PSaaS Appliance Infrastructure Requirements: Security and Access
This document details the security and access requirements for your PSaaS Appliance instances.
Each PSaaS Appliance (e.g. your production cluster PSaaS Appliance instance(s) and your development/test node PSaaS Appliance instance) requires a unique SSL certificate to be created and installed. If you'd like additional DNS zones, you'll need an additional certificate for each DNS zone you create.
The SSL Certificate:
- must be created by a public certificate authority. They cannot be self-signed.
- may be a wildcard or a multi-domain (SAN) certificate;
- must contain all required DNS/domain names, including those for the:
- Management Dashboard;
- Configuration Tenant;
- App Tenant(s) (current and future) specific to that particular PSaaS Appliance instance.
Auth0 accepts the following certificate format:
If you are using CER / PEM format, you should convert to PFX format.
-----BEGIN CERTIFICATE----- MY-PUBLIC-KEY -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- PARENT -----END CERTIFICATE-----
If you are behind a transparent proxy, you will need to:
- obtain certificate(s) for your proxy created by a public certificate authority.
- add an exception so that the PSaaS Appliance instance(s) may get through the proxy unauthenticated.
Please ensure that your network is configured such that the PSaaS Appliance exposes HTTPS to end users only.
You must configure an SMTP server in order for the PSaaS Appliance to send emails. The PSaaS Appliance requires an authentication SMTP server that has been configured with SMTP PLAIN authentication.
AWS SES Users: If your domain is not validated, you will not be able to send email with AWS SES.
Optionally, you may use a Transactional Email Provider (e.g. SendGrid, Amazon SES, Mandrill).
The PSaaS Appliance supports STARTTLS, but it is not required.
Auth0 Remote Access
Auth0 requires remote access to your PSaaS Appliance instances to perform updates, maintenance, or troubleshooting.
Auth0's remote access method for initial configuration requires SSH access via Jumphost (the preferred method) or via VPN. After the initial configuration, please feel free to disable this connection.
Updates, Maintenance, and Troubleshooting
Typically, updates are performed via the Auth0 Dashboard. In the event that Auth0 needs to remote in to identify and troubleshoot issues, an Auth0 Customer Success Engineer will need access to the PSaaS Appliance through SSH access via Jumphost (the preferred method) or over VPN. This connection may be enabled for and disabled after the agreed-upon time frames for work.
Around-the-Clock Accessibility for Custom SLAs
Auth0's remote access method requires SSH access via Jumphost (the preferred method) or via VPN. For those customers requesting a Custom SLA tied to the PSaaS Appliance, remote access must be granted through this method 24 hours per day, 7 days per week.