DPoD IDP Migration FAQ
This document contains frequently asked questions and answers about the DPoD IDP migration and additional details about impacts to DPoD users.
The following document refers to single tenant users and multi tenant users. Single tenant users refer to a user whose email address is registered to a single DPoD tenant. Multi tenant users refer to users whose email address is registered to multiple DPoD tenants.
Questions - General
What is changing?
Thales is changing the Identity Provider (IDP) used in the DPoD platform to Thales OneWelcome Identity Platform. This update enables the platform to provide modern authentication options as well as simplifying logins for users that manage multiple tenants on the platform.
As a result of this IDP change, tenant vanity URLs will no longer exist and all users will log in to their DPoD tenant from a common login portal. The new login portal will be available at welcome.dpondemand.io.
Will this migration be deployed to the two regions separately?
Thales will migrate the two regions separately as per the schedule below:
- North America: February 22, 2025
- Europe: March 8, 2025
We recommend subscribing to the DPoD status page and Changelog to receive emails with the latest updates.
When is the migration happening?
Thales will migrate each region as per the schedule below:
- North America: February 22, 2025
- Europe: March 8, 2025
We recommend subscribing to the DPoD status page and Changelog to receive emails with the latest updates.
Will there be a maintenance window for the migration?
Yes, a maintenance window for the migration will be announced through the DPoD status page. We recommend subscribing to the status page to be alerted of this and any other maintenance events on the DPoD platform and services.
What is the overlap period between the old UAA IDP and the new OneWelcome Identity Platform?
On the changeover date the old UAA IDP will be disabled effective immediately and authentication requests will be directed to the new Thales OneWelcome Identity Platform.
How do I identify my tenant moving forward?
You can identify your tenant using the tenant id. The tenant id is available from a logged in tenant under the user email address in the top right corner of the DPoD tenant user interface.
Questions - Authentication
Will my login credentials change?
Single tenant users - You can continue to log in to the new Thales portal using the same credentials as before. You will need to register a new MFA OTP on your device.
Multi tenant users - With the new authentication system users will use a single login to authenticate to any of the tenant accounts they are a member of. This is a significant improvement for managed service providers that are today managing multiple tenants on behalf of their customers, as well as users that are maintaining tenant accounts in different HSM regions for data sovereignty requirements. You will need to register a new MFA OTP on your device.
If you have multiple tenants in one region your account password and account information will be registered based on the most recent tenant login of the region.
If you have multiple tenants in both regions your account password and account information will be registered based on the most recent tenant login of the first migrated region. When the second region is migrated your tenants from that region will be added to the account that was registered as part of the first regions migration. Your account password and account information will not be updated as part of the second region migration.
What do I need to do to migrate?
Thales will handle the IDP migration.
Single tenant users - You will receive an email to register a new MFA OTP on your device.
Multi tenant users - You will receive an email to register a new MFA OTP on your device.
How do I login after the migration?
After the migration to the new Thales OneWelcome Identity Platform you will log in through a common login portal. The new login portal will be available at welcome.dpondemand.io.
Single tenant users - On log in to the common login portal single tenant users will be redirected to their DPoD tenant.
Multi tenant users - On log in to the common login portal multi tenant users will view a list of DPoD tenants that the credentials are registered to. Multi tenant users will select a tenant from the list and be redirected to the selected DPoD tenant.
Following the migration we recommend you update any bookmarks to use the new login page as access to the previously used tenant login URLs will be removed.
What if I am a multi tenant user and I do not want this change?
If you require keeping the logins for different tenants separated it will require that each tenant uses a unique email address. Please contact Thales Customer Support for assistance in the creation and removal of user accounts.
Are there any changes to API credentials?
Platform and service API credentials are still required to authenticate to the API. Requests over the API no longer require inclusion of the hostname/vanity name. Requests to hostname/vanity URLs will be redirected to the common login and market.
We recommend updating any existing automation/scripting to use the common login portal URL and market URL when using the API.
Do I need to regenerate API Credentials?
No, all platform and service client credentials will be migrated to the new IDP.
Who do I contact for assistance logging in?
Single tenant users - Following the migration you will receive an email informing you that the migration has been completed and the email will direct you to login to the new portal and reset your MFA OTP.
Multi tenant users - Following the migration you will receive an email informing you that the migration has been completed and the email will direct you to login to the new portal and reset your MFA OTP.
If you have forgotten your password you can use the self service tools on the Thales DPoD login page to submit a forgot password request.
If you are a newly registered user, you will receive a registration email. If the registration email code expires you can use the self service tools on the DPoD$ login page to request a new registration email.
If problems with logging in persist please contact your tenant administrator. If your tenant administrator is unavailable to assist please contact Thales Support.
Can I log in to tenants in different regions using the same login?
Yes, for multi tenant users after the migration a single login can be used to access tenants in any DPoD region.
Questions - Administration
How do I reset other account passwords in my tenant?
This capability has been removed to prevent an administrator from handling a user's credentials. Users can use the forgot password functionality on the Thales DPoD$ login portal to reset their own password.
Are there changes to creating/registering new users?
When manually registering a new user, administrators no longer set an initial password. Registered users receive an email invitation to validate their email and create their user credentials.
The custom service provider sign up pages have been deprecated. New users can register at the https://market.dpondemand.io/signup.
Service provider administrators can create a custom registration page using the DPoD Platform API /tenants endpoint or can register users manually using the DPoD service provider tenant user interface.
If the registration email code expires users can use the self service tools on the Thales DPoD$ login page to request a new registration email.
Can I still add a Service Provider logo to my tenant?
Yes, service provider administrators can still add a logo to their tenant. Service provider logos will no longer display on the IDP login pages. Service provider logos will continue to display in the tenant user interface.
Questions - Luna Cloud HSM
Do I need to download a new Luna Cloud HSM client?
We recommend you upgrade your client following the migration.
For more information about supported clients see Universal Client Supported Versions with Luna Cloud HSM. Authentication requests will be automatically redirected to the new IDP. However, clients using the old configuration may experience performance delay issues due to the redirects required to continue operations.
Are there changes to the Luna Cloud HSM client configuration?
We recommend you upgrade your client following the migration.
The Luna Cloud HSM client will now authenticate to https://access.dpondemand.io/oauth/.well-known/openid-configuration. Authentication requests from old client configurations will automatically redirect to the new IDP. However, clients using the old configuration may experience performance delay issues due to the redirects required to continue operations.
Following the migration there will be new FQDNs, CRLs and OCSPs. You must use the fully qualified domain names (FQDNs) provided in the client package when configuring your connection. For more information about include listing DPoD Luna Cloud HSM FQDNs and more information about configuring the client connection see Client Network Connectivity.
If you are restricting network egress requests using domain names you will need to include list the Thales OneWelcome Identity Platform domain names. The Thales OneWelcome Identity Platform domain name used for machine to machine access is access.dpondemand.io.
Questions - Key Broker for Google Cloud EKM
Are there changes to how users access Key Broker for Google Cloud EKM?
Following the IDP migration users should clear the cookies in their browser or use private/incognito mode to log in to Key Broker for Google Cloud EKM.
