Trusted Tenant Relationships¶
Overview¶
The Trusted Tenant feature enables cross-tenant resource management without requiring separate authentication tokens or admin group membership for each tenant. Tenant administrators can delegate management privileges to other tenants through configurable trust relationships.
Use Cases¶
Trusted tenant relationships are useful when:
- Centralized Administration: A central IT team needs to manage multiple organizational tenants from a single admin account
- Managed Service Providers: External administrators manage client tenants without needing separate credentials
- Hierarchical Organizations: Parent organizations oversee subsidiary tenants while maintaining separation
- Shared Services: A shared services tenant manages resources across multiple business unit tenants
How It Works¶
When a trust relationship is established:
- Tenant B trusts Tenant A: Administrators of Tenant A can manage Tenant B's resources
- Single Authentication: Admins use their Tenant A credentials—no re-authentication needed
- Full Access: Trusted admins have the same capabilities as native tenant admins
Trust Relationship Direction¶
Trust relationships are unidirectional:
- If Tenant B trusts Tenant A, then Tenant A admins can manage Tenant B
- This does NOT mean Tenant B admins can manage Tenant A
- To enable bidirectional management, create trust relationships in both directions
Managing Trust Relationships¶
API Endpoints¶
All endpoints require tenant admin privileges and are under /auth/admin/tenants/{tenantId}:
| Method | Endpoint | Description |
|---|---|---|
PUT |
/trust-tenant/{trustedTenantId} |
Establish trust relationship |
DELETE |
/trust-tenant/{trustedTenantId} |
Remove trust relationship |
GET |
/manages-tenants |
List tenants managed by this tenant |
GET |
/managed-by-tenants |
List tenants that manage this tenant |
Examples¶
Establish trust (allow Tenant A admins to manage Tenant B):
Remove trust relationship:
List all tenants that Tenant A can manage:
List all tenants that can manage Tenant B:
Using the Authifi Admin UI¶
- Log in to the Authifi Admin UI as a tenant administrator
- Navigate to the target tenant's settings
- Select Trusted Tenants from the menu
- Add or remove trusted tenant relationships as needed
Security Considerations¶
Access Requirements¶
- Admin Privileges Required: Only tenant administrators can establish or remove trust relationships
- Identity Provider Validation: Users must authenticate via trusted identity providers
- Audit Logging: All cross-tenant access is logged with full context for compliance
Best Practices¶
- Principle of Least Privilege: Only grant trust to tenants that require cross-tenant management
- Regular Review: Periodically audit trust relationships and remove those no longer needed
- Document Relationships: Maintain records of why each trust relationship exists
- Monitor Access: Use audit logs to track cross-tenant administrative actions
Limitations¶
- Client Credentials Exclusion: Service-to-service authentication (client credentials flow) cannot use trusted tenant features—only user-based authentication is supported
- Admin-Only Access: The feature is limited to users with tenant administrator privileges
- Unidirectional Trust: Each trust relationship is one-way; bidirectional access requires two separate relationships
- Partial Endpoint Coverage: Some Authifi endpoints may not recognize trusted tenant relationships
Configuration¶
The Trusted Tenant feature requires no additional configuration:
- Enabled by default in all Authifi deployments
- No environment variables or settings changes needed
- Works with existing authentication infrastructure
Related Documentation¶
- Delegating Tenant Management to a Shared Tenant - Step-by-step guide for setting up delegation
- Authorization - General authorization concepts
- Admin Roles - Understanding administrator privileges