Virtual Trust Relationships
Overview
Xiid Virtual Trust Relationships provide a way to securely share resources between distinct domains.
Traditional Trust Relationships in Windows domains are lengthy, complicated, and require opening inbound ports and additional communication between the separate domains.
Virtual Trust Relationships eliminate complexity and risk by allowing a system administrator to share an SSO Portal (and specific resources within) with another domain without making any modifications to either domain.
Prerequisites
To set up a Virtual Trust Relationship, you must have:
- Two separate domains
- Two Xiid Management accounts
- An IM Agent deployed within each respective domain with each connected to a separate Xiid Management account (the two referenced above)
In addition, the IM Agents on both domains must use the same Request Collector.
Throughout this guide, we will use the following terminology:
| Term | Definition |
|---|---|
| Owner Domain | The source domain that shares resources with another domain |
| Trust Domain | The recipient domain that resources are shared with |
Configuring Virtual Trust
Adding a Trust Relationship
- Sign in to the Agent Configuration Portal for the Owner Domain.
- Switch "Advanced Mode" on and click the Trusts tab on the left side.
- On the Trusts page, a list of all current Trust Relationships is shown. These are the Trusts that the Owner Domain has established with other Trust Domains.
- Click the purple + Add Trust button in the top right corner.
- On the Add Trust screen, provide a "Description" for the Trust Relationship. We recommend that you include which domain or group of users you are trusting and what access you are granting.
- Provide the "Trusted Email" for the Trust Domain's account, which is the email address used as the username when signing in to the Management Portal for the Trust Domain's account.
- The "Trusted URL" must be filled out in two sections:
  - On the left side, enter the "nickname" tied to the Trust Domain's account. This nickname is set during onboarding. The account nickname can also be found in the SSO URL of the Trust Domain: it is the first part of the URL, before the Zone (see image below).
  - On the right side, enter the "Zone" tied to the Trust Domain. Similar to an Availability Zone in many cloud solutions, the Zone indicates which region the service is tied to. For most US customers, this will be us.xiid.im.
Here is a diagram outlining the construction of the SSO Portal URL. You can find your default SSO Portal URL on the Dashboard tab in the Management Portal.
- Click the "Portal" dropdown and select the Owner Domain SSO Portal that you would like to share with the Trust Domain.
- Review the information above and click the purple SAVE button. You will then be taken back to the Trusts screen and see your new Virtual Trust shown in the table.
- To enable the Trust Relationship from the Owner Domain side, click the purple + (plus) sign to the left of the new Trust Relationship, click the purple Edit Trust button, change the "Enabled" dropdown to Enabled, and then click the purple Save button.
Authorizing the Relationship
In order to allow the Trust Relationship, the System Administrator from the Trust Domain must also authorize the relationship in their environment.
- Click on the Trusts tab in the Agent Configuration Portal of the Owner Domain.
- Find the Trust Relationship you set up for the Trust Domain and click the purple + (plus) sign button on the left side.
- On the Trust Data screen, there are two purple buttons in the top right, Send Email and Copy to Clipboard.
  - If you click the Send Email button, an email will be sent to the Trusted Email provided in the previous step while setting up the Virtual Trust Relationship. The email will contain a "Virtual Trust Code" which will be used later.
  - If you click the Copy to Clipboard button, the "Virtual Trust Code" will be copied directly to your clipboard.
- Back on the Trust Domain, sign in to the Agent Configuration Portal and click the Applications tab on the left side.
- Find the Trust application card and click the purple Choose button.
- From the Trust Application List screen, click the purple + Add Application button in the top right.
- Provide a "Description" for the Trust Application. The Trust Application will be usable as a card in a Trust Domain SSO Portal that opens the shared SSO Portal with the authorized applications from the Owner Domain SSO Portal.
- In the "Portal" dropdown, select the SSO Portal that you would like to include the Trust Application card in.
- In the "Import" text field, paste the Virtual Trust Code provided by the Owner Domain in the step above.
- To fill the "Password" field, go back to the Owner Domain's Agent Configuration Portal and obtain the Transport Password from the Trust Data screen, above the Enabled property, as shown below.
- Click the Save button at the bottom after reviewing the information.
- From the Trust Application List screen, you will now see your new Virtual Trust application and its associated SSO Portal in the table.
- Click the purple Edit button to the left of the new Virtual Trust application.
- On the Edit Trust Application screen, there is a black Confirm button available near the bottom.
- Click the Confirm button and a new browser tab will open to a very long Virtual Trust URL.
- You should see the following JSON message: {"msgInfo": "OK"}. This means your Virtual Trust Relationship is verified and working.
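As an added example (not Xiid's own code), a small Python helper that splits an SSO Portal URL into the nickname and Zone halves of the Trusted URL field from the Adding a Trust Relationship steps, and checks the Confirm response described just above. The URL layout https://<nickname>.<zone>/..., the Zone allowlist and the nickname "acme" are assumptions, since the page shows only the Zone us.xiid.im and the JSON message.

```python
"""Added helper (not Xiid's code) for the two Trusted URL halves and the Confirm check."""
import json
from urllib.parse import urlsplit

# Assumed Zone allowlist: the page names only us.xiid.im. Add others as needed.
KNOWN_ZONES = ("us.xiid.im",)


def split_sso_portal_url(url: str) -> tuple[str, str]:
    """Return (nickname, zone) for the left and right Trusted URL fields.

    Assumes the SSO Portal URL looks like https://<nickname>.<zone>/...
    Rejects non-https URLs and hosts outside the known Zones, so a mistyped
    or look-alike host is caught before it is saved as a Trust.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https URL, got {url!r}")
    host = parts.hostname.lower()
    for zone in KNOWN_ZONES:
        suffix = "." + zone
        if host.endswith(suffix):
            nickname = host[: -len(suffix)]
            # The nickname is one DNS label; a dot means an unexpected host.
            if not nickname or "." in nickname:
                raise ValueError(f"unexpected host {host!r}")
            return nickname, zone
    raise ValueError(f"host {host!r} is not in a known Zone {KNOWN_ZONES}")


def trust_confirmed(body: str) -> bool:
    """True only if the Confirm response body is JSON with msgInfo == "OK".

    Non-JSON or any other msgInfo value is reported as not verified.
    """
    try:
        payload = json.loads(body)
    except ValueError:
        return False
    return isinstance(payload, dict) and payload.get("msgInfo") == "OK"


if __name__ == "__main__":
    # Constructed sample values; "acme" is a made-up nickname.
    print(split_sso_portal_url("https://acme.us.xiid.im/portal/default"))
    print(trust_confirmed('{"msgInfo": "OK"}'))
```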
Granting Access to Virtual Trust Applications
At this point, end-users in the Trust Domain with relevant access may use a Virtual Trust card in their SSO portal that points to an SSO Portal of the Owner Domain.
If the user clicks that card, a new tab will be opened to the shared SSO Portal allowed by the Owner Domain.
Resources can be added for shared access by following these steps:
- Sign in to the Agent Configuration Portal in the Owner Domain and click the Trusts tab on the left side.
- Find the Virtual Trust Relationship you set up to the Trust Domain in the previous steps and click the purple + (plus) button on the left.
- From the Trust Data screen, click the purple + Add Application button in the top right.
- On the Add Application screen, you will see a list of the available applications from that SSO Portal.
- Check the boxes next to the Applications you would like to share with the Trust Domain and click the purple Save button on the left side.
You will be taken back to the Trust Data screen where you will see the Applications you selected on the right side under Applications Enabled.
You can click the red X to the left of any application to remove access to it.