Difference between Realm and RealmOID

Article ID: 211130

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

 

When running a Web Agent and protecting applications, one might see
the parameters "REALMOID" or "REALM", which show different values and
which are set in the URI of the request, like:

  https://myhost.mydomain.com/siteminder/mylogin.fcc?TYPE=33554433&REALMOID=06-6eddcc7e-a445-5e5e-b836-6b76aeb998b3&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$5VYFXkCsUxr25G8lni1eZq3bN7JYP2PSADDsaDWDFdferf42sd2fesWZlXAGWox7cAgsS4WRuWmDYrtS2%2bTXZ5nk3kBR%2b&TARGET=$SM$https%3A%2F%2Fmywebserver.mydomain.com%2FmyPage.html

and

  https://mywebagent.mydomain.com/siteminderagent/login.fcc?TYPE=16777344&REALM=$SM$MyApp-1.0%20%5B10%3A34%3A09%3A139831250261873%5D&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$Ej1UsOWvZOEBPOOQm4LHh8gWmuiPEWFDD11fds44e4e1sfdRBqlnXkN81ZuuiHhskd4dasdass1kZbtRTqN8W806vXWsbrW&TARGET=$SM$https%3A%2F%2Fmyotherserver.mydomain.com%2F

 

Cause

 

REALMOID is the numeric part of the XID of the Policy Store realm
which is accessed.

If you run the following command on the Policy Server:

  XPSExport pstore.xml -xb -npass

and you search in pstore.xml for the number
"06-6eddcc7e-a445-5e5e-b836-6b76aeb998b3", you should find something
like this:

  [...] Xid="CA.SM::Realm@06-6eddcc7e-a445-5e5e-b836-6b76aeb998b3" [...]

and you will see the full configuration of the given realm. You will
see the same number if you run XPSExplorer and display the realm.

 

Resolution

 

Out of the box, the REALM Name is used for Basic Authentication Scheme
and Cert Authentication Scheme or Cert + Forms Authentication Scheme
only. You are probably using "Cert or Forms Authentication
Scheme". This behavior is not configurable, other than by changing
the Authentication Scheme type.

Whenever a credential pop-up comes up, the REALM Name, as well as the
time at that point, is displayed.

Note that the REALM Name is URL encoded, and URL encoding is allowed in
URLs by internet standards.
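
The two redirect forms shown above can be told apart and decoded programmatically, for example when reviewing web server access logs. The following is an added example, not code from the article or from the product; the function names are hypothetical, and it assumes that "$SM$" is only a literal marker in front of the value and that the decoded REALM value has the "name [suffix]" shape seen in the article's URL.

```python
import re
from urllib.parse import urlsplit, unquote

SM_PREFIX = "$SM$"  # literal marker in front of REALM and TARGET values in the article's URLs
# Decoded REALM value in the article: realm name, then a bracketed suffix carrying the time.
REALM_RE = re.compile(r"^(?P<name>.*?)\s*\[(?P<suffix>[^\]]*)\]$")

# The article's two example redirects, abridged (SMAGENTNAME omitted).
URL_REALMOID = ("https://myhost.mydomain.com/siteminder/mylogin.fcc?TYPE=33554433"
                "&REALMOID=06-6eddcc7e-a445-5e5e-b836-6b76aeb998b3&GUID=&SMAUTHREASON=0"
                "&METHOD=GET&TARGET=$SM$https%3A%2F%2Fmywebserver.mydomain.com%2FmyPage.html")
URL_REALM = ("https://mywebagent.mydomain.com/siteminderagent/login.fcc?TYPE=16777344"
             "&REALM=$SM$MyApp-1.0%20%5B10%3A34%3A09%3A139831250261873%5D&SMAUTHREASON=0"
             "&METHOD=GET&TARGET=$SM$https%3A%2F%2Fmyotherserver.mydomain.com%2F")

def _value(params, key):
    """Percent-decode one parameter and drop the $SM$ marker; None if absent or empty."""
    raw = unquote(params.get(key, ""))  # unquote() leaves '+' alone, unlike parse_qs
    if raw.startswith(SM_PREFIX):
        raw = raw[len(SM_PREFIX):]
    return raw or None

def describe_login_redirect(url):
    """Report which realm identifier a login redirect carries, in readable form."""
    pairs = (p.partition("=") for p in urlsplit(url).query.split("&") if p)
    params = {k: v for k, _, v in pairs}
    info = {"kind": None, "target": _value(params, "TARGET")}
    if "REALMOID" in params:
        info["kind"] = "REALMOID"
        # The number to search for in the XPSExport output (pstore.xml).
        info["realm_oid"] = _value(params, "REALMOID")
    elif "REALM" in params:
        info["kind"] = "REALM"
        decoded = _value(params, "REALM") or ""
        m = REALM_RE.match(decoded)
        info["realm_name"] = m.group("name") if m else decoded
        info["suffix"] = m.group("suffix") if m else None
    return info

if __name__ == "__main__":
    for url in (URL_REALMOID, URL_REALM):
        print(describe_login_redirect(url))
```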