Loading

Security Center: Error "We couldn't connect to your child tenant. Failed to add trust relationship in child tenant" When Disconnecting Parent and Child Orgs

게시 일자: Apr 16, 2026
상세 설명

Security Center allows organizations to manage relationships between a parent (master) org and one or more child orgs through Security Hub. When these relationships need to be removed, the Salesforce REST API provides dedicated endpoints to disconnect orgs programmatically. For example, an administrator may need to remove a child org from a Security Center tenant or detach a child org from its parent org entirely. Each disconnect operation must be executed from the correct org either the parent or the child — depending on which side of the relationship you are acting on.

Available Editions:
Enterprise, Unlimited, and Developer
Terminology:
  • Parent org and master org are the same role. The REST API uses master in URLs and parameter names (e.g., master-org, masterOrgId). This document uses parent in explanations and master where it matches the API.
  • Child org is named child in the API (child-org, childOrgId).
Where Each Call Must Be Executed:
Calls use the authenticated user's org (the org whose session or OAuth token you use). Each operation must be run from the correct org:
 
What you want to do
Run the API from this org
Remove a child from the relationship (disconnect a specific child from the parent)
Parent org
Remove the parent from the relationship (disconnect this org from its parent)
Child org
 
If the call is executed from the wrong org, it will not apply to the relationship you intend.
Prerequisites:
 
The signed-in user must have permissions to manage Security Center / Security Hub and org relationships. Use a valid OAuth access token or session for the org you are acting as (parent or child).
솔루션

The following REST API calls can be used to manage Security Hub org relationships. All calls require API version 224 or newer.

Get Org Relationships (Call from the Org You Want to Inspect):

Use this to read which Security Hub org relationships exist for the currently authenticated org. The response lists relationship records from that org's perspective (for example, links to a parent or to children), so you can confirm who is connected before making any changes.
HTTP method: GET
Path (after your instance base URL): /services/data/v{apiVersion}/connect/securityhub/org-relationships
Query Parameters: None
Example:
GET https://{yourInstance}/services/data/v62.0/connect/securityhub/org-relationships
Requires API version 224 or newer (for example, v62.0 is valid).

 

Disconnect a Child Org (Call from the Parent Org):

Use this when you are logged into or authenticated as the parent org and want to stop that parent's relationship to a given child org.
HTTP method: DELETE
Path (after your instance base URL): /services/data/v66.0/connect/securityhub/master-org?masterOrgId=<ParentOrgId>
Query Parameters:

ParameterDescription
childOrgIdThe Salesforce org ID of the child org you are disconnecting from this parent.
bidirectionaltrue — also update the child org so it no longer lists this org as its parent (coordinated disconnect). false — only perform the disconnect from the parent side; the child org is not updated in that coordinated step.

Examples:
Coordinated disconnect (parent and child both updated when possible):
DELETE https://{yourInstance}/services/data/v65.0/connect/securityhub/child-org?childOrgId=00Dxxxxxxxxxxxxxxx&bidirectional=true
Parent-side only:
DELETE https://{yourInstance}/services/data/v65.0/connect/securityhub/child-org?childOrgId=00Dxxxxxxxxxxxxxxx&bidirectional=false
Use API version 224 or newer (replace v65.0 with the version your integration uses).

 

Disconnect the Parent Org (Call from the Child Org):

Use this when you are logged into or authenticated as the child org and want to remove its link to the parent org.
HTTP method: DELETE
Path (after your instance base URL): /services/data/v{apiVersion}/connect/securityhub/master-org
Query Parameters:

ParameterDescription
masterOrgIdThe Salesforce org ID of the parent (master) org you are disconnecting from.

Example:
DELETE https://{yourInstance}/services/data/v65.0/connect/securityhub/master-org?masterOrgId=00Dxxxxxxxxxxxxxxx
This operation does not use a bidirectional parameter. Use API version 224 or newer.

 

Base URL Structure:

REST calls use your org's Salesforce instance and the standard REST API prefix, for example:
https://{instance}/services/data/v{apiVersion}/connect/securityhub/...

The org in the URL and token must match the org from which you are making the call (parent or child, as described above).

Knowledge 기사 번호

005318666

 
로드 중
Salesforce Help | Article