Skip to main content

1E 23.7 (SaaS)


To follow this guide you will need the following:

  • A tenant in one of the following IdP:

    • Azure Active Directory (AAD)

    • Okta


      1E is only supported on the Workforce Identity version. The Customer Identity version - which is Auth0 under the hood - is not supported.

  • To create new App Registrations and assign and grant permissions in your IdP. This can be done as a Global Administrator in AAD or a Company Administrator in Okta.

  • An IdP account that will be set as the Principal 1E user (the first user of the 1E platform, assigned the Full Administrator role, and a System principal - which means that they cannot be deleted or modified). You should create this user specifically for this purpose, treat it like a service account, and disable it after first use.

    • A user who can log on using the principal user account will need to be available at a certain stage of the upgrade or new instance provisioning to test the 1E instance.

For new 1E instances, you will need to request from your certificate administrator:

  • A Base-64 encoded certificate (.PEM) file which contains the whole chain of trust including the Root CA(s) and any intermediate CA(s) that provide certificates to the clients you want to manage.

  • The provided PEM has Certificate Revocation List Distribution Point(s) referenced

  • The Certificate Revocation List Distribution Point(s) are reachable from the Internet.

For both new instances and upgrades from non-IdP versions of the platform, you will be configuring:

  • 3 new App Registrations in your IdP.

You will then need to provide to 1E:

  • The application IDs for the new applications you will create

  • The OpenID Connect (OIDC) metadata document for your IdP

  • Your Tenant ID

  • The name of the IdP account that will be used as the Principal 1E user

  • The name for your new instance (upgrades will keep the previous name).


    Due to restrictions in Azure, the name for your new instance cannot start with a number. The actual pattern definition used for names is:


Post-provisioning 1E will provide you with a URL that contains the DNS name for your 1E portal. You will need to whitelist this portal so that it is accessible from your network.