Skip to main content

1E 23.11 (SaaS)

1E instance new provisioning

The process for provisioning new instances of 1E is outlined in the following table.

The table shows two columns: the left one shows all the actions expected of customers and the right one all the actions expected of 1E. All the information that needs to be passed from customers to 1E and vice versa is highlighted in each cell. The timeline is shown from top-to-bottom.

Table 1. 1E upgrade provisioning process

Customer

1E

Following on from the initial provisioning conversation, your 1E Account Team will generate a new license for your 1E instance and notify internal teams about the new provisioning request.

The chain of trust for your PKI environment must be provided to your 1E Account Team, you will need to talk to your certificate administrator to do this. This needs to be provided as a .PEM file:

  • You will need to request this from your certificate administrator

  • This should be a Base-64 encoded certificate, containing the whole chain of trust including the Root CA(s) and any intermediate CA(s) that provide certificates to the clients you want to manage.

1E provides you with two items that you will need to configure the two provisioning applications that have to be created in your IdP:

  1. A Client Assertion certificate .PEM file - this is needed for the 1E Client Assertion App Registration.

  2. A Redirect URI - this is needed for the 1E PKCE App Registration.

You will need to create two provisioning App Registrations in your IdP:

  1. 1E Client Assertion application - used by1Eto perform directory searches in your IdP.  It will allow your 1E Administrator to add users in the platform and give them assignments for roles and management groups.

    This is where you upload the .PEM file provided to you by 1E.

    For information on how to register this application when using AAD, please refer to AAD Applications.

    For information on how to register this application when using Okta, please refer to Okta Applications

  2. 1E PKCE application - used to read the credentials for each account that logs into the 1E platform.

    This is where you need the Redirect URI provided to you by 1E.

    For more information on how to register this application when using AAD, please refer to AAD Applications.

    For more information on how to register this application when using Okta, please refer to Okta Applications.

Once the applications have been created you will need to send the following information to 1E:

  • Application (client) ID for the 1E Client Assertion application - allows 1E read-only, certificated access in order to perform IdP searches on users and groups

  • Application (client) ID for the 1E PKCE application - allows 1E read-only access to the user that is logging on to the 1E portal

  • Application (client) ID for the 1E PKCE Non-Interactive application - used for non-interactive login access to 1E.

  • Tenant ID, which can be copied from your IdP page - used by 1E to identify your organization.

  • OpenID Connect metadata document - tells 1E which API calls it can make in your IdP to support the above functions

  • IdP User Account - The initial account that will be set up as your Principal 1E user account who will be a full administrator in 1E. This account will need to populate all other users and groups in 1E.

More information on how to gather this information for AAD can be found here: AAD Applications and for Okta here: Okta Applications.

Using this information 1E will test that your IdP is correctly configured for your 1E SaaS and create your 1E instance.

When the provisioning completes, 1E will provide you with:

  1. Your 1E Portal URL.

  2. A command-line for your 1E Client installations.

The Principal 1E user should now be used to confirm you can access your 1E instance using the URL provided. If there are any issues you should contact your 1E Account Team.

The Principal 1E user will now be able to access 1E to:

  1. Add a Full Administrator user from your IdP to your 1E instance.

Subsequently the Full Administrator user should access 1E to add the following:

  1. Assign roles and define permissions.

  2. Create management groups.

You will also need to deploy the 1E Client to all the devices on your network you want to manage with 1E. This can be done using the installation command-line provided by 1E.

At the same time you will need to confirm for any non-domain joined clients where you want to install the 1E Client that they have the appropriate certificates for your domain.