Trust plane and data plane are separable
Federated Trust is designed to coordinate identity, application registration, policy, and delegation while protected business data remains in a deployment selected for that organization. These profiles are not generally available yet.
Provider-hosted
The designed managed profile reduces operational burden while retaining tenant boundaries, scoped support, and export responsibilities.
Customer-controlled
The designed connected profile places the data store and key services in infrastructure controlled by that customer, with typed service interfaces rather than unrestricted database coupling.
Isolated and sovereign
A sovereign or offline profile requires a validated deployment package, local key custody, bounded offline policy and revocation, rollback protection, secure time, recovery drills, and explicit update, observability, and support responsibilities.
Managed, customer-controlled connected, and sovereign/offline profiles are designed target shapes, not generally available offerings. Each requires a validated package and explicit infrastructure, custody, update, recovery, observability, and support responsibilities.
Support access is a grant, not an operator privilege
Explicit appointment
The designed model lets a customer appoint a service provider or partner to administer a defined resource set without granting platform-wide authority.
Least privilege
Support access should be scoped, time-bound where practical, attributable to a named actor or workload, reviewable, and revocable.
Local final deny
Every conforming customer-controlled service or vault must retain the final policy check before protected data is returned or changed.
Explicit, scoped, expiring, reviewable support authority is implemented as a reference contract and test substrate, but general Federated Trust service enforcement is still designed work.
Local audience, tenant, revision, revocation, and resource-policy enforcement is a required design contract; conformance must be proven for each relying service.
Enterprise connections need named protocol profiles
Federation and lifecycle standards are configured per connection; a platform name alone does not prove every flow or provisioning behavior.
OIDC connections
OpenID Connect-oriented enterprise connection and issuer surfaces have limited implementation evidence; tenant pinning, assignment, claims, recovery, and lifecycle remain connection-specific.
SAML
SAML 2.0 is a planned enterprise federation profile and is not represented as generally available.
SCIM
SCIM 2.0 user and group provisioning is planned, including explicit ownership, reconciliation, deprovisioning, and evidence responsibilities.
Issuer metadata, ID-token, JWKS, and UserInfo-oriented surfaces have focused implementation evidence. No OpenID certification or universal flow/profile claim is made.
SAML 2.0SAML enterprise federation is a planned connection profile. No generally available SAML service-provider or identity-provider conformance is claimed.
SCIM 2.0 (RFC 7643 and RFC 7644)SCIM user and group lifecycle provisioning is planned. No generally available SCIM schema or protocol conformance is claimed.
Business recovery must be chosen and disclosed
An organization may need authorized custodians to recover business-owned vault items created by employees. That requires encryption-key custody—not password peppering—and should be visible to every affected user.
Named custodians
Recovery authority belongs to a defined organization role or approval quorum, never every administrator by implication.
BYOK is customer-managed, not automatically provider-blind
In a BYOK profile, the customer manages the key, but the service runtime may still be authorized to invoke unwrap. BYOK alone is not a zero-knowledge claim.
HYOK keeps unwrap authority with the customer
A validated HYOK profile keeps unwrap authority in the customer-controlled key service and gives the provider runtime no unwrap path. Sovereign profiles use a local KMS or HSM under the same rule.
No universal provider key
The target custody model does not depend on one provider-wide key that can decrypt every tenant’s vault.
Explicit organization-custodian and multi-party recovery workflows are planned. They never turn an authentication password into recoverable data.
Managed, customer-controlled connected, and sovereign/offline profiles are designed target shapes, not generally available offerings. Each requires a validated package and explicit infrastructure, custody, update, recovery, observability, and support responsibilities.