Skip to main content

1E 23.11 (SaaS)


This article outlines the prerequisites for successfully provisioning 1E platform.

To follow this guide you will need the following:

  • A tenant in one of the following IdP:

    • Azure Active Directory (AAD)

    • Okta


      1E is only supported on the Workforce Identity version. The Customer Identity version - which is Auth0 under the hood - is not supported.

  • To create new App Registrations and assign and grant permissions in your IdP. This can be done as a Global Administrator in AAD or a Company Administrator in Okta.

  • An IdP account that will be set as the Principal 1E user (the first user of the 1E platform, assigned the Full Administrator role, and a System principal - which means that they cannot be deleted or modified). You should create this user specifically for this purpose, treat it like a service account, and disable it after first use.

    • A user who can log on using the principal user account will need to be available at a certain stage of the upgrade or new instance provisioning to test the 1E instance.

For new 1E instances, you will need to request from your certificate administrator:

  • A Base-64 encoded certificate (.PEM) file which contains the whole chain of trust including the Root CA(s) and any intermediate CA(s) that provide certificates to the clients you want to manage.

  • The provided PEM has Certificate Revocation List Distribution Point(s) referenced

  • The Certificate Revocation List Distribution Point(s) are reachable from the Internet.

For both new instances and upgrades from non-IdP versions of the platform, you will be configuring:

  • 3 new App Registrations in your IdP.

You will then need to provide to 1E:

  • The application IDs for the new applications you will create

  • The OpenID Connect (OIDC) metadata document for your IdP

  • Your Tenant ID

  • The name of the IdP account that will be used as the Principal 1E user

  • The name for your new instance (upgrades will keep the previous name).


    Due to restrictions in Azure, the name for your new instance cannot start with a number. The actual pattern definition used for names is:


Post-provisioning 1E will provide you with a URL that contains the DNS name for your 1E portal. You will need to whitelist this portal so that it is accessible from your network.

Once you have the prerequisites in place you can request a 1E instance, to do this you must contact your 1E Account Team. They will then start the process of provisioning a new instance for you.