Realms

Overview

Realms let you manage different sets of identities and applications within the same Identity Cloud tenant. Each realm is fully self-contained and operates independently of other realms within a tenant.

The identities and applications in one realm cannot by default access those in another realm. However, you can grant conditional access across realms.

A typical example of realm management is when a company divides its identities into two realms: one for employees, and one for customers, each with a distinct set of identities and registered applications. The realms provide the means to keep customers from accessing employee information, while allowing employees conditional access to customer information.

For more information on managing realms, see Realm settings.

Administrator management

The tenant provisioning process initially creates a single administrator, known as the tenant administrator. A tenant administrator is authorized to configure realm and tenant settings, and to invite others to become administrators. All administrator identities get the same top-level realm permissions, and these are not configurable.

You can invite, view or edit administrators by opening the account menu in the top right of the Identity Cloud Admin UI, then navigating to Tenant Settings > Admins.

Administrator sign-in

Administrators access their sign-in page using a URL that specifies the top-level realm, which is represented as a forward slash:

  • https://<tenant-name>.forgeblocks.com/login/?realm=/#/

Upon successful authentication, an administrator is automatically switched from the top-level realm to the Alpha realm (the Alpha realm is explained next).

For more information on administrators, see Administrator settings.

Alpha and Bravo realms

The Alpha and Bravo realms are the two default realms that are included as part of an Identity Cloud tenant. These realms are configurable, unlike the top-level realm that Identity Cloud configures for administrator identities.

Identity Cloud currently does not support more than two realms in the same tenant.

The Alpha and Bravo realms are nearly identical, with the exception of delegated administration.

[Screenshot: Identities > Manage, showing the Alpha and Bravo realms]

End-user sign-in

End users access their sign-in page using a URL that specifies the realm they belong to. For example:

  • Alpha realm members use https://<tenant-name>.forgeblocks.com/login/?realm=alpha/#/

  • Bravo realm members use https://<tenant-name>.forgeblocks.com/login/?realm=bravo/#/

Administrators cannot authenticate using these realm-specific login URLs because administrators belong to the top-level realm.
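The sign-in URL rules above (top-level realm written as a forward slash for administrators, realm-specific URLs for Alpha and Bravo end users) can be encoded as a small helper. This is an added example, not Identity Cloud code; it assumes the forgeblocks.com host pattern shown on this page and treats any realm other than Alpha and Bravo as unsupported.

```python
from urllib.parse import urlparse, parse_qs

# Assumed from the URLs on this page: tenants live under forgeblocks.com.
HOST_SUFFIX = ".forgeblocks.com"
TOP_LEVEL = "/"                       # the administrators' realm
CONFIGURABLE_REALMS = ("alpha", "bravo")


def login_url(tenant: str, realm: str) -> str:
    """Build the sign-in URL for a realm.

    '/' is the top-level (administrator) realm; 'alpha' and 'bravo' are the
    two end-user realms. Anything else is rejected because a tenant supports
    no other realms.
    """
    if realm == TOP_LEVEL:
        value = "/"
    elif realm in CONFIGURABLE_REALMS:
        value = realm + "/"
    else:
        raise ValueError(f"unsupported realm: {realm!r}")
    return f"https://{tenant}{HOST_SUFFIX}/login/?realm={value}#/"


def realm_of(url: str) -> str:
    """Return '/' for a top-level sign-in URL, else the realm name."""
    parts = urlparse(url)
    host = parts.hostname or ""
    if not host.endswith(HOST_SUFFIX) or parts.path != "/login/":
        raise ValueError("not an Identity Cloud sign-in URL")
    values = parse_qs(parts.query).get("realm")
    if not values or len(values) != 1:
        raise ValueError("realm parameter missing or repeated")
    realm = values[0].strip("/").lower()   # 'alpha/' -> 'alpha', '/' -> ''
    if realm == "":
        return TOP_LEVEL
    if realm in CONFIGURABLE_REALMS:
        return realm
    raise ValueError(f"unknown realm: {values[0]!r}")


def may_sign_in(member_realm: str, url: str) -> bool:
    """An identity may only use the sign-in URL of the realm it belongs to.

    Administrators belong to the top-level realm ('/'), so the Alpha and
    Bravo URLs are rejected for them, and vice versa for end users.
    """
    return realm_of(url) == member_realm
```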

For more information on realms, see Realm settings.

Delegated administration

The Bravo realm does not support delegated administration.

In the Alpha realm you can set up internal roles for delegated administration using a custom set of privilege attributes. You can then assign those internal roles to users, so that Alpha realm users can act as delegated administrators and perform actions on the custom set of attributes specified by the role.

You can assign the internal roles in two different ways using the Identity Cloud Admin UI:

  • To add an internal role to a user, go to Identities > Manage > Realm - Users. Select a user, then select the Authorization Roles tab, then click the Add Authorization Roles button:

    [Screenshot: Authorization Roles tab for a user]

  • To add a user to an internal role, go to Identities > Manage > Internal Roles. Select a role, then select the Members tab, then click the Add Members button:

    [Screenshot: Members tab for an internal role]

However, in the Bravo realm, while you can also set up internal roles for delegated administration, you cannot use them. You cannot add a user to an internal role, and even though it appears possible to add an internal role to a user, this will not correctly link the user to the role. If you attempt this, the user will not be listed in the internal role Members tab.

The following table summarizes these differences:

Action                                                              Alpha realm   Bravo realm
------------------------------------------------------------------  -----------   ----------------------------------
Create internal role for the purposes of delegated administration   Yes           Yes
Add user to internal role                                           Yes           No
Add internal role to user                                           Yes           Appears possible but will not work