With TF Platform, you can manage Organizations that serve as top-level entities, allowing the creation and management of multiple projects. You can easily register an organization using your TF Platform account.

Services

Fundamentals

What is TF Platform?

TF Platform (The Future Platform) simplifies the management of security infrastructure for your digital identities. It makes it easy to integrate and manage digital identities across multiple applications and systems, all within a unified ecosystem. This enables you to build and scale your services securely and efficiently. Our goal is to help teams rapidly create secure, enterprise-grade applications so they can focus on scaling and innovating their products and services.

Why Choose TF Platform?

• Simple & Efficient: We manage the complexities of digital identity, allowing you to focus on your core business features.

• Scalable: Whether you're a startup or an enterprise, our platform grows with your needs, supporting millions of users.

• Quick Setup: Get started in just 5 minutes, reducing time-to-market and keeping you ahead of the competition.

• Easy Compliance: Built-in tools make it simple to meet industry regulations like GDPR, CCPA, ISO, and HIPAA.

• Developer-Friendly: With clear documentation and easy integrations, your developers can start quickly.

• Free Tier: Build and test your ideas with no upfront costs.

When setting up a tenant, you can select a geographic location based on data residency, processing, compliance, and performance requirements. We currently support four data regions, providing flexibility and control over your data storage needs:

• European Economic Area (EEA) Ideal for compliance with the General Data Protection Regulation (GDPR), ensuring data residency within the region and optimal performance for use cases in the EEA.

  Available on:

  • Google Cloud Platform (GCP)

  • Microsoft Azure

• India (Google Cloud Platform, Microsoft Azure): Ideal for compliance with the Personal Data Protection Bill (PDPB), ensuring data residency within the country and optimal performance for use cases in India.

  Available on:

  • Google Cloud Platform (GCP)

  • Microsoft Azure

Failover Support

• Intra-Regional Failover: Failover support is available within each data region to enhance reliability while keeping data within the selected region.

• Cross-Regional Failover: Currently, we do not support cross-regional failover, ensuring that data does not leave the selected region.

On the Roadmap

We are developing a global data residency option to better serve tenants with worldwide needs. This feature will:

• Automatically select optimal data storage locations across regions.

• Ensure compliance with international regulations.

• Provide optimal performance for global operations.

Deleting an organization from the TF Platform permanently removes it, including all associated data such as projects, users, and settings. While this action is irreversible, you can recover the organization within 30 days.

Key Considerations

• Organizations can be recovered within 30 days post-deletion. After this timeframe, all data will be permanently lost.

• Ensure you have the necessary administrative permissions to perform this action.

• It is advisable to notify all organization members before deletion to ensure they are aware of the impending changes.

• A confirmation prompt will appear to verify the deletion request and ensure that the action is intentional.

Steps to Modify Your Organization:

1. Sign In Log in to your TF Platform account.

2. Access Organizations Select Organizations from the menu.

3. Locate Your Organization

   • Find the organization you want to modify.

   • Click on the organization name to access its settings.

4. Edit Organization Details Modify the necessary details such as:

   • Organization Name

   • Registration Number

   • Country & Address

5. eKYC Re-verification Note that changes may require a new eKYC process to verify the updated information. Complete the eKYC to ensure compliance and security.

6. Save Changes After updating the details and completing eKYC, ensure you save the changes.

Steps to Modify a Project:

1. Sign In Log into the TF Platform Portal and choose your organization.

2. Access Projects Navigate to Projects from the sidebar.

3. Locate and Modify

   • Select View Project to access project settings and find the project ID.

   • Expand the menu next to the project and choose:

     • Edit the project to modify the project name or description.

     • Delete to remove the project.

What is a Tenant?

A tenant on TF Platform is a logically isolated environment where you can manage your own data, applications, resources, and configurations.

How Are Tenants Identified?

Each tenant has its own domain. When end-users make requests to a configured domain, the platform routes them to the correct tenant environment. This setup ensures secure and independent operations for each tenant. For more information see Configure custom domain.

Examples:

• Default Domain: [subdomain].tfplatform.com

• Custom Domain: yourdomain.com

Organizations can use projects to group access based on teams, use cases, or environments (like development, staging, and production). Each organization starts with one project and can create up to ten projects. Projects within the same organization can share billing accounts.

Here are the essential characteristics of projects within TF Platform:

• TF Platform service quotas remain at the organization level, and are not enforced per project.

• An organization can have up to 10 projects.

• All tenants under the project must be deleted first to delete a project.

Steps to Create a Project:

1. Sign In Log into the TF Platform Portal and choose your organization.

2. Access Projects Navigate to Projects from the sidebar.

3. Create a New Project Click on the "Create a Project" option.

4. Enter Project Details Fill in the project display name and description.

5. Confirm Creation Click + Create project.

Key Considerations

• All tenants under the project must be deleted first to delete a project.

• Projects can be recovered within 30 days post-deletion. After this timeframe, all data will be permanently lost.

• Ensure you have the necessary administrative permissions to perform this action.

  It is advisable to notify all project members before deletion to ensure they are aware of the impending changes.

• A confirmation prompt will appear to verify the deletion request and ensure that the action is intentional.

Steps to Delete a Project:

1. Sign In Log into the TF Platform Portal and choose your organization.

2. Access Projects Navigate to Projects from the sidebar.

3. Locate Your Project

   • Select View Project to access project settings and find the project ID.

   • Expand the menu next to the project.

4. Select Delete Option Look for the Delete option within the project settings.

5. Confirm Deletion A confirmation prompt will appear. Review the warning and confirm that you want to delete the project.

6. Final Confirmation Once confirmed, the project will be marked for deletion, and you will have 30 days to recover it if needed.

Steps to create a tenant

Create a new tenant

1. Log into the TF Platform Portal and choose your organization.

2. Select Projects in the sidebar and select a project.

3. Click + Create tenant.

4. Enter the Tenant Display name and description.

5. Click + Create tenant.

Configuring CORS

1. Go to Projects: Access the "Projects" section within the platform.

2. Select the Tenant: Choose the tenant you wish to configure.

3. Access CORS Settings: Navigate to the CORS settings in the tenant's "Domains" section.

4. Allowed Origins: Specify up to 10 origins allowed to make cross-origin requests.

Configuration Examples:

• Subdomain Wildcard: https://*.example.com

• Environments:

  • Production: https://myapp.com

  • Local Development: http://localhost:4200

What is CORS?

Cross-Origin Resource Sharing (CORS) is a mechanism that allows web applications to make requests to resources hosted on different domains.

The platform lets you configure CORS at the tenant level, enabling precise control over cross-origin access for improved security and flexibility.

Best Practices

• Regularly review and update your CORS settings to align with security requirements.

• Always use HTTPS in production for secure communication.

• Avoid using the wildcard * in production; explicitly specify allowed origins.

Removing a Custom Domain

Step 1: Remove the Domain

• Select the custom domain you wish to remove.

• Click Delete. A confirmation dialog will appear.

Step 2: Confirm Deletion

• Review the warning, fill in the confirmation prompt, then click Delete again to confirm and finalize the removal.

Step 3: Update DNS Records

• Access your DNS provider's console after the domain is removed from the platform.

• Remove or unpoint the CNAME record linked to the deleted domain.

Steps to Configure a Custom Domain

1. Add Your Domain

• Navigate to Add New Domain.

• In the dialog, enter the domain name.

• Click Save to generate the required CNAME record for DNS setup.

2. Update DNS Settings

• Log in to your DNS provider’s management console.

• Add the generated CNAME record to your DNS zone.

• Ensure the CNAME value points to the target subdomain.tfplatform.com.

• Save the updated DNS configuration.

3. Domain Verification

• Return to the Domains page.

• Click Verify to confirm the DNS changes.

• When the domain is verified, a success message will indicate this. The status will update to “Verified” under the Domain tab.

DNS Configuration Tips and Troubleshooting

DNS Configuration Tips

• Ensure the CNAME or A record is accurately entered in your DNS settings.

• Confirm that the domain points to the generated CNAME provided by the TF Platform.

Verification Issues

If verification fails, the platform will provide troubleshooting steps. Common issues include:

• Propagation Delays: DNS changes may take time to propagate. Wait up to 5 minutes for verification and 48 hours for full propagation before retrying.

• Incorrect DNS Settings: Double-check that the records were entered correctly.

For persistent issues, consult your DNS provider’s documentation or our support team for further assistance. Following these steps will help ensure the successful configuration of your custom domain.

By default, your tenant will be assigned a platform subdomain ([subdomain].tfplatform.com).

However, we recommend setting up your own domain for an improved user experience. A custom domain can enhance your brand identity, build trust, and provide a more personalized experience for your end users.

Choose a subdomain

Here are some examples of domains you can set in the Platform.

Steps to Renew a Self-Managed Certificate

1. Monitor Expiration Date

   • Regularly check the expiration date of your certificate in the Certificates section.

2. Obtain a New Certificate

   • Before the expiration date, request a new SSL certificate from your Certificate Authority (CA).

3. Upload the New Certificate

   • Follow the steps above to upload the new SSL certificate and private key.

4. Verify and Save

   • Ensure the new certificate is valid, then click Save to apply the changes.

5. Confirm Successful Update

   • Review the Certificates section to verify that the new certificate is active and that the expiration date has been updated.

When configuring a custom domain, Automatic Certificate Management is enabled by default. You can also opt for Self-Managed Certificates. If you disable the active self-managed certificate, the system will automatically revert to Automatic Certificate Management to maintain security.

Automatic Certificate Management

By default, SSL/TLS certificates are automatically issued, renewed, and deployed. This guarantees that your domains remain secure without any manual effort.

Self-Managed Certificates

Self-managed certificates are suitable for:

• Origin Servers: Configuring SSL/TLS for secure communication between our service and your DNS provider.

• Custom Certificates: Providing your own certificates to meet specific requirements.

When setting up a reverse proxy with self-managed certificates to connect to the TF Platform, it's crucial to ensure that you use a supported TLS version and cipher suite. The TLS handshake, which is the communication between the server and client, specifies the TLS version and cipher suite. Using an unsupported version could lead to failure.

Supported TLS 1.3 Cipher Suites

• TLS_AES_128_GCM_SHA256

• TLS_AES_256_GCM_SHA384

• TLS_CHACHA20_POLY1305_SHA256

Steps to Configure Cloudflare

1. Sign Up for Cloudflare

   • Create a Cloudflare Account: If you don’t already have an account, sign up on Cloudflare's website.

   • Add Your Domain: Follow the prompts to add your domain to your account.

2. Update DNS Settings

   • Verify Domain Ownership: Follow the instructions to verify ownership, typically by adding a TXT record at your domain registrar.

   • Change DNS Records:

     • Go to the DNS tab in your Cloudflare dashboard.

     • Add or modify DNS records to point to your origin server using the following settings:

       • Type: A or CNAME

       • Name: Your subdomain (e.g., platform or www)

       • Value: Your origin server’s IP address or hostname

       • Proxy Status: Set to Proxied (indicated by the orange cloud icon).

3. Configure SSL/TLS Settings

   • Set SSL/TLS Mode: Navigate to the SSL/TLS tab and choose an appropriate mode (e.g., Full or Full (strict)). If you have added the origin server certificate as a custom certificate in the platform, use Full (strict).

   • Enable Always Use HTTPS: Turn on the Always Use HTTPS option to ensure secure connections.

4. Test Your Setup

   • Access Your Tenant: Ensure your tenant is accessible through the Cloudflare proxy. Verify that SSL/TLS functionality works and that requests are routing correctly to your origin server.

Steps to Add a Self-Managed Certificate

1. Access the Certificates Section

   • Navigate to the Domains page.

   • Locate and select the Certificates section.

2. Upload the Certificate

   • Click on the Upload Certificate option.

3. Input Certificate and Key

   • Enter SSL Certificate and Private Key:

     • Ensure your SSL certificate file is in PEM format (typically a .crt or .pem file).

     • Ensure your private key file is in PEM format (usually a .key file).

   • Copy and Paste Contents:

     • Copy the contents of your SSL certificate and paste them into the Certificate field.

     • Copy the contents of your private key and paste them into the Private Key field.

4. Save the Certificate

   • Click the Save button to upload the certificate

5. Review Certificate details

   • Common Name: A name for easy identification.

   • Issuer: The organization that issued the certificate.

   • Valid From: The start date of the certificate's validity.

   • Valid to: The certificate's expiration date.

   • Covered Domains: Domains secured by the certificate.

   • Thumbprint: A unique identifier for quick reference.

6. Activate the Certificate

   • After saving, ensure the certificate is activated by clicking the Activate button (if applicable) in the Certificates section. This step is essential for enabling secure connections using the newly uploaded certificate.

The users to which the organization will provide access through Public OAuth2 Clients.

The applications that the organization will provide access to through OAuth2 Clients.

The roles will be a mapping between the APIs of the organization, projects, billing, tenants, services & the permission required in sets.

Financial Reporter - Billing Read

The Platform Organization Event Feed displays select events for a given TF Platform organization, such as billing or organization events.

Categories

• Organization

• Projects

• Billing

• Tenants

• Domains

Implementation Help

Need help with implementing the TF Platform? Our team of experts is available to assist you. Simply email support@simptel.com with the subject line "TF Platform Implementation Help." Please include details about your implementation challenges, and we'll provide guidance, best practices, and solutions to address your technical needs.

General Support

For general inquiries, troubleshooting, or other support needs, please email us at support@simptel.com. Our support team is ready to assist with any questions or concerns.

Request Additional Service Quota

By default, each tenant is limited to 3000 requests per minute (RPM). An HTTP 429 status code will be returned if this tenant-wide rate limit is exceeded.

If you require a higher service quota to accommodate your business needs, our TF Platform Support team can assist. To request an increase in resources:

1. Prepare your tenant ID.

2. Send an email to support@simptel.com with the subject line "TF Platform Quota Request."

3. In the email body, include your Tenant ID and specify the details of the quota increase you are requesting.

How Rate Limiting Works

By default, each tenant is limited to 3,000 requests per minute. This limit is set to balance high-demand usage with overall system performance. The API will return an HTTP 429 Too Many Requests status code if a tenant exceeds this limit.

Rate Limit Headers

To manage your API usage effectively, the response headers include the following rate limit information:

• X-RateLimit-Limit: This indicates the maximum number of requests your tenant is allowed per minute (3,000 by default).

• X-RateLimit-Remaining: Shows the number of requests remaining within the current time window.

• X-RateLimit-Reset: Provides the time (in Unix epoch format) when the rate limit will reset, allowing you to resume making requests.

Example Response Headers:

X-RateLimit-Limit: 3000
X-RateLimit-Remaining: 450
X-RateLimit-Reset: 1632425760

Exceeding the Limit

If your tenant exceeds the allowed request limit, the API will respond with an HTTP 429 Too Many Requests status code. The response will include the rate limit headers, helping you understand when the limit will reset and when you can resume making requests.

Example Response:

HTTP/1.1 429 Too Many Requests
X-RateLimit-Limit: 3000
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1632425760

Best Practices for Managing Rate Limits

To avoid hitting the rate limit and ensure smooth API usage, follow these best practices:

• Implement Retry Logic: If you encounter an HTTP 429 response, use the X-RateLimit-Reset Header to determine when you can safely retry your requests. Based on the reset time, implement a retry mechanism with an appropriate delay.

For information on requesting a higher service quota, please refer to our Request Additional Service Quota section.

Steps to Create a Prepaid Billing Account

1. Sign In: Log in to your account with your credentials.

2. Select Organization: Choose the appropriate organization from the list if you belong to multiple.

3. Access Billing Settings: Navigate to the settings menu and select Billing Accounts under Billing.

4. Choose Self-service (Prepaid): Select the Self-service (Prepaid) option, which is the default.

5. Link Payment Method via Stripe: Add a payment method through Stripe by following the on-screen prompts.

6. Provide Account Details: Fill in any additional required information, such as your billing address.

7. Enable Auto Top-up (Optional): Set up auto top-up by choosing a threshold balance and payment method for automatic replenishment.

8. Review Your Information: Check that all provided information is accurate.

9. Submit Your Request: Click the Create Account button to finalize your prepaid billing account setup.

10. Check for Confirmation: Look for a confirmation message or email verifying successful account creation.

Overview

The Future Platform operates on a pay-as-you-go model, meaning you only pay for the resources and services your projects use. A billing account is required to activate and manage your projects.

Types of Billing Accounts

1. Prepaid (Default)

   • Overview: The default option, which allows you to pay in advance for services, gives you full control over your budget.

   • Key Features:

     • Auto top-up: Automatically replenishes your account when it reaches a specified balance, ensuring uninterrupted service.

2. Postpaid

   • Overview: This option is available only with a fixed-term contract and is designed for businesses with consistent usage.

   • Requirements:

     • A signed contract and an initial downpayment covering two months of service.

     • Invoices are issued at the end of each billing cycle.

   • Support: For assistance with postpaid accounts, don't hesitate to get in touch with our support team.

Pricing Information

For a detailed breakdown of platform usage costs, refer to the pricing sheet provided by your technical account manager. Key pricing components include:

• Monthly Active Users (MAU)

• Token Operations

• Audit Operations

• Rate Limits

• Data Transfer

• Data Storage

Consumption is tied to the projects associated with your billing account and will be invoiced accordingly.

Need Help?

If you have any questions or need assistance with prepaid or postpaid billing accounts, please contact our support team.

Header-Based Versioning

For our APIs, versioning is handled through header-based versioning. This approach lets you specify the API version you want to use without altering the URL structure.

To use a specific version, include the following header in your requests:

API-Version: 1.0.0

If you omit the version header, the latest stable version of the API will be used by default.

Semantic Versioning

We use semantic versioning (semver), which follows the format {major}.{minor}.{patch}. Each component of the version number indicates the nature of changes:

• Major (X.0.0): Introduces breaking changes that are not backward-compatible. You may need to update your implementation when the major version changes.

• Minor (X.Y.0): Adds new, backward-compatible features. Updating to a new minor version should not break existing functionality but testing is advised.

• Patch (X.Y.Z): Applies bug fixes or minor improvements that do not alter the API's core behavior. These are typically safe to apply without concern for compatibility issues.

Examples: 1.2.0, 2.0.3, 3.1.1.

API Request Example

To specify a version when making API requests, you use the TF-API-Version header:

GET https://your-domain.com/api/resource
Host: your-domain.com
API-Version: 1.2.3

Best Practices for Production

For production environments, we recommend specifying the full version (major.minor.patch) in the API-Version header. This ensures that unexpected updates do not affect your system and performs consistently with the version you have tested.

Version Tags

All TF Platform open-source components follow semantic versioning, and releases are tagged accordingly in repositories. Versions are prefixed with "v" (e.g., v2.3.1).

Steps to Disable a Billing Account

1. Sign In to Your Account: Log in to your account on the TF Platform.

2. Select Your Organization: If you belong to multiple organizations, choose the appropriate organization from the list.

3. Navigate to Billing Settings: Go to the settings menu and select Billing Accounts under the Billing section.

4. Select Your Billing Account: Choose the billing account you wish to disable.

5. Initiate Closure: Look for the option to Disable Billing Account and follow the on-screen prompts.

6. Confirm Closure: Review the consequences of closing your account and confirm your decision.

7. Check for Confirmation: Ensure you receive a confirmation message or email verifying that your billing account has been successfully closed.

TF Platform Billing accounts cannot be deleted. When you close your TF Platform Billing account, the account information is retained for reporting and auditing purposes.

To prevent your TF Platform Billing account from accruing charges, you can either:

• Disable the TF Platform account.

• Unlink the billing account from associated projects.

If you need to change the payment method linked to your TF Platform Billing account, you can manage your payment options in the Billing Accounts section.

Integrate with Microsoft Sentinel, Datadog, Splunk, and other SIEM platforms to stream and monitor security events across your organization's projects and tenants in real-time. Set up custom alerts and store detailed event logs for compliance.

How It Works:

1. Connect the platform to your SIEM using APIs or custom integrations.

2. Stream events and logs to your SIEM.

3. SIEM analyzes events for threats or anomalies.

4. Alerts and reports are generated based on event analysis.

Supported SIEMs:

• Microsoft Sentinel

• Datadog

• Splunk

• QRadar

• LogRhythm

Connections of third-party applications with TF Platform, which are templated or already pre- developed.

SCIM Workflow with OAuth2 Client Integration:

When implementing SCIM, the TF platform will create a confidential OAuth2 client to securely call the platform's APIs during synchronization.

Example Workflow for SCIM Integration Push strategy:

1. HR System Updates: The HR system updates an employee’s status (e.g., a new employee is added, or an existing employee is terminated).

2. Push to TF Platform: The HR system sends a SCIM API request to the TF platform with the updated user data, using the confidential OAuth2 client to authenticate and authorize the request.

3. TF Platform Receives Data: The TF platform processes the incoming data, ensuring the employee has the appropriate permissions or is immediately deactivated if terminated.

4. Real-time Synchronization: Any associated systems or applications that rely on user data are updated instantly through the exact push mechanism.

Setting Up SCIM

1. Create SCIM Push application.

2. Shows the under-the-hood points. It will automatically make OAuth2 client creation

3. wait for the first sync...

4. After successfully synced, it will show a green check (Reference Integration Health Status in Fleans his design)

To securely authenticate and authorize SCIM API requests, the OAuth2 Confidential client requires the following scopes:

• users:read – Read user data (e.g., profiles, attributes).

• users:write – Create, update, or delete user accounts.

• groups:read – Read group data.

• groups:write – Create, update, or manage groups.

• scim:read – Read SCIM resources (users and groups).

• scim:write – Update SCIM resources (users and groups).

• scim:admin (Optional) – Admin-level access for managing SCIM resources.

Push Model Workflow:

1. HR System Updates: The HR system updates user data (e.g., new hire, role change, termination).

2. HR System Pushes Data to TF Platform: The HR system sends SCIM API requests with updated data, authenticated via OAuth2 client with the necessary scopes.

3. TF Platform Receives Data: TF platform processes the update, applying changes to user profiles and group memberships.

4. Real-Time Synchronization: Associated systems are updated immediately.

When you map organizations to your Identity Provider, TF Platform grants users who authenticate through the Identity Provider membership in the selected organizations

To enable secure authentication and authorization using OpenID Connect to outsource User Authentication, the external OAuth2 client requires the following OIDC-specific scopes:

• openid – Grants permission for basic authentication (essential for OIDC).

• profile – Access to the user’s basic profile information (e.g., name, email).

• email – Access to the user’s email address.

• groups (optional) – Access to group membership information.

• offline_access (optional) – Allows the client to refresh the user’s session.

Interface to register this external OAuth2 client.]

This happens at the external Identity Provider (the above points)