VVirtualDojoTrust Center
Trust Center / Secure Configuration Guide

Secure Configuration Guide

VirtualDojo AI CRM — FR2615441197

Document Metadata
Document ID VDJ-SCG-001
Document Title Secure Configuration Guide
FedRAMP 20x Rules Satisfied SCG-CSO-RSC (Recommended Secure Configuration), SCG-CSO-AUP (Use Instructions), SCG-CSO-PUB (Public Secure Configuration Guidance), SCG-CSO-SDF (Secure Defaults)
Related Controls AC-1, AC-2, AC-3, AC-6, AC-6(5), AC-7, AC-11, AC-12, AC-17, AU-1, AU-2, AU-6, AU-11, IA-1, IA-2, IA-2(1), IA-5(1), IA-8, SC-7, SC-8
System Name VirtualDojo AI CRM
Authorization Level FedRAMP 20x Certification, Class C
Document Version 1.0
Effective Date July 1, 2026
Next Review Date July 1, 2027
Classification Public
Audience Agency tenant administrators, agency ISSOs, and any VirtualDojo AI CRM administrative/privileged account holder
Prepared By Devin Henderson, CEO / ISSO
Approved By Devin Henderson, CEO / ISSO

Front Matter: Scope and Rule Coverage

This guide is VirtualDojo's Secure Configuration Guide as required by the FedRAMP 20x Consolidated Rules Secure Configuration Guidance (SCG) ruleset. It is written for the people who will actually operate a VirtualDojo AI CRM tenant — agency tenant administrators, ISSOs, and anyone holding a top-level administrative or privileged account — not for FedRAMP assessors. It satisfies:

Rule Requirement How this guide satisfies it
SCG-CSO-RSC MUST create, maintain, and make available a Secure Configuration Guide covering top-level admin account setup/decommission, security-relevant settings only top-level admins can operate, and (recommended) settings privileged accounts can operate Sections 2–7 below cover initial admin provisioning and decommissioning, the security-relevant settings gated to the superadmin role, and the settings available to the admin role
SCG-CSO-AUP MUST include instructions in the Certification Package on how to obtain and use this guide Section 1.2
SCG-CSO-PUB SHOULD make the guide publicly available Section 1.3 — published at https://trust.virtualdojo.com/secure-configuration-guide, no login required
SCG-CSO-SDF SHOULD ship top-level admin and privileged accounts with secure defaults out of the box Section 7 documents what ships secure by default versus what a tenant admin must actively configure

The optional enhanced-capability items (SCG-ENH-*) are tracked in Section 9 (Enhanced Capabilities Roadmap), which states the current status of each — some are implemented today and others are on the roadmap.

1.1 Relationship to Other Package Documents

This guide is a distillation of controls that are documented in full elsewhere in the FedRAMP Certification Package. Where this guide says "configure X," the underlying control implementation, evidence, and verification procedure are documented in:

If any statement in this guide appears to conflict with those documents, the control implementation documents govern; this guide is the summarized, customer-facing operational version and is updated whenever the underlying configuration changes.

1.2 How to Obtain This Guide (SCG-CSO-AUP)

This guide is included as a named artifact in the VirtualDojo FedRAMP 20x Certification Package (this file, Secure Configuration Guide / its signed PDF rendering in the signed certification package) and is also published independently of the certification package at the public URL in Section 1.3. Agencies evaluating or onboarding to VirtualDojo AI CRM should:

  1. Read this guide before assigning the first top-level administrator account for their tenant.
  2. Complete the initial admin setup steps in Section 2 and record completion in the agency's own onboarding checklist.
  3. Re-read Section 7 (Secure Defaults) whenever VirtualDojo publishes a Significant Change Request (SCR) that touches authentication, session, or access-control behavior — SCRs are announced via the Trust Center (https://trust.virtualdojo.com) and to the tenant's registered admin contact.
  4. Direct configuration questions to security@virtualdojo.com.

1.3 Public Availability (SCG-CSO-PUB)

This guide is published at https://trust.virtualdojo.com/secure-configuration-guide, hosted on the VirtualDojo Trust Center. It does not require an account, a customer relationship, or an NDA to view — it is intended to be readable by prospective agency customers during procurement evaluation, not only by existing tenants. The Trust Center copy is kept in sync with the version in the signed Certification Package; the Certification Package version is authoritative in case of a discrepancy pending republication.


2. Top-Level Administrative Accounts

2.1 What a Top-Level Administrator Is

In VirtualDojo AI CRM, the top-level administrative role is superadmin. A superadmin account controls enterprise-wide access to the entire tenant: it can create and remove other admins, change tenant-wide security settings, configure SSO/federation trust, and read the full audit log. There is exactly one class of account with this scope per tenant; VirtualDojo strongly recommends limiting the number of live superadmin holders to the minimum needed for continuity (typically 2, so a single person's unavailability does not block emergency access changes).

superadmin is distinct from the admin role, which is a privileged-but-scoped role (see Section 3) — an admin manages users and day-to-day settings within the tenant but cannot alter the settings enumerated in Section 2.4.

2.2 Provisioning a New Top-Level Administrative Account

  1. The account must be created under the agency's own identity provider tenant (Entra ID, ADFS, or another SAML 2.0 / OIDC IdP), not as a VirtualDojo-local credential. VirtualDojo AI CRM authenticates agency users exclusively via federated SSO (SAML 2.0 Web Browser SSO, with OIDC also supported) — see Authentication and Federation Procedures Section 9 for the full federation architecture. There is no username/password login path for agency accounts.
  2. Complete federation onboarding once per agency tenant (VirtualDojo configures your IdP as a trusted issuer, exchanges SP/IdP metadata, and validates a test authentication). Federation onboarding is coordinated with security@virtualdojo.com and is documented in Authentication and Federation Procedures Section 9.6.1.
  3. Within your own IdP, ensure the intended superadmin user is a member of the SAML/OIDC group your agency has mapped to the superadmin role during onboarding (see the groups claim mapping in Authentication and Federation Procedures Section 9.4). Role assignment is driven by your IdP group membership, not by a separate VirtualDojo user-management step — this means your agency's own access-approval workflow for that group is what actually grants superadmin.
  4. Require your IdP to enforce phishing-resistant MFA (FIDO2 security key or PIV/CAC certificate-based authentication) for any account in the superadmin-mapped group. VirtualDojo cannot enforce a stronger authenticator than what your IdP asserts, so this step is the customer's responsibility — see Section 3 of this guide and Section 4 (Conditional Access baseline) for the specific policy to apply.
  5. On first successful federated sign-in, VirtualDojo provisions the account via Just-In-Time (JIT) provisioning and assigns the role indicated by the groups claim. If no group claim maps to superadmin, the account is provisioned at the most restrictive role (Read-Only) and must be manually elevated — VirtualDojo will not silently grant top-level access to an unmapped account.
  6. Verify the new superadmin account by having it sign in and confirm it can reach Tenant Settings → Administration in the application UI. Record the verification in your agency's onboarding checklist.

2.3 Decommissioning a Top-Level Administrative Account

  1. Remove the user from the superadmin-mapped group in your own IdP. This is the primary and immediate control — the next time VirtualDojo re-validates the SAML/OIDC session or the user's assertion is re-issued, the elevated role claim is gone.
  2. Revoke the user's active session at the IdP (e.g., Entra ID "Revoke Sessions") so any live token cannot continue to assert the old group membership until natural expiry.
  3. Notify security@virtualdojo.com so VirtualDojo can confirm the UserSSOConnection record's is_active flag is set to false if the user is leaving the agency entirely (as opposed to only losing superadmin scope).
  4. If the departure is involuntary or security-relevant, treat it as an incident per your agency's own process and notify VirtualDojo immediately rather than waiting for the next scheduled access review — VirtualDojo's quarterly non-organizational user access review (Authentication and Federation Procedures Section 9.6.2) is a backstop, not a substitute for prompt customer-side deprovisioning.
  5. Confirm decommissioning by reviewing the tenant's admin audit log (Section 6) for the role-removal event and confirming no further sign-ins occur from that account.

2.4 Security-Relevant Settings Gated to superadmin

The following settings can only be viewed or changed by a superadmin account. Each carries a security implication an agency should understand before changing it:

Setting Location Security Implication
SSO/federation trust configuration (IdP metadata, signing certificate, attribute mapping) Tenant Settings → Administration → Identity Federation Determines which IdP(s) can authenticate users into your tenant and how SAML/OIDC claims map to roles. A misconfigured or overly permissive attribute mapping (e.g., mapping too broad a group to superadmin) directly expands your privileged-account population.
Role-to-group mapping Tenant Settings → Administration → Identity Federation → Role Mapping Controls which IdP groups map to superadmin, admin, Manager, User, and Read-Only. This is the actual access-control boundary for your tenant since role assignment is claims-driven (Section 2.2, step 3).
Tenant-wide session and re-authentication policy (see Section 4.3) Tenant Settings → Administration → Security Sets the maximum session lifetime and inactivity timeout enforced by the application in addition to whatever your IdP enforces. Loosening this increases the window an unattended, authenticated session can be misused.
Network access restrictions (IP allow-listing, see Section 5) Tenant Settings → Administration → Network Security Restricts which source networks can reach your tenant's data at the application layer. Removing restrictions expands your externally reachable attack surface.
Audit log export and retention configuration (see Section 6) Tenant Settings → Administration → Audit & Compliance Controls where your tenant's audit trail is exported to and how long it is retained in application storage before rolling off (independent of VirtualDojo's own 400-day Cloud Logging retention). Reducing retention or disabling export reduces your agency's own forensic and compliance evidence.
API key issuance for tenant-wide integrations Tenant Settings → Administration → API Access Long-lived API keys with tenant scope are a standing credential. Only superadmin can mint or revoke them.
User and role deletion (bulk) Tenant Settings → Administration → Users Bulk deprovisioning actions are restricted to superadmin to prevent an admin account from mass-removing accounts, including other admins.

2.5 Security-Relevant Settings Available to Privileged (admin) Accounts

admin accounts are privileged but scoped: they manage day-to-day tenant operation without the tenant-wide authority described above.

Setting Location Security Implication
Individual user role assignment (within roles below superadmin) Users → [user] → Role Assigning admin to a user materially expands who can see and act on other users' records and settings below tenant-wide scope; least-privilege role assignment is a customer responsibility (see Customer Responsibility Matrix AC-6(5)).
Per-user MFA re-enrollment / session revocation Users → [user] → Security Lets an admin force a suspected-compromised user to re-authenticate and re-register MFA. Useful first-response action; also a capability that should itself be audit-logged and reviewed (it is — see Section 6).
Data export configuration for their own scope Reports / Data → Export Controls who can pull bulk data out of the tenant. Overly broad export permission granted to admin-managed users is a common data-exfiltration risk vector.
Audit log viewing (read-only) Audit Log admin can view but not delete or reconfigure retention; only superadmin can change retention/export settings (Section 2.4).

3. Required MFA for Administrative and Privileged Accounts

VirtualDojo AI CRM does not offer a local username/password login for agency users — every sign-in is federated through the agency's own IdP (Section 2.2), and MFA enforcement for superadmin and admin accounts is therefore primarily your IdP's responsibility, with VirtualDojo enforcing a floor:

Priority Method Why
1 (required for superadmin) FIDO2 security key, or PIV/CAC certificate-based authentication Phishing-resistant; PIV/CAC additionally satisfies HSPD-12 for federal personnel
2 (acceptable for admin) Authenticator app with number matching Mitigates MFA-fatigue push attacks; not phishing-resistant
Prohibited SMS OTP, voice call OTP, email OTP Restricted authenticators per NIST SP 800-63B; VirtualDojo's acceptance criteria explicitly reject agencies relying on these alone (Authentication and Federation Procedures Section 11.3)

If your agency cannot demonstrate AAL2-equivalent MFA enforcement during federation onboarding, VirtualDojo will not activate the federation trust until it is remediated (Authentication and Federation Procedures Section 11.5.2).


4. Entra Conditional Access Baseline (For Entra ID Customers)

Most current VirtualDojo AI CRM agency tenants federate from Microsoft Entra ID. If your agency uses Entra ID as its IdP, verify the following Conditional Access baseline is applied to the VirtualDojo AI CRM enterprise application before onboarding any superadmin or admin account. These are the same baseline settings VirtualDojo itself applies to its own Entra ID tenant for administering the platform (Identification and Authentication Policy, Access Control Policy), offered here as the recommended customer-side configuration:

4.1 Policy: Require MFA for All Users

4.2 Policy: Require Phishing-Resistant MFA for Privileged Roles

4.3 Policy: Device Compliance for Administrative Access

4.4 Application-Level Session Controls (VirtualDojo-Enforced)

Independent of whatever your IdP's session-frequency policy is set to, VirtualDojo AI CRM enforces its own session ceiling so that a long-lived IdP session cannot translate into an indefinitely long application session:

Setting Enforced Value Configurable by Customer?
Maximum session lifetime 8 hours No — platform-enforced floor; ships as the secure default
Inactivity/idle timeout 15 minutes (locks session, requires re-authentication) No — platform-enforced floor; ships as the secure default
Step-up MFA for privileged actions Required regardless of session age No — platform-enforced
Tenant-configurable stricter session policy superadmin may set a shorter max session or idle timeout than the platform default Yes — Tenant Settings → Administration → Security (Section 2.4); the platform default is a ceiling, not a customer-adjustable maximum

VirtualDojo recommends agencies leave the Entra ID sign-in-frequency setting at or below 12 hours for standard users and 1 hour for privileged roles even though the application enforces its own tighter ceiling — defense in depth means a compromised or misconfigured application session control should not be the only backstop.


5. Network Access Restrictions

VirtualDojo AI CRM is an internet-facing SaaS application (https://app.virtualdojo.com) — there is no customer-managed network perimeter in front of it in the traditional sense, but the following customer-configurable restrictions are available:

Control Where Configured Notes
Tenant IP allow-listing Tenant Settings → Administration → Network Security (superadmin only, Section 2.4) Restricts application-layer sign-in to a customer-specified list of source IP ranges (e.g., agency VPN egress ranges or Windows 365 Cloud PC egress ranges). Sign-ins from outside the allow-list are rejected before authentication is attempted. Recommended for agencies with a defined egress footprint.
IdP-side named-location Conditional Access Your Entra ID tenant Independent of the VirtualDojo-side allow-list, your agency can also restrict which named locations are permitted to complete authentication against your own IdP for the VirtualDojo enterprise application — this is the customer's own control and is enforced before VirtualDojo ever sees the sign-in attempt.
TLS enforcement Platform-enforced, not customer-configurable All traffic to app.virtualdojo.com requires TLS 1.2 minimum (TLS 1.3 preferred); TLS 1.0/1.1 and legacy cipher suites are not offered. See Authentication and Federation Procedures Section 8.3 for the exact cipher suite list.
API access network restriction Tenant Settings → Administration → API Access API keys can optionally be bound to a source IP allow-list at issuance time, limiting where a leaked key could be used from.

VirtualDojo does not offer customer-managed WAF rule authoring or a customer-facing firewall console — the application-layer allow-list above is the supported network restriction mechanism. Agencies requiring network-layer controls beyond this should implement them at their own egress point (e.g., forcing all agency traffic to VirtualDojo through an agency-managed proxy/VPN and then allow-listing only that egress range).


6. Audit Logging Configuration Available to Customers

VirtualDojo AI CRM logs authentication events, privileged actions, role changes, and data export/access events to an application-level audit log, which is layered on top of VirtualDojo's own GCP Cloud Logging pipeline (400-day retention at the platform level, per Customer Responsibility Matrix AC-2(12)). Customer-facing configuration options:

Option Location Description
In-app audit log viewer Audit Log (available to admin read-only, full control for superadmin) Searchable/filterable view of authentication events, role/permission changes, user provisioning/deprovisioning, and data export events for your tenant only (tenant-isolated; you cannot see other tenants' logs and they cannot see yours)
Export format Audit Log → Export CSV or JSON export of a selected date range, for import into your own SIEM or compliance reporting pipeline
Automated export / SIEM integration Tenant Settings → Administration → Audit & Compliance (superadmin only) Configure a recurring export destination (webhook or scheduled pull) so your agency does not depend on manual export
In-app retention window Tenant Settings → Administration → Audit & Compliance (superadmin only) Configure how long audit events remain queryable in the application UI before rolling off; this is independent of (and shorter than or equal to) VirtualDojo's own 400-day platform-level Cloud Logging retention, which is not customer-configurable and serves as the forensic backstop even if a tenant shortens its in-app window
Immutability Not customer-configurable Audit log records cannot be edited or deleted via any role, including superadmin — there is no update/delete API for audit records (Customer Responsibility Matrix AU-9)

VirtualDojo recommends weekly review of the audit log at minimum, and provides a standardized checklist your reviewer can adapt — see Audit Log Review Checklists for the schedule and check items VirtualDojo's own ISSO uses internally (daily/weekly/monthly cadence, specific things to look for such as new-IP logins, privilege escalation events, and bulk data export).


7. Secure Defaults (SCG-CSO-SDF)

This section states plainly what ships secure out of the box for a newly onboarded tenant, versus what requires active customer configuration. Nothing in the "customer must configure" column is unsafe left alone — it simply is not something VirtualDojo can set on the customer's behalf because it depends on the customer's own IdP or organizational policy.

7.1 Ships Secure by Default (No Customer Action Required)

Setting Default Rationale
Local username/password login Disabled — federation-only Eliminates an entire class of credential-stuffing and password-reuse risk for agency accounts
Application session maximum lifetime 8 hours Prevents indefinite sessions regardless of IdP session policy
Application inactivity timeout 15 minutes Limits exposure from an unattended, authenticated device
New non-organizational user default role (no group claim mapped) Read-Only (most restrictive) JIT-provisioned users are never silently granted elevated access; VirtualDojo notifies the tenant superadmin for manual review within 24 hours
TLS configuration TLS 1.2 minimum, FIPS-approved cipher suites only Not adjustable by any role — platform-enforced
Audit log immutability No update/delete path for audit records, at any role Guarantees a tamper-evident record regardless of tenant configuration
Assertion replay protection SAML/OIDC assertion IDs single-use, cached for the assertion lifetime Prevents replay of a captured assertion even if other controls are misconfigured
Password complexity, history, and breached-password blocking for any VirtualDojo-managed credential (e.g., break-glass accounts) 14-character minimum, 24-password history, global + custom banned-password list, 10-attempt/30-minute smart lockout Matches VirtualDojo's own internal Entra ID policy (Identification and Authentication Policy); applies to any VirtualDojo-side credential, not to federated agency accounts which have no VirtualDojo-managed password

7.2 Requires Active Customer Configuration

Setting Why VirtualDojo Cannot Default This
MFA enforcement and method Enforced at your IdP, which VirtualDojo does not control (Section 3)
Role-to-group mapping Depends entirely on your agency's own group structure (Section 2.2)
Device compliance requirement Depends on your agency's MDM/Intune enrollment (Section 4.3)
Network/IP allow-listing Depends on your agency's egress topology (Section 5)
Audit log export destination and in-app retention window Depends on your agency's SIEM/compliance requirements (Section 6)
API key issuance and scoping Depends on what integrations your agency actually needs

7.3 Verifying Secure Defaults Are in Place

Use this checklist during onboarding and at each annual access review:

  1. Confirm no local username/password authentication path exists for your tenant (attempt to reach a non-federated login form for app.virtualdojo.com — none should be reachable).
  2. As superadmin, navigate to Tenant Settings → Administration → Security and confirm the session lifetime and idle timeout fields show 8 hours / 15 minutes or a customer-tightened value — never a value greater than the platform ceiling (the UI will not accept a looser value).
  3. Review the Users list and confirm no account holds superadmin or admin that is not mapped through your IdP's group claims (Section 2.2, step 3) — every privileged account should trace back to an entry in your own IdP's group membership, not a VirtualDojo-local grant.
  4. Pull a sample of recent JIT-provisioned users from the Audit Log and confirm each was provisioned at Read-Only pending review, not at an elevated role.
  5. Confirm TLS 1.0/1.1 are not negotiable against app.virtualdojo.com (e.g., nmap --script ssl-enum-ciphers or an equivalent external scanner) — this should always fail to downgrade regardless of tenant configuration.
  6. Document the verification results in your agency's own onboarding or annual review record.

8. Getting Help

Need Contact
Federation onboarding, role-mapping setup security@virtualdojo.com
Suspected security incident involving your tenant security@virtualdojo.com (immediate)
General configuration questions about this guide security@virtualdojo.com
Trust Center / authorization package access https://trust.virtualdojo.com

9. Enhanced Capabilities Roadmap (SCG-ENH-*, Not Yet Implemented)

The FedRAMP 20x Consolidated Rules define a set of optional, enhanced-capability SHOULD items beyond the baseline Secure Configuration Guide requirements. VirtualDojo does not currently implement any of the following. They are listed here for transparency and roadmap visibility only — none of the capabilities below exist in the product today, and this guide will be updated (with a version bump, see the document metadata table) if and when any of them ship.

Rule Capability Status
SCG-ENH-CMP Compare all current top-level admin/privileged settings against the recommended secure defaults, in-app Not implemented. Today, verification of secure defaults is manual (Section 7.3 checklist).
SCG-ENH-EXP Export all security settings in a machine-readable format Implemented. Security settings are retrievable in machine-readable (JSON) form via VirtualDojo's administrative API and the VirtualDojo CLI (see SCG-ENH-API), in addition to the audit-log export in Section 6.
SCG-ENH-API View and adjust security settings via an API Implemented. Security settings can be viewed and adjusted programmatically via VirtualDojo's administrative API and the VirtualDojo CLI, in addition to the application UI (Sections 2–6). API documentation is available in the admin console after signing in at app.virtualdojo.com.
SCG-ENH-MRG Provide this Secure Configuration Guide itself in a machine-readable format for automated comparison against current settings Not implemented. This guide is published only as human-readable Markdown/PDF.
SCG-ENH-VRH Versioning and release history for recommended secure defaults as they change over time Partially addressed structurally (this document carries a version and effective date in its metadata table, and changes to defaults are announced via Trust Center SCR notices per Section 1.2), but there is no dedicated, queryable release-history log of default-setting changes distinct from the general SCR process. Treated as not implemented until a purpose-built history view exists.

Questions or feature requests related to this roadmap can be sent to security@virtualdojo.com.


Document Revision History

Version Date Author Description
1.0 July 1, 2026 Devin Henderson Initial release, satisfying SCG-CSO-RSC, SCG-CSO-AUP, SCG-CSO-PUB, and SCG-CSO-SDF for the FedRAMP 20x Certification Package