Realm Dialog Reference
The Realm Dialog is where you configure realms. This dialog contains the following sections:
Realm Dialog-General Section
The General section identifies the realm. The settings are:
- Name: Defines the realm name.
- Description: Describes the realm.
Realm Dialog-Resource Section
The Resource section is where you specify resource information for the realm.
Do not create a realm whose Agent and resource filter are the same as the specified Agent and resource filter in an existing realm. Typically, the UI prevents you from doing this, but the combination of two Agent or two resource filters that look different as strings but resolve identically can circumvent Policy Server validation algorithms.
The settings are as follows:
- Agent: Specifies the name of the agent or agent group that will protect the resources in the realm.
- Ellipsis Button: Opens the Set Agent/Group Dialog, from which you pick an agent or agent group from a list of all such existing objects or search for one by name.
- Resource Filter: Specifies the path for the resource filter. This field functions as a root for locating resources. Every resource on the server protected by the Agent that matches the Resource Filter is included in the realm to which you are connecting. For example, /marketing/ indicates that the new realm will include only those resources located in the /marketing/ directory of the server protected by the Agent or Agent group. Asterisk (*) and question mark (?) characters are treated as literal characters in resource filters (not wildcards).
- Effective Resource: (Informational) Displays the Agent and resource protected by the realm.
- Default Resource Protection:
  - Protected: Indicates the resources in the realm are protected by CA Single Sign-On. To allow access to this resource, create a rule and bind it to a policy that allows access by users or groups. The Protected radio button is selected by default. There may be a short delay between the time when you create a realm and the time when the Policy Server begins protecting the realm. Web Agents poll the Policy Server for changes at a fixed interval (30 seconds by default). By default, the Policy Server can take up to one minute to recognize the realm. Instead of waiting, you can restart the Policy Server so it recognizes the new realm immediately.
  - Unprotected: Indicates the resources in the realm are not protected by default. The resources in the realm can be protected if you create a rule and bind the rule to a policy.
- Authentication Scheme: Specifies the authentication scheme that protects the realm.
Realm Dialog-Rules Section
The Rules section lists existing rules bound to the realm and lets you create new rules.
- Name: Identifies the rule.
- Description: Describes the rule.
- Create: Opens the rules dialog.
Realm Dialog-Sub-Realms Section
The Sub-Realms section lets you configure nested realms.
- Name: Identifies the nested realm.
- Resource Filter: Displays the resource filter.
- Create Sub-Realm: Opens the Create Realm pane, from where you can create a realm. A realm you create in this manner is nested under the current realm.
Realm Dialog-Session Section
The Session section is where you set session timeouts, choose non-persistent or persistent sessions, and enable or disable synchronous auditing for the realm.
A session timeout is based on the session that is established when a user authenticates in a realm. If a user accesses a resource in another realm, the Policy Server maintains the user session. For example, if a user authenticates in RealmA, which has a session timeout of 30 minutes, then the user accesses a resource in RealmB 15 minutes later, regardless of the session timeout for RealmB, the user’s session expires in another 15 minutes. If you want to change this default behavior, you can create responses to replace session timeout values.
- Maximum Timeout: If enabled, determines the maximum amount of time a user session can be active before the Agent challenges the user to re-authenticate. You can override this setting by using the WebAgent-OnAuthAccept-Session-Max-Timeout response attribute. This setting is enabled by default. To specify no maximum session length, clear the checkbox. The default maximum session length is two hours.
- Hours: Specifies the hours value for the maximum session length.
- Minutes: Specifies the minutes value for the maximum session length. To use this feature with the Basic authentication scheme, your Web Agent must be configured to Require Cookies.
- Idle Timeout: If enabled, determines the amount of time that an authorized user session can remain inactive before the Agent terminates the session. If you are concerned about users leaving their workstations after accessing a protected resource, set the idle timeout to a shorter period of time. If the session times out, users must re-authenticate before accessing the resources in the realm. This setting is enabled by default. To specify no session idle timeout, clear the checkbox. The default session idle timeout is one hour.
  The session actually expires within a certain maintenance time period after the specified idle timeout value. The extra time period is determined by the number of seconds specified in the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\SessionServer\MaintenancePeriod
  Default: 60 seconds.
  For example, if you set the idle timeout to 10 minutes and use the default value of the MaintenancePeriod registry setting, the longest time period before a session times out due to inactivity is 11 minutes (specified timeout + maintenance period). To use this feature with the Basic authentication scheme, your Web Agent must be configured to Require Cookies. Be aware of the following:
  - For persistent sessions, the Idle Timeout must be enabled and set to a value higher than that specified for the Validation Period.
  - You can override this global setting by using the WebAgent-OnAuthAccept-Session-Idle-Timeout response attribute. A value of zero indicates that the session will not end because of inactivity.
- Hours: Specifies the hours value for the idle timeout period.
- Minutes: Specifies the minutes value for the idle timeout period.
- Persistent Session: To see this setting, enable the Session Server using the Policy Server Management Console.
  - Non-Persistent: Specifies that sessions in this realm are non-persistent. User sessions are tracked using cookies.
  - Persistent: Specifies that sessions in this realm are persistent. User sessions are tracked in the session store and optional cookies. If you select this option, the Idle Timeout Enabled option must be set. Additionally, you can specify a validation period. If you configure one or more realms to use persistent sessions, you must ensure that the Session Server is enabled and configured.
- Validation Period: To see this setting, enable the Session Server using the Policy Server Management Console and enable the Persistent Session option (above). If enabled, determines the period for which the Agent caches the result of a session validation call to the Policy Server. Session validation calls perform two functions: informing the Policy Server that a user is still active and checking that the user session is still valid. If disabled, the agent always tries to validate the session from its cache and only calls the Policy Server if the session is not available in its cache. To specify the validation period, enter values in the Hours, Minutes, and Seconds fields. If you are configuring the system to provide a Windows user security context, set this value high, for example, 15-30 minutes. The Validation Period depends on the DRIFT value that is set by Policy Server and Web Agent functions, as follows:
  - DRIFT == -1: The Validation Period is disabled; the session is always served from the Agent cache, and the Agent only goes to the Policy Server when the session is not available in the cache.
  - DRIFT == 0: The default value of the Validation Period; the Agent always validates the session from its cache and only goes to the Policy Server when the session is not available in the cache.
  - DRIFT > 0: Caches the session for the duration DRIFT.
  The session validation period must be less than the specified Idle Timeout value.
- Synchronous Auditing: Specifies that the Policy Server and Web Agent must log related actions before users are allowed access to resources. Access is also prevented until the activity is recorded in the audit logs.
- Enhanced Session Assurance: Protects the resources that are specified in the realm (of the policy domain model) or the component (of the application model). You can also protect the authentication requests of certain federation partnerships. The session assurance end point collects the DeviceDNA™ from the user and validates the session. Value: Specify session assurance end points.
- Session Assurance: Specifies the name of an Enhanced Session Assurance with DeviceDNA™ end point that you previously defined in the Administrative UI. The sessions of users who access this realm (for policy domains) or component (for applications) are validated using this end point.
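As an added illustration of the session rules in this section (the timeouts of the realm where the user authenticated still apply after the user moves to another realm, idle expiry is detected within the MaintenancePeriod after the idle deadline, and persistent sessions need an Idle Timeout longer than the Validation Period), the following Python model is not CA Single Sign-On code; its class and function names and the timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Default of the SessionServer\MaintenancePeriod registry value quoted above.
MAINTENANCE_PERIOD = timedelta(seconds=60)

@dataclass
class RealmSession:
    """Hypothetical model of one realm's Session section (not CA's own code)."""
    name: str
    max_timeout: Optional[timedelta] = timedelta(hours=2)   # page default: two hours
    idle_timeout: Optional[timedelta] = timedelta(hours=1)  # page default: one hour
    persistent: bool = False
    validation_period: Optional[timedelta] = None           # None = disabled

    def config_problems(self) -> list:
        """Constraints stated on the page that these settings violate."""
        problems = []
        if self.persistent and self.idle_timeout is None:
            problems.append(f"{self.name}: persistent sessions require Idle Timeout")
        if (self.validation_period is not None and self.idle_timeout is not None
                and self.validation_period >= self.idle_timeout):
            problems.append(f"{self.name}: Validation Period must be below Idle Timeout")
        return problems

def expiry_window(auth_realm: RealmSession, authenticated_at: datetime, last_activity: datetime):
    """(earliest, latest) moments the session ends. Only the realm where the user
    authenticated counts; max timeout is absolute, idle expiry has a maintenance grace."""
    ends = []  # (earliest, latest) per configured limit
    if auth_realm.max_timeout is not None:
        end = authenticated_at + auth_realm.max_timeout
        ends.append((end, end))  # absolute, no grace period
    if auth_realm.idle_timeout is not None:
        end = last_activity + auth_realm.idle_timeout
        ends.append((end, end + MAINTENANCE_PERIOD))
    return (min(e for e, _ in ends), min(l for _, l in ends)) if ends else (None, None)

def worked_examples() -> dict:
    fmt = lambda window: tuple(t.strftime("%H:%M") for t in window)
    t0 = datetime(2024, 1, 1, 10, 0)  # constructed timestamp: authenticated at 10:00
    realm_a = RealmSession("RealmA", max_timeout=timedelta(minutes=30), idle_timeout=None)
    # Resource in RealmB touched at 10:15; RealmB's own two-hour default never enters.
    cross_realm = fmt(expiry_window(realm_a, t0, t0 + timedelta(minutes=15)))
    idle_realm = RealmSession("Idle", max_timeout=None, idle_timeout=timedelta(minutes=10))
    idle = fmt(expiry_window(idle_realm, t0, t0))  # 10 min idle + 60 s maintenance
    no_idle = RealmSession("NoIdle", idle_timeout=None, persistent=True)
    long_validation = RealmSession("LongVal", validation_period=timedelta(hours=2))
    return {"cross_realm": cross_realm, "idle": idle,
            "problems": no_idle.config_problems() + long_validation.config_problems()}
```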
Realm Dialog-Advanced Section
The Advanced section is where you can configure registration schemes, enhanced directory mappings (authorization and validation), and legacy directory mappings. In addition, you can configure the types of events that are processed for the realm, which enable you to associate rules with the indicated types of events, and a minimum confidence level.
- Authorization Identity Mapping: The Authorization Identity Mapping section is where you specify an authorization directory in which users access resources in the realm. Authorization identity mappings allow users who are authenticated in one directory to be authorized in another directory.
  - Authorization Mapping: Specifies the authorization directory for the realm. Only directory mappings that have already been configured using the Directory Mapping: Identity Mapping Dialog appear in the list.
  - Create Authorization Mapping: Opens the Identity Mapping dialog to create an authorization identity mapping object.
- Validation Identity Mapping: The Validation Identity Mapping section is where you specify a validation directory in which users access resources in the realm. Validation identity mappings allow users who are authenticated in one directory to be validated in another directory.
  - Validation Mapping: Specifies the validation directory for the realm. Only directory mappings that have already been configured using the Directory Mapping: Identity Mapping Dialog appear in the list.
  - Create Validation Mapping: Opens the Identity Mapping dialog to create a validation identity mapping object.
- Legacy Authorization Directory Mapping: The Directory Mapping section is where you specify an authorization directory for users who access resources in the realm. Directory mappings allow users who are authenticated in one directory to be authorized in another directory.
  - Directory Mapping: Specifies the authorization directory for the realm. Only directory mappings that have already been configured using the Directory Mapping: Auth/AZ Mapping Dialog appear in the list. You can only select mappings to authorization directories that are included in the policy domain in which the realm is located.
  - Create Legacy Authorization Mapping: Opens the Directory Mapping dialog for authentication and authorization directory mapping.
- Events: The Events section is where you enable event processing for authentication and authorization events to support rules that are triggered by these events.
  - Process Authentication Events: Supports rules triggered by authentication attempts.
  - Process Authorization Events: Supports rules triggered by authorization attempts. If the resources in the realm are associated with global rules in a global policy, authentication and authorization events must be enabled. The Policy Server processes global policies only if authentication and authorization events are enabled.
- Risk Factor Support: If the Policy Server is integrated with a supported risk analysis engine, the Risk Factor Support section is where you enter a minimum confidence level. A confidence level represents credential assurance, which is the likelihood that the user requesting the protected resource is legitimate. This section is available only if confidence level support is enabled.
Realm Dialog-Flush Resources in Realm Section
The Flush Resources in Realm section appears when you modify an existing realm. It contains the following item:
- Flush: Empties the realm's information from the resource cache.