Onboarding runbook (IT admin)

This is the canonical runbook the Onboarding Portal walks you through. It’s also reproducible end-to-end via the Claresia API for customers who prefer programmatic onboarding (CI/CD, Terraform, Ansible).

Audience: IT admin (Persona P2)

Time: 30–90 minutes (Mode A/B); spans days for Mode C BYOC.

Pre-reqs: signed contract; access to your IdP admin; access to your LLM platform admin.

  1. Click the welcome-email link. You arrive at onboarding.claresia.com/{tenant_slug}?token=... with a 10-step progress bar.

  2. Sign in via your corporate SSO. WorkOS handles the IdP redirect. ~30s.

  3. Confirm tenant details — display name, region, deployment mode, billing contact, support tier. Click Confirm. ~2 min.

  4. Configure SSO — paste SAML metadata URL or upload SAML XML or enter OIDC discovery URL. Click Test login. See:

  5. Configure SCIM — copy the SCIM endpoint URL + bearer token from the portal. Paste into your IdP’s SCIM provisioning panel. Click Sync now. See SCIM 2.0 reference. ~5 min.

  6. Connect LLM platform — pick from:

    For each, paste the credential + click Test connection. ~10–15 min total.

  7. Provision Hub. Mode A: 1-click (~30s). Mode B: choose region, generate CMEK key, click Provision (~3–5 min). Mode C: paste mTLS endpoint URL + customer cert from your Terraform output (~5 min). See Storage backends. ~5–15 min.

  8. Map roster to archetypes — auto from SCIM (recommended) or upload CSV. cc-061 archetype classifier achieves >99% on most rosters. Review unmatched rows. ~10–30 min depending on size.

  9. Confirm skill entitlements — per-archetype defaults are pre-generated from the Cowork pack you chose (or auto-selected). Toggle off any policy-blocked skills. Click Publish. See Skill catalog. ~10–20 min.

  10. Run smoke test — portal opens an in-app guide:

    Now go to your LLM and type @claresia.gatespic.pipeline-hygiene.

    Portal listens for the telemetry event. When it lands: green check + congratulations + links to Command Center, Hub, CSM Slack/Teams Connect channel. ~5 min.

| Step | Layer touched | governance_event emitted |
|---|---|---|
| 1 — link click | Identity | auth.login (token-grant) |
| 2 — SSO | Identity | auth.login |
| 3 — confirm | Command Center | tenant.config_changed |
| 4 — SSO config | Identity | connector.added(scim_idp) |
| 5 — SCIM sync | Identity | roster.scim_sync_completed |
| 6 — LLM connect | Distribution Plane | connector.added(llm) |
| 7 — Hub provision | Hub | hub.provisioned, cmek.key_created (Mode B) |
| 8 — roster map | Roster | rbac.archetype_assigned per user |
| 9 — entitlement | Skill entitlement | skill.entitlement_changed |
| 10 — smoke test | All 6 | tenant.live |

Every event is co-signed and queryable via the Hub API — the IT admin’s audit trail starts the moment they click the welcome link.
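The step-to-event table can be turned into a completeness check over an exported audit trail, flagging any onboarding step whose event is missing or was logged out of step order. This is an added example, not Claresia's own code: the JSON-lines export, the `ts` and `type` field names, and the use of each table entry as the literal event type are assumptions, and the sample records are constructed.

```python
import json

# Step -> governance events, copied from the runbook table. Events within one
# step may arrive in either order; the steps themselves must appear in order.
STEPS = {
    1: ["auth.login"], 2: ["auth.login"], 3: ["tenant.config_changed"],
    4: ["connector.added(scim_idp)"], 5: ["roster.scim_sync_completed"],
    6: ["connector.added(llm)"],
    7: ["hub.provisioned", "cmek.key_created"],  # key event: Mode B only
    8: ["rbac.archetype_assigned"], 9: ["skill.entitlement_changed"],
    10: ["tenant.live"],
}

def audit_gaps(jsonl, mode):
    """Return [(step, event_type)] for events missing or out of step order."""
    records = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    # Assumed: "ts" is a same-format UTC string, so string order is time order.
    types = [r["type"] for r in sorted(records, key=lambda r: r["ts"])]
    gaps, pos = [], 0
    for step, wanted in STEPS.items():
        found = []
        for etype in wanted:
            if etype == "cmek.key_created" and mode != "B":
                continue
            try:
                found.append(types.index(etype, pos))
            except ValueError:
                gaps.append((step, etype))
        if found:
            pos = max(found) + 1  # later steps must be logged after this one
    return gaps

def sample(types):
    """Build constructed JSON-lines records, one minute apart."""
    return "\n".join(json.dumps({"ts": f"2025-01-01T09:{i:02d}:00Z", "type": t})
                     for i, t in enumerate(types))

HEAD = ["auth.login", "auth.login", "tenant.config_changed",
        "connector.added(scim_idp)", "roster.scim_sync_completed",
        "connector.added(llm)"]
COMPLETE_B = sample(HEAD + ["cmek.key_created", "hub.provisioned",
    "rbac.archetype_assigned", "rbac.archetype_assigned",
    "skill.entitlement_changed", "tenant.live"])
# Constructed failure: no CMEK event, and tenant.live logged before step 9.
BROKEN = sample(HEAD + ["hub.provisioned", "rbac.archetype_assigned",
    "tenant.live", "skill.entitlement_changed"])

if __name__ == "__main__":
    print(audit_gaps(COMPLETE_B, "B"), audit_gaps(BROKEN, "B"))
```

A non-empty result for step 10 means `tenant.live` was recorded before an earlier step's event, which is worth raising with your CSM before pilot launch.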

If you prefer Terraform / CI / scripts:

# 1. Authenticate as a service account (after Step 1-3 in portal)
export CLARESIA_TOKEN=$(curl -X POST ...)
# 2. Configure SSO via API
curl -X POST https://api.claresia.com/api/v1/identity/sso/configure ...
# 3. Configure SCIM
curl -X POST https://api.claresia.com/api/v1/identity/scim/configure ...
# 4. Connect LLM
curl -X POST https://api.claresia.com/api/v1/llm/connectors ...
# 5. Provision Hub
curl -X POST https://api.claresia.com/api/v1/hub/provision ...
# 6. Sync roster
curl -X POST https://api.claresia.com/api/v1/roster/scim:sync ...
# 7. Apply Cowork
curl -X POST https://api.claresia.com/api/v1/skill-entitlement/coworks/.../apply ...
# 8. Trigger republish
curl -X POST https://api.claresia.com/api/v1/skill-entitlement/distribution:republish ...
# 9. Validate
curl https://api.claresia.com/api/v1/observability/tenant-health

Full Terraform module: terraform-claresia-tenant. Pinned to your subscription config in the Onboarding Portal Step 3.

Open Command Center and check:

  • Identity tab — SSO connection green, SCIM last-sync within last hour
  • Distribution tab — at least one platform connected, last publish within last 60s
  • Hub tab — provisioned, CMEK key shown (Mode B), tenant_id shown
  • Roster tab — user count > 0, unmatched count = 0
  • Skills tab — skills in published state, archetype grants set
  • Telemetry tab — at least one event from the smoke test
  • Audit log — tenant.live event present

If any of these are red, do not proceed to pilot launch. Talk to your CSM.

| Symptom | Cause | Fix |
|---|---|---|
| Portal magic link expired | 24h TTL exceeded | Request fresh link from CSM (Slack/Teams Connect) |
| SSO test fails | IdP attribute mapping missing email | See Identity → Overview |
| SCIM sync 0 users | Users not assigned to Claresia app | Assign in IdP, retry |
| LLM connect fails | API key scope insufficient | Re-mint with admin scopes (per-platform docs) |
| Smoke test event never lands | LLM platform audit ingest delay | Wait 5 min p95; check status page |

After Step 10 completes:

  • Forward End-user guides to your pilot users
  • Bookmark status.claresia.com for proactive alerts
  • Subscribe to Trust Center email digest
  • Schedule the pilot mid-check-in with your CSM
  • If Mode C, confirm your customer-side backup/restore runbooks (see Backup + restore)