This document details the requirements for the DNS records used by Appliance instances.
Important: DNS records must be finalized for all of the tenants prior to Appliance deployment. They cannot be changed afterwards.
Sample DNS Naming Scheme
|Root Tenant Authority||rta-project.yourdomain.com|
For a dev/test non-production Appliance a common practice is to append “-dev” to the hostname component in the domain name:
|Management Dashboard (Dev)||manage-dev-project.yourdomain.com|
|Root Tenant Authority (Dev)||rta-dev-project.yourdomain.com|
|App Tenant(s) (Dev)||app1-dev-project.yourdomain.com;
Definitions of Terms Used in the DNS Naming Scheme
- Root Tenant Authority (RTA): a highly privileged tenant used to perform the Appliance baseline configuration and to manage the security of other tenants;
- App: the name of your application;
- Project: the name of the overarching project or department;
- yourdomain.com: your organization's domain name.
The Auth0 Appliance is capable of supporting multi-tenancy (that is, each tenant may have one or more associated apps). Auth0 may recommend this deployment model when multiple groups within your company share the Appliance for different projects. If a customer decides to create multiple app tenants, each app tenant must have its own DNS entry.
DNS Configuration Requirements
IP Addresses and DNS Records
In a standard multi-node cluster deployment, the DNS records will point to the IP address of the load balancer in front of the cluster.
For a single-node Appliance instance, the DNS record(s) will point to the IP address of the virtual machine itself (this is often the case for the development/test node).
Auth0 does not recommend using the same wildcard certificate(s) for Production and non-Production (Test/Development) environments or mapping the DNS for both environments to the same servers.
The hostname (e.g. manage-project.yourdomain.com) must be at least three characters long and must not contain any underscores (_).
The following are reserved tenant names and may not be used for the app tenant.
The Management Dashboard, Configuration Tenant, and App Tenant(s) must all be a part of the same parent domain (e.g. yourdomain.com).
Three- or four-part domain names are supported (e.g. manage.project.yourdomain.com).
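Because the records cannot be changed after deployment, it helps to check the planned names against the rules above before any record is created. The following is an added example, not Auth0 code: `check_scheme`, `PLAN` and `BAD_PLAN` are hypothetical names, the sample hostnames are constructed from the naming scheme on this page, and the reserved tenant names are a parameter you supply. It assumes the length and reserved-name rules apply to the first label and that "parts" means dot-separated labels.

```python
def check_scheme(names, parent_domain, reserved=frozenset()):
    """Return (fqdn, problem) tuples; an empty list means the plan passes.

    names: dict of role -> planned FQDN; parent_domain: e.g. "yourdomain.com";
    reserved: reserved tenant names (assumption: matched against the first label).
    """
    problems = []
    parent = parent_domain.lower().rstrip(".")
    seen = {}  # normalized FQDN -> first role that claimed it
    for role, fqdn in names.items():
        name = fqdn.lower().rstrip(".")
        labels = name.split(".")
        host = labels[0]
        if "_" in name:
            problems.append((fqdn, "contains an underscore"))
        if len(host) < 3:
            problems.append((fqdn, "hostname shorter than three characters"))
        if not name.endswith("." + parent):
            problems.append((fqdn, "not under parent domain " + parent))
        if len(labels) not in (3, 4):
            problems.append((fqdn, "not a three- or four-part name"))
        if host in reserved:
            problems.append((fqdn, "uses a reserved tenant name"))
        if name in seen:
            # Each tenant needs its own DNS entry.
            problems.append((fqdn, "duplicates the record for " + seen[name]))
        seen.setdefault(name, role)
    return problems

# Constructed sample plans (not real records).
PLAN = {
    "Management Dashboard (Dev)": "manage-dev-project.yourdomain.com",
    "Root Tenant Authority (Dev)": "rta-dev-project.yourdomain.com",
    "App Tenant 1 (Dev)": "app1-dev-project.yourdomain.com",
}
BAD_PLAN = {
    "Management Dashboard": "manage_project.yourdomain.com",
    "Root Tenant Authority": "rta-project.otherdomain.com",
    "App Tenant 1": "a1.yourdomain.com",
    "App Tenant 2": "a1.yourdomain.com",
}

if __name__ == "__main__":
    for fqdn, problem in check_scheme(BAD_PLAN, "yourdomain.com"):
        print(f"{fqdn}: {problem}")
```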
In the Appliance, you may map any arbitrary domain name to a tenant using the Custom Domains feature. You may also map multiple custom domains to a single tenant.
Suppose these were your standard domains:
|Root Tenant Authority||Sample Tenant||Custom Domain for the Sample Tenant|
Please note that all tenant names are derived from the base RTA. However, you may set your custom domain to point toward any of your tenants (in the example above, new-name.not-example.com maps to auth.example.com, and the latter may be used by your clients).