm. Authorization identity mappings allow users who are authenticated in one directory to be authorized in another directory.
    • Authorization Mapping
      Specifies the authorization directory for the realm. Only directory mappings that have already been configured using the Directory Mapping: Identity Mapping Dialog appear in the list.
    • Create Authorization Mapping
      Opens the Identity Mapping dialog to create an authorization identity mapping object.
  • Validation Identity Mapping
    The Validation Identity Mapping section is where you specify a validation directory in which users access resources in the realm. Validation identity mappings allow users who are authenticated in one directory to be validated in another directory.
    • Validation Mapping
      Specifies the validation directory for the realm. Only directory mappings that have already been configured using the Directory Mapping: Identity Mapping Dialog appear in the list.
    • Create Validation Mapping
      Opens the Identity Mapping dialog to create a validation identity mapping object.
  • Legacy Authorization Directory Mapping
    The Legacy Authorization Directory Mapping section is where you specify an authorization directory for users who access resources in the realm. Directory mappings allow users who are authenticated in one directory to be authorized in another directory.
    • Directory Mapping
      Specifies the authorization directory for the realm. Only directory mappings that have already been configured using the Directory Mapping: Auth/AZ Mapping Dialog appear in the list. You can only select mappings to authorization directories that are included in the policy domain in which the realm is located.
    • Create Legacy Authorization Mapping
      Opens the Directory Mapping dialog for authentication and authorization directory mapping.
  • Events
    The Events section is where you enable event processing for authentication and authorization events to support rules that are triggered by these events.
    • Process Authentication Events
      Supports rules triggered by authentication attempts.
    • Process Authorization Events
      Supports rules triggered by authorization attempts.
      If the resources in the realm are associated with global rules in a global policy, authentication and authorization events must be enabled. The Policy Server processes global policies only if authentication and authorization events are enabled.
  • Risk Factor Support
    If the Policy Server is integrated with a supported risk analysis engine, the Risk Factor Support section is where you enter a minimum confidence level. A confidence level represents credential assurance, which is the likelihood that the user requesting the protected resource is legitimate.
    This section is available only if confidence level support is enabled. 
Realm Dialog-Flush Resources in Realm Section
The Flush Resources in Realm section appears when you modify an existing realm. It contains the following item:
  • Flush
    Empties the realm's information from the resource cache.