Prerequisites
This article outlines the prerequisites for successfully provisioning the 1E platform.
To follow this guide you will need the following:
A tenant in one of the following IdPs:
Azure Active Directory (AAD)
Okta
Note
1E is only supported on the Workforce Identity version. The Customer Identity version - which is Auth0 under the hood - is not supported.
Rights to create new App Registrations and to assign and grant permissions in your IdP. This should be done by someone in your organization with sufficient admin rights, such as a Global Administrator in AAD or a Company Administrator in Okta.
An IdP account that will be set as the Principal 1E user (the first user of the 1E platform, who is assigned the Full Administrator role and is a System principal, meaning the account cannot be deleted or modified).
Important
You should create this user specifically for this purpose, treat it like a service account, and disable it after first use.
A user who can log on with the principal user account will need to be available at a certain stage of the upgrade or new-instance provisioning to test the 1E instance.
For new 1E instances, you will need to request from your certificate administrator:
A Base-64 encoded certificate (.PEM) file containing the whole chain of trust, including the Root CA(s) and any intermediate CA(s) that issue certificates to the clients you want to manage.
The certificates in the provided PEM reference Certificate Revocation List Distribution Point(s).
The Certificate Revocation List Distribution Point(s) are reachable from the Internet.
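A way to verify the two CRL conditions above before handing the PEM file to 1E, as an added example that is not 1E's own tooling: the script splits a chain file into its certificates, reports the CRL Distribution Point URIs of each one, and can probe each URI over the network. It assumes OpenSSL 1.1.1 or later (for `x509 -ext` and `req -addext`) and curl for the probe; the file paths are hypothetical and the sample chain it builds is constructed for demonstration (two self-signed certificates with a placeholder CRL URL, not a real chain of trust).

```shell
#!/bin/sh
# Added example, not 1E's own tooling: inspect a PEM chain file and report the
# CRL Distribution Point URIs of every certificate in it, so both conditions
# (CRL DPs referenced, CRL DPs reachable) can be checked before hand-over.
# Assumes OpenSSL 1.1.1 or later (for `x509 -ext` and `req -addext`) and,
# for the reachability probe only, curl. All file paths are hypothetical.

# Print the CRL DP URIs of the single PEM certificate supplied on stdin, one per line.
cert_crl_uris() {
    openssl x509 -noout -ext crlDistributionPoints 2>/dev/null \
        | grep -o 'URI:[^[:space:]]*' \
        | sed 's/^URI://'
}

# Split a PEM bundle ($1) into cert-1.pem, cert-2.pem, ... inside directory $2.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n > 0                        { print > out }
    ' "$1"
}

# One report line per certificate in the bundle: its subject and its CRL DP
# URIs, or "none". A self-signed root normally has none; an issuing or
# intermediate CA should have at least one.
crl_report() {
    dir=$(mktemp -d)
    split_chain "$1" "$dir"
    for f in "$dir"/cert-*.pem; do
        subject=$(openssl x509 -noout -subject -in "$f")
        uris=$(cert_crl_uris < "$f" | tr '\n' ' ')
        printf '%s -> CRL DP: %s\n' "$subject" "${uris:-none}"
    done
    rm -rf "$dir"
}

# Number of certificates in the bundle that carry no CRL DP at all.
certs_without_crl_dp() {
    crl_report "$1" | grep -c 'CRL DP: none$' || true
}

# Fetch each CRL DP URI of one certificate file ($1) over the network and
# print ok/FAIL per URI. Needs Internet access, so it is not exercised offline.
probe_crl_uris() {
    for uri in $(cert_crl_uris < "$1"); do
        if curl -sf --max-time 10 -o /dev/null "$uri"; then
            echo "ok   $uri"
        else
            echo "FAIL $uri"
        fi
    done
}

# Constructed sample input (not a real chain): two self-signed certificates,
# a "root" without a CRL DP and an "issuing CA" stand-in with one, written to
# $1/chain.pem. The CRL URL is a placeholder and does not exist.
make_sample_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/root.key" -out "$1/root.pem" \
        -subj "/CN=Sample Root CA" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/issuing.key" -out "$1/issuing.pem" \
        -subj "/CN=Sample Issuing CA" \
        -addext "crlDistributionPoints=URI:http://crl.example.test/issuing.crl" 2>/dev/null
    cat "$1/root.pem" "$1/issuing.pem" > "$1/chain.pem"
    echo "$1/chain.pem"
}

# Usage: ./crlcheck.sh /path/to/chain.pem   (prints the report for that file)
#        ./crlcheck.sh                       (runs on the constructed sample)
if [ $# -gt 0 ]; then
    crl_report "$1"
else
    work=$(mktemp -d)
    crl_report "$(make_sample_chain "$work")"
    rm -rf "$work"
fi
```

Run it against the real chain file and then `probe_crl_uris` against each intermediate or issuing CA certificate from a host outside your network; a root with no CRL DP is expected, but an issuing CA with none, or a URI that fails to fetch, means the file does not yet meet the conditions above.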
For both new instances and upgrades from non-IdP versions of the platform, you will be configuring:
Three new App Registrations in your IdP.
You will then need to provide to 1E:
The application IDs of the new applications you will create
The OpenID Connect (OIDC) metadata document for your IdP
Your Tenant ID
The name of the IdP account that will be used as the Principal 1E user
The name for your new instance (upgrades will keep the previous name).
Note
Due to restrictions in Azure, the name of your new instance cannot start with a number. The pattern used to validate names is:
^[a-z][a-z0-9-]{1,58}[a-z0-9]$
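A small check for a proposed instance name against the pattern above, added here as an example and not part of 1E's tooling. It spells out what the pattern implies (lowercase only, a leading letter, a trailing letter or digit, 3 to 60 characters in total) and assumes a `grep` that supports `-E`.

```shell
#!/bin/sh
# Added example, not 1E tooling: validate a proposed 1E instance name against
# the pattern quoted in the note above before submitting it. Assumes grep -E.

INSTANCE_NAME_PATTERN='^[a-z][a-z0-9-]{1,58}[a-z0-9]$'

# Exit 0 if the name matches the pattern, 1 otherwise.
valid_instance_name() {
    printf '%s\n' "$1" | grep -Eq "$INSTANCE_NAME_PATTERN"
}

# Print "ok" or "invalid" with the reason implied by the pattern:
# 1 leading letter + 1..58 middle characters + 1 trailing letter/digit = 3..60.
check_instance_name() {
    name="$1"
    len=${#name}
    if valid_instance_name "$name"; then
        echo "ok: $name"
    elif [ "$len" -lt 3 ]; then
        echo "invalid: '$name' is shorter than 3 characters"
    elif [ "$len" -gt 60 ]; then
        echo "invalid: '$name' is longer than 60 characters"
    else
        echo "invalid: '$name' must be lowercase, start with a letter, end with a letter or digit, and contain only a-z, 0-9 and '-'"
    fi
}

# Usage: ./namecheck.sh acme-prod
if [ $# -gt 0 ]; then
    check_instance_name "$1"
fi
```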
After provisioning, 1E will provide you with a URL containing the DNS name of your 1E portal. You will need to whitelist this portal so that it is accessible from your network.
Once you have the prerequisites in place you can request a 1E instance by contacting your 1E Account Team, who will then start provisioning a new instance for you.