Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Platform Resources

DPoD IDP Migration FAQ

search

DPoD IDP Migration FAQ

This document contains frequently asked questions and answers about the DPoD IDP migration and additional details about impacts to DPoD users.

The following document refers to single tenant users and multi tenant users. Single tenant users refer to a user whose email address is registered to a single DPoD tenant. Multi tenant users refer to users whose email address is registered to multiple DPoD tenants.

Questions - General

What is changing?

Thales is changing the Identity Provider (IDP) used in the DPoD platform to Thales OneWelcome. This update enables the platform to provide modern authentication options as well as simplifying logins for users that manage multiple tenants on the platform.

As a result of this IDP change, tenant vanity URLs will no longer exist and all users will log in to their DPoD tenant from a common login portal. The new login portal will be available at welcome.dpondemand.io.

Will this migration be deployed to the two regions separately?

Thales will migrate one region and then will migrate the remaining region at a later date.

The migration date for the two regions will be shared through the DPoD status page, Changelog, and this document when available. We recommend subscribing to the status page and changelog to receive emails with the latest updates.

When is the migration happening?

The migration will occur early in 2025. No migration date has been announced.

The migration date will be shared through the DPoD status page, Changelog, and this document when available. We recommend subscribing to the status page and changelog to receive emails with the latest updates.

Will there be a maintenance window for the migration?

Yes, a maintenance window for the migration will be announced through the DPoD status page. We recommend subscribing to the status page to be alerted of this and any other maintenance events on the DPoD platform and services.

What is the overlap period between the old UAA IDP and the new OneWelcome IDP?

On the changeover date the old UAA IDP will be disabled effective immediately and authentication requests will be directed to the new Thales OneWelcome IDP.

How do I identify my tenant moving forward?

You can identify your tenant using the tenant id. The tenant id is available from a logged in tenant under the user email address in the top right corner of the DPoD tenant user interface.

Questions - Authentication

Will my login credentials change?

Single tenant users - You can continue to log in to the new Thales OneWelcome portal using the same credentials as before. You will need to register a new MFA OTP on your device.

Multi tenant users - With the new authentication system users will use a single login to authenticate to any of the tenant accounts they are a member of. This is a significant improvement for managed service providers that are today managing multiple tenants on behalf of their customers, as well as users that are maintaining tenant accounts in different HSM regions for data sovereignty requirements. More information on impacts to multi tenant users will be shared at a future date. You will need to register a new MFA OTP on your device.

If you have multiple tenants in one region your account password and account information will be registered based on the most recent tenant login of the region.

If you have multiple tenants in both regions your account password and account information will be registered based on the most recent tenant login of the first migrated region. When the second region is migrated your tenants from that region will be added to the account that was registered as part of the first regions migration. Your account password and account information will not be updated as part of the second region migration.

What do I need to do to migrate?

Thales will handle the IDP migration.

Single tenant users - You will receive an email to register a new MFA OTP on your device.

Multi tenant users - You will receive an email to register a new MFA OTP on your device.

How do I login after the migration?

After the migration to the new Thales OneWelcome IDP you will log in through a common login portal. The new login portal will be available at welcome.dpondemand.io.

Single tenant users - On log in to the common login portal single tenant users will be redirected to their DPoD tenant.

Multi tenant users - On log in to the common login portal multi tenant users will view a list of DPoD tenants that the credentials are registered to. Multi tenant users will select a tenant from the list and be redirected to the selected DPoD tenant.

Following the migration we recommend you update any bookmarks to use the new login page as access to the previously used tenant login URLs will be removed.

What if I am a multi tenant user and I do not want this change?

If you require keeping the logins for different tenants separated it will require that each tenant uses a unique email address. Please contact Thales Customer Support for assistance in the creation and removal of user accounts.

Are there any changes to API credentials?

Platform and service API credentials are still required to authenticate to the API. Requests over the API no longer require inclusion of the hostname/vanity name. Requests to hostname/vanity URLs will be redirected to the common login and market.

We recommend updating any existing automation/scripting to use the common login portal URL and market URL when using the API.

Do I need to regenerate API Credentials?

No, all platform and service client credentials will be migrated to the new IDP.

Who do I contact for assistance logging in?

Single tenant users - Following the migration you will receive an email informing you that the migration has been completed and the email will direct you to login to the new portal and reset your MFA OTP.

Multi tenant users - Following the migration you will receive an email informing you that the migration has been completed and the email will direct you to login to the new portal and reset your MFA OTP.

If you have forgotten your password you can use the self service tools on the Thales OneWelcome login page to submit a forgot password request.

If you are a newly registered user, you will receive a registration email. If the registration email code expires you can use the self service tools on the OneWelcome login page to request a new registration email.

If problems with logging in persist please contact your tenant administrator. If your tenant administrator is unavailable to assist please contact Thales Support.

Can I log in to tenants in different regions using the same login?

Yes, for multi tenant users after the migration a single login can be used to access tenants in any DPoD region.

Questions - Administration

How do I reset other account passwords in my tenant?

This capability has been removed to prevent an administrator from handling a user's credentials. Users can use the forgot password functionality on the Thales OneWelcome login portal to reset their own password.

Are there changes to creating/registering new users?

When manually registering a new user, administrators no longer set an initial password. Registered users receive an email invitation to validate their email and create their user credentials.

The custom service provider sign up pages have been deprecated. New users can register at the https://market.dpondemand.io/signup.

Service provider administrators can create a custom registration page using the DPoD Platform API /tenants endpoint or can register users manually using the DPoD service provider tenant user interface.

If the registration email code expires users can use the self service tools on the Thales OneWelcome login page to request a new registration email.

Can I still add a Service Provider logo to my tenant?

Yes, service provider administrators can still add a logo to their tenant. Service provider logos will no longer display on the IDP login pages. Service provider logos will continue to display in the tenant user interface.

Questions - Luna Cloud HSM

Do I need to download a new Luna Cloud HSM client?

No, you do not need to download a new Luna Cloud HSM client as long as you are using a client that is supported by the Luna Cloud HSM service. For more information about supported clients see Universal Client Supported Versions with Luna Cloud HSM. Authentication requests will be automatically redirected to the new IDP. However, clients using the old configuration may experience performance delay issues due to the redirects required to continue operations.

Are there changes to the Luna Cloud HSM client configuration?

The Luna Cloud HSM client will now authenticate to https://access.dpondemand.io/oauth/.well-known/openid-configuration. Authentication requests from old client configurations will automatically redirect to the new IDP.

Following the migration there will be new FQDNs, CRLs and OCSPs. You must use the fully qualified domain names (FQDNs) provided in the client package when configuring your connection. For more information about include listing DPoD Luna Cloud HSM FQDNs and more information about configuring the client connection see Client Network Connectivity.

If you are restricting network egress requests using domain names you will need to include list the Thales OneWelcome domain names. The Thales OneWelcome domain name used for machine to machine access is access.dpondemand.io.

On this page