An Introduction to Realms in Okta

Okta recently added a new feature to the Universal Directory called Realms. This article provides an overview of the new feature.

Note that Realms is only available with the Okta Identity Governance and Secure Partner Access products. At the time of writing this article, Realms is in Early Access.

Background – Why do we need Realms?

It is common in many identity management products to need to manage discrete populations of users with some form of delegated administration. The most common example is where partners are defined in the IdM solution and you want someone from each partner to manage their users and the access they have. Another example is geographic or departmental dispersion where you want nominated administrators to manage only the people in their domain. Across all of this you still need system-wide administrators.

With Okta this has been possible via two patterns:

  1. Use of Groups and Admin Roles – in this pattern the different user populations are made members of groups and then administrative roles are created to restrict the functions an admin can perform on the users in those groups. This pattern allows overlap of administration as a user may be in multiple groups. As all users and apps are in the one org, management of app assignment is straightforward.
  2. A multi-org deployment – where different Okta tenants (orgs) are created for each user population and admins and roles are defined in each org. This does not need to use groups (but they could be). This model could allow a user to be in multiple orgs. Management of app assignment is more complex in a multi-org deployment as apps may be spread across different orgs.

The two patterns are shown (simplistically) below.

The challenge with both of these is the administrative overhead, particularly when you need to add or remove user populations.

What Are Realms?

Realms are user containers with inherent administrative boundaries. A user belongs to a realm (and only one realm) and administrative roles are assigned to the realm (or realms). Assignment of administrators to collections of users is much simpler as you assign them to the realm.

This is shown in the following figure.

There is always a default realm, and if Realms is turned on in an existing org, then all the existing users are put in that default realm. You can then create additional realms for the different user communities and define the admin roles to manage the users in them.

Realms only contain users; apps and groups remain system-wide.

Realms are used by Secure Partner Access, and users’ realms can be used by some functions in Okta Identity Governance for scoping. Realms is only available with the Secure Partner Access or Okta Identity Governance products (SKUs).

A more detailed explanation can be found in Realms for Workforce Management – A New Flexible Way to Manage your Organization. There’s also an overview video on YouTube.

Working with Realms

In this section we will look at some of the capabilities of Realms.

Realm Administration

Realms can be managed in the Okta Admin Console under the Directory menu.

Users can be viewed by realm, but when managing users you’re still managing the user profile.

Realms administration can be found under the various Manage Realms help topics.

Automatic Onboarding of Users into Realms

Now that there are different containers for users, how do you assign users to these containers? You can select the realm when creating a user profile in the Admin Console. But this is not practical when bulk-loading users.

This is where Realm assignments come in. They allow creation of conditions (rules) to control how users are assigned to different realms.

These conditions can be prioritised and also toggled from active to inactive. The conditions can also leverage different IdPs, not just Okta. This is particularly useful for federated users.

Realm assignments will be evaluated on each user create. But you can also run all realm assignments to re-evaluate all users (which may result in users being moved).

See the Realm assignments help page for more details.
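To make the realm-assignment behaviour described above concrete, here is an added simulation (not Okta code and not from the original article) of how prioritised, toggleable rules select a realm for a user, both at user-create time and when all assignments are re-run. The rule shape (priority, active flag, an optional profile-source restriction for federated users, a condition over profile attributes) mirrors the concepts in the text; the exact ordering semantics (lower priority number evaluated first, first match wins, fallback to the default realm) are assumptions to confirm against the Okta documentation, and all realm ids, IdP ids and user profiles are constructed sample data.

```python
"""Simulation of prioritised realm assignment rules (added illustration, not Okta code)."""
from dataclasses import dataclass
from typing import Callable, Optional

DEFAULT_REALM = "realm_default"  # constructed id standing in for the org's default realm


@dataclass(frozen=True)
class RealmAssignment:
    name: str
    priority: int                                 # assumption: lower number is evaluated first
    realm_id: str
    condition: Callable[[dict], bool]             # rule over the user profile
    profile_source_id: Optional[str] = None       # restrict the rule to users from one IdP/source
    active: bool = True                           # rules can be toggled active/inactive


@dataclass
class User:
    login: str
    profile: dict
    profile_source_id: str = "okta"               # "okta" = Okta-mastered, else an IdP id
    realm_id: str = DEFAULT_REALM


def select_realm(user: User, assignments) -> tuple:
    """Return (realm_id, matching_rule_name); default realm when nothing matches."""
    for rule in sorted(assignments, key=lambda r: r.priority):
        if not rule.active:
            continue
        if rule.profile_source_id and rule.profile_source_id != user.profile_source_id:
            continue  # federated-only rule does not apply to this user's source
        try:
            matched = bool(rule.condition(user.profile))
        except (KeyError, AttributeError, TypeError):
            matched = False  # an incomplete profile must fail closed, not crash evaluation
        if matched:
            return rule.realm_id, rule.name
    return DEFAULT_REALM, None


def on_user_create(user: User, assignments) -> User:
    """Assignments are evaluated once when the user is created."""
    user.realm_id, _ = select_realm(user, assignments)
    return user


def run_all_assignments(users, assignments) -> list:
    """Re-evaluate every user; returns (login, old_realm, new_realm) for users that moved."""
    moves = []
    for u in users:
        new_realm, _ = select_realm(u, assignments)
        if new_realm != u.realm_id:
            moves.append((u.login, u.realm_id, new_realm))
            u.realm_id = new_realm
    return moves


# Constructed sample rules: a partner domain, an IdP-scoped contractor rule and an inactive rule.
ASSIGNMENTS = [
    RealmAssignment("acme-partner", 10, "realm_acme",
                    lambda p: p["email"].lower().endswith("@acme.example")),
    RealmAssignment("federated-contractors", 20, "realm_contractors",
                    lambda p: p.get("userType") == "contractor",
                    profile_source_id="idp_contractor_saml"),
    RealmAssignment("emea-staff", 30, "realm_emea",
                    lambda p: p.get("countryCode") in {"DE", "FR", "GB"},
                    active=False),
]


def demo() -> dict:
    """Create three constructed users and report which realm each landed in."""
    users = [
        User("a@acme.example", {"email": "a@acme.example"}),
        User("c@corp.example", {"email": "c@corp.example", "userType": "contractor"},
             profile_source_id="idp_contractor_saml"),
        User("d@corp.example", {"email": "d@corp.example", "countryCode": "DE"}),
    ]
    for u in users:
        on_user_create(u, ASSIGNMENTS)
    return {u.login: u.realm_id for u in users}


if __name__ == "__main__":
    print(demo())
```

The inactive "emea-staff" rule is the interesting case: the German user stays in the default realm at creation, and only moves once the rule is activated and all assignments are re-run, which is exactly the "users may be moved" effect the article warns about.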

Delegating User Management

One of the drivers for the Realms feature was a simpler delegated administration model. To apply delegated administrators to realms, you need to:

  1. Create a custom admin role,
  2. Create a resource set for that realm, and
  3. Create an admin assignment

When these are configured, the assigned realm admins have a restricted user interface for managing the users (note that the Secure Partner Access product also has a Secure Partner Access portal for this).

See the Delegate realm management section for more details.

Okta Workflows and Realms APIs

Okta Workflows is well suited to building automation, and user management tasks such as importing users from an external store can benefit from it.

There is a new Okta Realms connector in Workflows. There are action cards to:

  • Create a realm,
  • Create a realm user (create a user in a realm),
  • List realm users,
  • Read realm,
  • Search realms,
  • Update realm, and
  • Update realm for user

Note that there are no actions for managing the assignment rules (but there are APIs).

An example of using the Okta Realms connector to list all users in a realm is shown below.

There are Realms and Realm Assignments APIs available. You could combine the Workflows actions, these APIs and the Administrator Roles API to automate the creation of new realms.
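As an added example of the automation the paragraph above suggests (this is not Okta's code and not from the original article), the following script chains the Realms API with the three delegated-administration steps from the previous section: create the realm, create a custom admin role, create a resource set scoped to that realm's users, and bind an administrator to the role over that resource set. The endpoint paths (`/api/v1/realms`, `/api/v1/iam/roles`, `/api/v1/iam/resource-sets`, `/api/v1/iam/resource-sets/{id}/bindings`) follow the public Okta API reference; the realm-scoped resource ORN format and the permission names are assumptions to verify against the current documentation before use. HTTP goes through an injectable `send` callable so the flow can be exercised offline against a fake transport.

```python
"""Delegated realm administration via the Okta Realms and Administrator Roles APIs.
Added example, not Okta's own code. ORN format and permission names are assumptions.
"""
import json
import urllib.request

# Least privilege for a realm admin: only read and manage users, nothing org-wide.
# (assumption: these permission identifiers match the current Okta docs)
REALM_ADMIN_PERMISSIONS = ["okta.users.read", "okta.users.manage"]


def http_send(org_url: str, token: str):
    """Default transport: real HTTPS calls authenticated with an SSWS API token."""
    def send(method, path, body):
        req = urllib.request.Request(
            org_url + path, method=method,
            data=json.dumps(body).encode() if body is not None else None,
            headers={"Authorization": f"SSWS {token}",
                     "Accept": "application/json",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read() or b"{}")
    return send


def create_realm(send, name: str) -> str:
    """Realms API: create a realm and return its id."""
    return send("POST", "/api/v1/realms", {"realmProfile": {"name": name}})["id"]


def create_realm_admin_role(send, realm_name: str) -> str:
    """Administrator Roles API: a custom role carrying only the user permissions."""
    body = {"label": f"{realm_name} user admin",
            "description": f"Manage users in realm {realm_name} only",
            "permissions": REALM_ADMIN_PERMISSIONS}
    return send("POST", "/api/v1/iam/roles", body)["id"]


def create_realm_resource_set(send, org_id: str, realm_id: str, realm_name: str) -> str:
    """Resource set limiting the role to the users contained in one realm."""
    # Assumption: ORN for "users in this realm"; confirm the format in the Okta docs.
    orn = f"orn:okta:directory:{org_id}:realms:{realm_id}:users"
    body = {"label": f"{realm_name} users",
            "description": f"Users contained in realm {realm_name}",
            "resources": [orn]}
    return send("POST", "/api/v1/iam/resource-sets", body)["id"]


def bind_admin(send, org_url: str, resource_set_id: str, role_id: str, admin_user_id: str):
    """Admin assignment: bind the role to the admin user over the resource set."""
    body = {"role": role_id,
            "members": [f"{org_url}/api/v1/users/{admin_user_id}"]}
    return send("POST", f"/api/v1/iam/resource-sets/{resource_set_id}/bindings", body)


def delegate_realm(send, org_url: str, org_id: str, realm_name: str, admin_user_id: str) -> dict:
    """Run the full flow; returns every created id so the caller can audit or roll back."""
    realm_id = create_realm(send, realm_name)
    role_id = create_realm_admin_role(send, realm_name)
    rs_id = create_realm_resource_set(send, org_id, realm_id, realm_name)
    bind_admin(send, org_url, rs_id, role_id, admin_user_id)
    return {"realm": realm_id, "role": role_id, "resource_set": rs_id}


if __name__ == "__main__":
    import os
    # Real run: ORG_URL, ORG_ID, OKTA_TOKEN and ADMIN_USER_ID are placeholders the operator supplies.
    sender = http_send(os.environ["ORG_URL"], os.environ["OKTA_TOKEN"])
    print(delegate_realm(sender, os.environ["ORG_URL"], os.environ["ORG_ID"],
                         "acme-partner", os.environ["ADMIN_USER_ID"]))
```

Returning the created ids matters operationally: if the binding step fails, the realm, role and resource set already exist and should be cleaned up or reused rather than recreated on retry, and the ids are what you would record in a change ticket for the new delegated-admin scope.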

Managing Partners

Okta has released the Secure Partner Access product to leverage Realms for partner management. We have a dedicated Secure Partner Access page for all the SPA- and Realms-related articles.

Applying Governance

Okta Identity Governance (OIG) also makes use of Realms. With OIG you are managing a user’s assignment to groups, applications and/or entitlements. You aren’t managing user profiles against realms or moving users between realms.

The two use cases supported with OIG involve scoping users by realm:

  • Certify users in your realms with Access Certifications – scope users or reviewers in a campaign by realm
  • Configure application entitlement policy with Entitlement Management – leverage the user.realmId profile attribute in an app entitlement policy.

See Realms with Okta Identity Governance for more details and examples.

Known Limitations and Workarounds

Please see the Requirements and Limitations section of the product documentation. We won’t copy them here as they are liable to change as the feature develops.

Conclusion

Realms represent an elegant solution to the challenge of managing disparate populations of users in a delegated administration model. They remove or reduce the need for complex admin groups or multi-org deployments. Realms are built into Universal Directory and leveraged by Secure Partner Access and Okta Identity Governance.

You may find the following links useful:
