Skip to content
FedTrustFederated TrustDocs

Enter at least two characters.

Type to search all documentation pages and sections. Use ↑ ↓ to move, Enter to open, and Esc to close.

Platform statuses are part of the claim

Organizations and custody

Keep organizational authority with the organization.

Organizations define who may administer their business context, which applications may be installed, where protected data is held, and how business-owned secrets can be recovered. Operating the platform does not itself grant tenant data authority.

Businesses04 chapters
01

Trust plane and data plane are separable

Federated Trust is designed to coordinate identity, application registration, policy, and delegation while protected business data remains in a deployment selected for that organization. These profiles are not generally available yet.

Provider-hosted

The designed managed profile reduces operational burden while retaining tenant boundaries, scoped support, and export responsibilities.

Customer-controlled

The designed connected profile places the data store and key services in infrastructure controlled by that customer, with typed service interfaces rather than unrestricted database coupling.

Isolated and sovereign

A sovereign or offline profile requires a validated deployment package, local key custody, bounded offline policy and revocation, rollback protection, secure time, recovery drills, and explicit update, observability, and support responsibilities.

Customer-controlled and sovereign data planes

Managed, customer-controlled connected, and sovereign/offline profiles are designed target shapes, not generally available offerings. Each requires a validated package and explicit infrastructure, custody, update, recovery, observability, and support responsibilities.

02

Support access is a grant, not an operator privilege

Explicit appointment

The designed model lets a customer appoint a service provider or partner to administer a defined resource set without granting platform-wide authority.

Least privilege

Support access should be scoped, time-bound where practical, attributable to a named actor or workload, reviewable, and revocable.

Local final deny

Every conforming customer-controlled service or vault must retain the final policy check before protected data is returned or changed.

Scoped tenant support delegation

Explicit, scoped, expiring, reviewable support authority is implemented as a reference contract and test substrate, but general Federated Trust service enforcement is still designed work.

Resource-service final deny

Local audience, tenant, revision, revocation, and resource-policy enforcement is a required design contract; conformance must be proven for each relying service.

03

Enterprise connections need named protocol profiles

Federation and lifecycle standards are configured per connection; a platform name alone does not prove every flow or provisioning behavior.

OIDC connections

OpenID Connect-oriented enterprise connection and issuer surfaces have limited implementation evidence; tenant pinning, assignment, claims, recovery, and lifecycle remain connection-specific.

SAML

SAML 2.0 is a planned enterprise federation profile and is not represented as generally available.

SCIM

SCIM 2.0 user and group provisioning is planned, including explicit ownership, reconciliation, deprovisioning, and evidence responsibilities.

04

Business recovery must be chosen and disclosed

An organization may need authorized custodians to recover business-owned vault items created by employees. That requires encryption-key custody—not password peppering—and should be visible to every affected user.

Named custodians

Recovery authority belongs to a defined organization role or approval quorum, never every administrator by implication.

BYOK is customer-managed, not automatically provider-blind

In a BYOK profile, the customer manages the key, but the service runtime may still be authorized to invoke unwrap. BYOK alone is not a zero-knowledge claim.

HYOK keeps unwrap authority with the customer

A validated HYOK profile keeps unwrap authority in the customer-controlled key service and gives the provider runtime no unwrap path. Sovereign profiles use a local KMS or HSM under the same rule.

No universal provider key

The target custody model does not depend on one provider-wide key that can decrypt every tenant’s vault.

Organization custody and quorum recovery

Explicit organization-custodian and multi-party recovery workflows are planned. They never turn an authentication password into recoverable data.

Customer-controlled and sovereign data planes

Managed, customer-controlled connected, and sovereign/offline profiles are designed target shapes, not generally available offerings. Each requires a validated package and explicit infrastructure, custody, update, recovery, observability, and support responsibilities.