Cross-Domain Users & Authentication
In Vault, user accounts exist within a single domain. By setting up cross-domain users, Admins can grant a user access to vaults on a different domain without creating a new user account. For example, Admins in VeePharm’s vault could set up CTMS users as cross-domain users. These users would exist in their CTMS vault, which would be on their “home” domain, but would also be able to access the CDMS vault on the VeePharm domain in order to view casebooks. For groups that work with many different companies, this saves users from having to manage several different Vault login accounts.
Cross-domain users can log in to any vault they have access to using their existing home domain login credentials or using SSO with their corporate IdP. Cross-domain users navigate to any vault they have access to via the vault selector drop-down menu or the My Vaults page.
How to Create Cross-Domain Users
To create a cross-domain user:
- In the Add Existing User dialog, enter the user’s full user name in the User name field.
- Select the License Type and Security Profile. Vault auto-fills the remaining required profile fields based on the existing user information from the home domain. Note that Vault automatically assigns the Cross Domain Security Policy for the new user.
Cross-Domain User Authentication
The login authentication process depends on whether the cross-domain user has a password or an SSO security policy in their home domain.
Password User Authentication
Cross-domain users with a password security policy in their home domain can access a cross-domain vault through their existing home domain using their login credentials. If the user logs in through the default login page, they can access vaults in a cross or home domain from the vault selector drop-down menu or the My Vaults page. During an active login session, cross-domain users can navigate between cross-domain and home-domain vaults without having to re-enter their login credentials.
SSO User Authentication
Cross-domain users with an SSO security policy on their home domain can access a cross-domain vault through their existing home domain using their corporate IdP credentials. If a user logs into a cross-domain vault for the first time, Vault prompts them to enter their user name before redirecting to their corporate IdP. Once the user logs in successfully through their IdP, the user can access the specified cross-domain vault.
If a cross-domain user logs in through the default login page, they can access vaults in a cross or home domain from the vault selector drop-down menu or the My Vaults page. During an active session, cross-domain users can navigate between cross-domain and home-domain vaults without having to re-enter their login credentials.
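The following is an added illustration, not Veeva's code, that models the two behaviours described above in one place: the Add Existing User step (a cross-domain record that takes its profile fields from the home-domain account and is assigned the Cross Domain Security Policy) and the login decision, which is driven by the home domain's security policy rather than anything stored on the target domain. Every class, function and sample value is an assumption chosen to mirror the help text.

```python
"""Simplified model of Vault cross-domain users and their login flow.

Added illustration, not Veeva's code: the names below are assumptions and the
only behaviour modelled is what the help text states.
"""
from dataclasses import dataclass

# Policy name as stated in the help text; Vault assigns it automatically.
CROSS_DOMAIN_POLICY = "Cross Domain Security Policy"


@dataclass(frozen=True)
class Account:
    user_name: str          # full user name, e.g. "jdoe@ctms.example" (constructed)
    domain: str             # domain on which this account record lives
    security_policy: str    # "password", "sso", or CROSS_DOMAIN_POLICY
    license_type: str
    security_profile: str
    full_name: str          # stands in for the profile fields Vault auto-fills


def add_existing_user(home: Account, target_domain: str,
                      license_type: str, security_profile: str) -> Account:
    """Model of the Add Existing User dialog.

    The admin supplies the user name, License Type and Security Profile; the
    remaining profile fields are copied from the home-domain record, and the
    new record gets the cross-domain security policy. No credentials are
    created on the target domain: authentication stays with the home domain.
    """
    if home.domain == target_domain:
        raise ValueError("account already exists on this domain; "
                         "no cross-domain record is needed")
    return Account(
        user_name=home.user_name,
        domain=target_domain,
        security_policy=CROSS_DOMAIN_POLICY,
        license_type=license_type,
        security_profile=security_profile,
        full_name=home.full_name,
    )


def login_steps(home: Account, target_domain: str,
                session_active: bool, first_cross_domain_login: bool) -> list[str]:
    """Ordered steps Vault performs when the owner of `home` opens a vault on
    `target_domain`. The decision is made from the HOME domain's policy."""
    if session_active:
        # An active session carries across home and cross-domain vaults,
        # so no credentials are requested again.
        return ["grant"]
    if home.security_policy == "password":
        return ["prompt_home_credentials", "grant"]
    if home.security_policy == "sso":
        steps = []
        # First login to a cross domain: Vault asks for the user name so it
        # can work out which corporate IdP to redirect to.
        if target_domain != home.domain and first_cross_domain_login:
            steps.append("prompt_user_name")
        steps += ["redirect_to_home_idp", "grant"]
        return steps
    raise ValueError(f"unknown home-domain security policy: {home.security_policy}")


if __name__ == "__main__":
    # Constructed sample: a CTMS user on the "ctms" home domain with SSO.
    ctms_user = Account("jdoe@ctms.example", "ctms", "sso",
                        "Full User", "Business Admin", "Jane Doe")
    cross = add_existing_user(ctms_user, "veepharm", "Read Only", "Read Only User")
    print(cross)
    print(login_steps(ctms_user, "veepharm", session_active=False,
                      first_cross_domain_login=True))
```

Reading the model as a defender: the target domain never holds a password or IdP binding for the cross-domain user, so disabling or changing the account on the home domain is the single control point for that user's access everywhere.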
Admins with the Admin: Users permission can access user management options and create cross-domain users.
Does a trust need to be set up between a home domain and a cross-domain before cross-domain users can be created?
No. The ability to create cross-domain users is enabled by default on all domains.
Do cross-domain users log in through a specific vault, a domain, or the Vault platform?
Cross-domain users log into their home domain, but the session is vault-specific. The My Vaults page, if enabled, is served from the cross-domain user’s vault on their home domain.