The following document details the requirements of DNS records used for PSaaS Appliance instances.
You’ll need one certificate per environment (for example, if you have a Dev/Test environment and a Prod environment, you’ll need two certs).
If you’d like to use a Webtask Dedicated Domain, you’ll need an additional DNS zone and certificate for each environment. If you have a Dev/Test environment and a Prod environment, you’ll need a total of two certificates per environment.
Dedicated and non-dedicated host names must be unique.
Sample DNS Naming Scheme
|App Tenant(s)||identity.yourdomain.com (for example); app-project.yourdomain.com (if you want more than 1 App tenant); ...and so on|
For a dev/test (non-production) PSaaS Appliance, a common practice is to include "dev" in the domain name:
|Management Dashboard (Dev)||manage.dev.yourdomain.com|
|App Tenant(s) (Dev)||identity.dev.yourdomain.com (for example); app-name.dev.yourdomain.com (if you want more than 1 App tenant); ...and so on|
Goals & Requirements
Definitions of Terms Used in the DNS Naming Scheme
- Configuration: highly-privileged tenant used to do the PSaaS Appliance baseline configuration and for managing the security of other tenants;
- App: the name of your application;
- yourdomain.com: your organization's domain name.
The Auth0 PSaaS Appliance is capable of supporting multi-tenancy (that is, each tenant may have one or more associated apps). Auth0 may recommend this deployment model when multiple groups within your company share the PSaaS Appliance for different projects. If a customer decides to create multiple app tenants, each app tenant must have its own DNS entry.
DNS Configuration Requirements
In a standard multi-node cluster deployment, the DNS records will point to the IP address of the load balancer in front of the cluster.
IP Addresses and DNS Records
For a single-node PSaaS Appliance instance, the DNS record(s) will point to the IP address of the virtual machine itself (this is often the case for the development/test node).
The hostname (such as manage-project.yourdomain.com) must be at least three characters long and must not contain any underscores (_).
The following are reserved tenant names and may not be used for the app tenant.
The Management Dashboard, Configuration Tenant, and App Tenant(s) must all be a part of the same parent domain (such as yourdomain.com).
Three- or four-part domain names are supported (such as manage.project.yourdomain.com).
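The hostname rules above, together with the requirement that host names be unique, can be checked against a planned naming scheme before DNS records and certificates are requested. The following is an added example, not part of the Auth0 documentation. The function name, the reading of "three characters" as applying to the leftmost (tenant) label, counting "parts" as dot-separated labels, and the `reserved` parameter (to be filled from the reserved-name list, which is not reproduced on this page) are assumptions.

```python
def check_naming_scheme(hostnames, parent_domain, reserved=frozenset()):
    """Return a list of (hostname, problem) tuples; an empty list means the plan passes."""
    problems = []
    seen = set()
    suffix = "." + parent_domain.lower().strip(".")
    for raw in hostnames:
        host = raw.lower().rstrip(".")  # DNS names compare case-insensitively
        labels = host.split(".")
        tenant = labels[0]  # assumption: the tenant name is the leftmost label
        if host in seen:
            problems.append((raw, "duplicate hostname"))
        seen.add(host)
        if "_" in host:
            problems.append((raw, "contains an underscore"))
        if len(tenant) < 3:
            problems.append((raw, "tenant label shorter than three characters"))
        if tenant in reserved:
            problems.append((raw, "reserved tenant name"))
        # Requiring the leading dot stops "evilyourdomain.com" matching "yourdomain.com".
        if not host.endswith(suffix):
            problems.append((raw, "outside parent domain " + parent_domain))
        if len(labels) not in (3, 4):
            problems.append((raw, "not a three- or four-part name"))
    return problems


# Hostnames taken from the sample dev naming scheme on this page.
GOOD_PLAN = [
    "manage.dev.yourdomain.com",
    "identity.dev.yourdomain.com",
    "app-name.dev.yourdomain.com",
]

# Constructed plan that breaks one rule per entry after the first.
BAD_PLAN = [
    "manage.dev.yourdomain.com",
    "Manage.dev.yourdomain.com",      # same name, different case
    "app_name.dev.yourdomain.com",    # underscore
    "id.dev.yourdomain.com",          # tenant label too short
    "identity.dev.otherdomain.com",   # different parent domain
]

if __name__ == "__main__":
    for plan in (GOOD_PLAN, BAD_PLAN):
        for host, problem in check_naming_scheme(plan, "yourdomain.com"):
            print(f"{host}: {problem}")
```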
In the PSaaS Appliance, you may map any arbitrary domain name to a tenant using the Custom Domains feature. You may also map multiple custom domains to a single tenant.
Suppose these were your standard domains:
|Root Tenant Authority||Sample Tenant||Custom Domain for the Sample Tenant|
Please note that all tenant names are derived from the base Configuration Tenant. However, you may set your custom domain to point toward any of your tenants (in the example above, new-name.not-example.com maps to auth.example.com, and the latter may be used by your applications).