PingAM 8.0.0

Secure realms

The AM installation process creates the Top Level Realm (/), which contains AM default configuration data. This realm can’t be deleted or renamed, because it is the root of the realm hierarchy in AM.

Consider the following list of security best practices related to realms:

Create strong authentication trees

Make sure your users log in to AM using sensible authentication trees, such as trees that enforce MFA.

Configure sensible default authentication services

By default, non-administrative users log in to AM using the tree configured in the Organization Authentication Configuration property for the realm. To locate this property, go to Realms > Realm Name > Authentication > Settings > Core.

Be extra careful when setting your default authentication tree.

If you leave the default authentication service set to the ldapService tree, users can still post their username and password to the authentication endpoint without naming a tree and retrieve a session, regardless of any other authentication services configured in the realm.

For example, consider a deployment where you retain the default authentication tree, ldapService. If you set up two-factor authentication, your users can still access their accounts without performing the correct two-factor authentication login sequence by using the default ldapService tree.

When you are ready to go to production, set the default authentication tree to your most secure tree. Don’t leave it set to ldapService unless you have strengthened that tree with additional authentication requirements such as MFA.

Make sure you change the default for all realms, including the Top Level Realm.
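The following added example (not PingAM's own code) audits this setting the way the text describes: it performs a zero-page login against each realm's default authenticate endpoint, without naming a tree, and reports whether a session was issued from username and password alone. BASE_URL, the realm names and the audit account credentials are assumptions; substitute a dedicated test account in your own deployment.

```python
"""Audit: does a realm's default tree issue a session from a password alone?"""
import json
import urllib.request
from urllib.error import HTTPError

# Assumption: AM is deployed under the /am context path at this host.
BASE_URL = "https://am.example.com/am"


def authenticate_url(realm):
    """Build the authenticate endpoint for a realm ("/" = Top Level Realm).
    No authIndexType/authIndexValue is sent, so AM selects the realm's
    default tree (Organization Authentication Configuration)."""
    path = "root"
    if realm.strip("/"):
        path += "/realms/" + realm.strip("/").replace("/", "/realms/")
    return f"{BASE_URL}/json/realms/{path}/authenticate"


def classify(status, body):
    """Map an authenticate response to an audit verdict."""
    if status == 200 and "tokenId" in body:
        return "SESSION_ISSUED"            # first factor alone was enough
    if status == 200 and "callbacks" in body:
        return "MORE_FACTORS_REQUIRED"     # tree asked for another step
    if status == 401:
        return "REJECTED"                  # credentials refused
    return "UNEXPECTED"


def _http_send(req):
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:               # AM returns JSON on 401 too
        return err.code, json.load(err)


def check_default_tree(realm, username, password, send=_http_send):
    """Zero-page login via the documented X-OpenAM-* headers; `send` lets
    a test substitute a fake transport for the real HTTP call."""
    headers = {"X-OpenAM-Username": username, "X-OpenAM-Password": password,
               "Content-Type": "application/json",
               "Accept-API-Version": "resource=2.0, protocol=1.0"}
    req = urllib.request.Request(authenticate_url(realm), data=b"{}",
                                 method="POST", headers=headers)
    return classify(*send(req))


if __name__ == "__main__":
    for realm in ("/", "/customers"):      # realm names are assumptions
        print(realm, check_default_tree(realm, "audit-user", "audit-pw"))
```

A verdict of SESSION_ISSUED for a realm means its default tree still grants a session on the first factor alone and should be replaced with the MFA tree before going to production.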

Prevent access to the Top Level Realm

If most of your privileged accounts reside in the Top Level Realm, consider blocking authentication endpoints that allow access to the Top Level Realm.