Guide: Enabling Tide Backup and Offboarding
(Codename: Ragnarök)
Preparing the fan before its hit.
Tide Backup manages the safekeep and offboarding process for Tide-enabled realms in a secure, decentralized manner within TideCloak. When a realm is Tide-enabled, by using a Tide-IdP or Tide's Quorum-Enforced-Authorization, TideCloak is utilizing Tide Cybersecurity Fabric as its ultra-secure key vault, for all the users' and the realm's main keys. This backup allows the option to at any time offboard Tide and revert to the standard-security of local, centralized key management on TideCloak.
There are three key states to Tide Backup:
- Backup ON/OFF — Backups must be enabled for Tide Ineffable keys to be stored (encrypted) locally to allow the future option of triggering an offboarding.
- Triggered — The offboarding process has been requested and awaits admin approval.
- Offboarded — Once the quorum of admins approves, Tide Ineffable key fragments are decrypted locally on TideCloak, as all key action switch to local, centralized mode. The realm, at that point, is now detached and independant from Tide.
TL;DR
| Step | Action | Description |
|---|---|---|
| 1 | Enable Tide Backup | Ensure backup is ON before offboarding |
| 2 | Trigger Offboard | Initiate the offboarding request |
| 3 | Approve Change | Admin quorum required for finalization |
| 4 | Confirm Offboard | Complete process; realm authority moves to TideCloak |
| 5 | Re-login | Access restored using TideCloak credentials |
Pre-Requisites
Before proceeding with this feature it's important to understand the end state of the offboarding process. In particular ensure you have a method to automatically or manually contant affected users, as well as a suitable non-Tide TideCloak admin user who will inherit authority over the offboarded realm.
Consider this in the context of this pop-up window, which will appear at the very last step of the process:
-
Affected Users: The number of users to be impacted by offboarding realm.
-
SMTP Server:
- If not configured, you may manually email affected users to set a password to their de-Tidified account.
- If configured, TideCloak will automatically email affected users and request they set their password.
-
TideCloak Master Password:
- You must have a non-Tide TideCloak password set up to log back in to TideCloak once the offboarding process finalized. Unless changed or removed, it's the account used to set up TideCloak in the first place.
Without a master password, you may lose access to the realm with no way to recover it.
1. Enabling Tide Backup
Tide backup is enabled by default when a new Tide IdP is created. When it's disabled, you can turn it on manually:
- Navigate to Identity Providers
- Select Tide
- Toggle Backup Users ON
2. Triggering Offboarding
To initiate the Tide offboarding process:
- Go to Identity Providers → Tide
- Open the Actions dropdown
- Select Offboard
- Confirm by typing “CONFIRM OFFBOARDING”, then click Offboard
This only starts the offboarding process. A notification that a change request has been created will follow:
Review and approve the offboarding request:
- Go to Change Requests menu item:
- Under the Settings tab, locate the relevant request and proceed as per quorum approval process:
3. Finalizing the Tide offboarding process
To complete the offboarding process:
- The realm's quorum of admins must approve the change request.
- Once approved, the request can be committed to finalize the process.
4. Post-Offboarding
After offboarding is confirmed:
- A notification will confirm that the realm has been offboarded from Tide.
- The current session to the Admin Console will be terminated.
- Simply sign out and sign back in using your TideCloak Master credentials mentioned earlier.
