Realm Trust Relationships
Realms may choose to trust authentication credentials from other realms. Suppose that realm pete trusts realm purdue. If user mary authenticates to purdue, her credentials would also be accepted by pete.
Characteristics of Trust Relationships:
- Trust relationships are established in the realm configuration file.
- Trust relationships are one-way. The fact that realm pete trusts realm purdue does not imply that purdue trusts pete. Two-way trust relationships must be established explicitly if they are desired.
- Trust relationships do not determine realm membership. Suppose that mary is joined to the pete realm but not the purdue realm, and purdue trusts pete. Can mary authenticate to pete and have her credentials accepted by purdue? No. Even though purdue trusts pete, mary isn't joined to purdue. Trusting another realm does not join its members to your realm.
- What are the implications of trusting another realm? Mainly, that you trust that realm's security policies. In other words, you think their chosen encryption type is as strong as or stronger than yours, and that their authentication security policies are a good match for yours.
- Not all trust relationships make sense! For example, a realm that uses a weak encryption type might choose to trust a realm that uses a strong one, but the opposite case wouldn't make sense. Realms that have few members in common do not benefit from trust relationships.
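The rules above can be checked mechanically. The following is an added example, not code from the original page or from the realm software: it models one-way trust and membership, then audits trust edges for the two cases the text calls senseless. The Realm class, the numeric enc_strength rank, the min_shared threshold, the lab realm and the users bob and alice are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Realm:
    name: str
    enc_strength: int  # assumed numeric rank; higher = stronger encryption type
    members: set = field(default_factory=set)
    trusts: set = field(default_factory=set)  # realms this realm trusts (one-way)

def accepts(realms, target, user, authenticated_at):
    """Would realm `target` accept credentials `user` obtained from `authenticated_at`?"""
    t, a = realms[target], realms[authenticated_at]
    if user not in a.members:  # assumption: users authenticate only to realms they joined
        return False
    if user not in t.members:  # trusting a realm does not join its members to yours
        return False
    return target == authenticated_at or authenticated_at in t.trusts

def audit_trusts(realms, min_shared=1):
    """List (truster, trusted, reason) for trust edges that do not make sense."""
    findings = []
    for r in realms.values():
        for name in sorted(r.trusts):
            other = realms[name]
            if other.enc_strength < r.enc_strength:
                findings.append((r.name, name, "trusted realm uses weaker encryption"))
            if len(r.members & other.members) < min_shared:  # assumed threshold
                findings.append((r.name, name, "too few members in common"))
    return findings

# Constructed sample data: pete, purdue and mary come from the text; the rest is made up.
REALMS = {
    "pete": Realm("pete", 1, {"mary", "bob"}, {"purdue"}),
    "purdue": Realm("purdue", 2, {"mary"}),
    "lab": Realm("lab", 3, {"alice"}, {"pete"}),
}

if __name__ == "__main__":
    print(accepts(REALMS, "pete", "mary", "purdue"))   # pete trusts purdue
    print(accepts(REALMS, "purdue", "mary", "pete"))   # trust is one-way
    print(accepts(REALMS, "lab", "bob", "pete"))       # bob is not joined to lab
    for finding in audit_trusts(REALMS):
        print(finding)
```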