1E instance new provisioning

Learn how to provision a new 1E instance with step-by-step guidance on prerequisites, certificate setup, IdP application registration, and required information exchange. Ideal for IT admins and enterprise teams using 1E. To request a 1E instance, you will need to contact your 1E Account Team. They will then start the process of upgrading or provisioning a new instance for you.

Provisioning process

The table shows two columns: the left column lists the actions expected of customers and the right column lists the actions expected of 1E. All the information that needs to be passed from customers to 1E, and vice versa, is highlighted in each cell. The timeline runs from top to bottom.

Customer actions

1E actions


Following on from the initial provisioning conversation, your 1E Account Team will generate a new license for your 1E instance and notify internal teams about the new provisioning request.

The chain of trust for your PKI environment must be provided to your 1E Account Team. You will need to talk to your certificate administrator to do this. The chain needs to be provided as a .PEM file:

  • You will need to request this from your certificate administrator
  • This should be a Base-64 encoded certificate, containing the whole chain of trust including the Root CA(s) and any intermediate CA(s) that provide certificates to the clients you want to manage.
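
A pre-flight check for the trust-chain .PEM file described above, as an added example that is not 1E's own tooling: it walks each certificate's DER just far enough to compare issuer and subject names, confirming that the bundle contains a self-issued root, that every issuer is present, and that no private key block is in the file. The function names and the sample bundle are constructed for illustration; matching is by name only and no signature is verified.

```python
import base64, re
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, pos, _ = tlv(der, tlv(der, 0)[1])           # Certificate -> tbsCertificate
    fields = []                                    # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = tlv(der, pos)
        if tag != 0xA0:                            # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_trust_bundle(pem_text):
    """Name-based completeness check; it does not verify any signature."""
    names, keys = [], 0
    for label, body in PEM_BLOCK.findall(pem_text):
        if "PRIVATE KEY" in label:
            keys += 1                              # key material must not be sent on
        elif label == "CERTIFICATE":
            der = base64.b64decode("".join(body.split()), validate=True)
            names.append(issuer_and_subject(der))
    subjects = {subject for _, subject in names}
    roots = sum(1 for issuer, subject in names if issuer == subject)
    orphans = [n for n, (issuer, _) in enumerate(names) if issuer not in subjects]
    return {"certs": len(names), "roots": roots, "orphans": orphans, "private_keys": keys,
            "ok": bool(names) and roots > 0 and not orphans and keys == 0}

# Constructed sample input: unsigned DER skeletons with placeholder names, demo only.
def enc(tag, body):
    return bytes([tag, len(body)]) + body          # short-form lengths only
def fake_cert(issuer_cn, subject_cn):
    name = lambda cn: enc(0x30, enc(0x0C, cn.encode()))
    tbs = (enc(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + enc(0x30, b"")
           + name(issuer_cn) + enc(0x30, b"") + name(subject_cn))
    return enc(0x30, enc(0x30, tbs))
def pem(label, raw):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(raw).decode()}-----END {label}-----\n"

SAMPLE_BUNDLE = pem("CERTIFICATE", fake_cert("Root", "Root")) + pem("CERTIFICATE", fake_cert("Root", "Issuing CA"))
```

In the returned report, `orphans` holds the positions of certificates whose issuer is missing from the file, which is the usual sign that an intermediate or root CA was left out of the export.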


1E provides you with two items that you will need to configure the two provisioning applications that have to be created in your IdP:

  1. A Client Assertion certificate .PEM file - this is needed for the 1E Client Assertion App Registration.

  2. A Redirect URI - this is needed for the 1E PKCE App Registration.

You will need to create two provisioning App Registrations in your IdP:

  1. 1E Client Assertion application: Used by 1E to perform directory searches in your IdP. It will allow your 1E Administrator to add users in the platform and give them assignments for roles and management groups.

    • This is where you upload the .PEM file provided to you by 1E.

  2. 1E PKCE application: Used to read the credentials for each account that logs into the 1E Platform.

    • This is where you need the Redirect URI provided to you by 1E.

For information about registering the application, refer to AAD Applications or Okta Applications.


Once the applications have been created you will need to send the following information to 1E:

  • Application (client) ID for the 1E Client Assertion application: Allows 1E read-only, certificate-based access in order to perform IdP searches on users and groups.
  • Application (client) ID for the 1E PKCE application: Allows 1E read-only access to the user that is logging on to the 1E portal.
  • Application (client) ID for the 1E PKCE Non-Interactive application: Used for non-interactive login access to 1E.
  • Tenant ID, which can be copied from your IdP page: Used by 1E to identify your organization.
  • OpenID Connect metadata document: Tells 1E which API calls it can make in your IdP to support the above functions.
  • IdP User Account: The initial account that will be set up as your Principal 1E user account, which will be a full administrator in 1E. This account will need to populate all other users and groups in 1E.

For details on gathering this information, refer to AAD Applications or Okta Applications.


Using this information, 1E will test that your IdP is correctly configured for your 1E SaaS and create your 1E instance.


When the provisioning completes, 1E will provide you with:

  1. Your 1E Portal URL.

  2. A command-line for your 1E Client installations.

The Principal 1E user should now be used to confirm you can access your 1E instance using the URL provided. If there are any issues you should contact your 1E Account Team.


The Principal 1E user will now be able to access 1E to:

  1. Add a Full Administrator user from your IdP to your 1E instance.

Subsequently the Full Administrator user should access 1E to add the following:

  1. Assign roles and define permissions.

  2. Create management groups.

You will also need to deploy the 1E Client to all the devices on your network you want to manage with 1E. This can be done using the installation command-line provided by 1E.

At the same time, for any non-domain-joined clients where you want to install the 1E Client, you will need to confirm that they have the appropriate certificates for your domain.


Provisioning checklist

This checklist is designed to assist you through the essential steps required to provision a new 1E instance. An Excel version of this checklist is available for download: Provisioning Checklist.

Tenant Information - Customer Input (Value: [Customer Input])

  • Instance Name
  • Elastic SaaS Region
  • 1E Instance Contact

Tenant Information - SRE Input (Value: [SRE Input])

  • Tenant Stage
  • Quantity of Endpoints
  • IDP Hoster

Cloud Engineering Info (Value: [Cloud Eng Input])

  • IDP Client Cert Thumbprint
  • IDP Client Cert Text
  • Redirect URL
  • Background Channel URL
  • Switch URL
  • SaaS Platform URL

Customer Setup Info (Value: [Customer Input])

  • Who fills in customer section
  • IDP Type
  • IDP Metadata URL
  • IDP Client Cert uploaded to IDP?
  • Redirect URL set?
  • Instruction Signing Certificates
  • Client Assertion AppID
  • PKCE Grant Flow AppID
  • Non-Interactive AppID
  • IDP Setup UPN
  • Trust Chain PEM (CA Certs - ES)