Set up organization via directory trust

You can use directory trust to authenticate your users against a domain already claimed by another organization.

Directory trusting

Only one organization at a time can claim a domain's ownership. Thus, consider the following scenario:

A company, Geometrixx, has multiple departments, each of which has its own unique Admin Console. Also, each department wants to use Federated user IDs, all using the geometrixx.com domain.  Each department's system administrator would want to claim this domain for authentication.

The Admin Console prevents a domain from being added to multiple organizations' Admin Console. However, once added by a single department, other departments can request access to the directory to which that domain is linked on behalf of their organization's Admin Console.

Directory trusting allows a directory owner organization to trust other requesting organizations (trustees). After this, trustee organizations in the Admin Console can add users to any domain within the trusted directory.

To summarize, you must add a domain if you plan to use Enterprise ID or Federated ID on your Admin Console. If another organization has already added this domain, you must request trustee access to the directory containing this domain. However, when the trustee organization adds users to the trusted domains, they are authenticated based on the owning organization's identity management.

To request access to a directory, follow the steps in Add domains to directories.

Výstraha:
  • As an owner of a directory, if you approve an access request for a directory, the trustee organization will have access to all domains linked to the directory, as well as any domains linked to that directory in the future. So planning the domain-to-directory linking is essential as you set up the identity system in your organization.
  • Before adding, requesting, revoking, or withdrawing a trust request, we strongly recommend that you export a user list from the Admin Console or Consoles involved prior to making changes. This list will provide a snapshot of all user data, including name, email, assigned product profiles, and assigned admin roles in case you need to roll back.
  • There are specific steps to migrating a domain that includes a trust relationship. You should not revoke a trust relationship when migrating a trusted domain to prevent the loss of user account and product access in the trustee’s organization.

Domain trustee (Requesting organization)

Follow the process below if you want to request access to a directory owning your desired domain:

Domain owner (Owning organization)

When you get an email request for access to a directory you own, you can accept or reject the request from the email itself. Or, navigate to the Access request tab in the Admin Console to manage claim requests.

Directory trusting - Common questions

Získajte pomoc rýchlejšie a ľahšie

Nový užívateľ?