What's RealMe RCMS?


CMS iconRealMe® RESTful Context Mapping Service (RCMS) provides the ability for an agency to extend the user's current authentication session to allow seamless user interaction with RealMe services or provide joined up services with one or more other agencies.

The key use cases supported by RCMS are:

  • Assert then log in - when the first time user opts to use verified identity to register with the agency, the assertion service authentication can be extended to the agency session to complete the enrolment process.
  • Extended login - when the logged in user is transacting with the agency, the authentication can be extended to a subsequent agency to retrieve or forward customer data via a cross-agency web service.
  • Delayed extended login - after transacting with the agency, a later process milestone can trigger a web service exchange with a subesquent agency without needing reauthentication.
  • Seamless authentication - when the logged in user is transacting with the agency, the user can be redirected to a subsequent agency to complete a cross-agency business process without reauthenticating.

 At this stage, the potential use of RCMS applies to organisations in the wider government sector that are already using the RealMe login service. Context mapping service is a set of building blocks - how it's used is very dependant on the business context and specific use cases. If your agency is considering a customer-centric joined up business process with another agency, then contact us to discuss what's possible.

Key characteristics of RCMS

Privacy protection

The RealMe RESTful Context Mapping Service provides support for government to deliver joined up agency services online in a citizen-centric, privacy-protective way.

Login attributes token (LAT) - when opting to use RCMS, the initiating agency is configured to receive the LAT as part of the SAML authentication response; it essentially contains the same authentication details in an easily accessible format.

Opaque token (OT) - the initiating agency makes an Issue request to RCMS and includes the LAT, the entityID of the target agency and the required use case. In response, RCMS returns the OT which encrypts the FLT in a way that cannot be read by the target agency.

Target agency FLT - the receiving agency makes a Redeem request to the RCMS and includes the OT. In response, RCMS returns the target agency FLT which may already exist or can be newly created.

Redeem token (RT) - the receiving agency also receives the redeem token which can be used in the same way as the LAT with a subsequent agency.


The context mapping service has been implemented using a RESTful web service. This replaces the earlier and more complex WS-* based iCMS that has been deprecated but still supported for existing clients. The API uses JSON web tokens (JWT) and HTTP-POST requests. RCMS Authorisation uses an API token and the web service requires a TLS certificate.

RCMS process flow

Assert then log in sequence diagram


Note that the Assert then log in is a specific instance of the RCMS extended log in use case - in this instance, the RealMe assertion service is the initiating service provider (for context mapping) and the agency making the SAML verification request is the target agency. The lifetime of the opaque token is 60 minutes from the time when the user authenticated.