Single sign-on options¶
Zero Touch PKI requires SSO authentication through an identity provider (IdP). It supports Microsoft Entra, Okta Single Sign-On, and PingFederate through OpenID Connect (OIDC) and other IdPs through Security Assertion Markup Language (SAML).
To configure an IdP, you register Zero Touch PKI as an application and send CyberArk the credentials (for OIDC) or metadata (for SAML). We add the IdP to your instance and provide the URL where users will sign in.
Sign-in URLs
Your sign-in URL is based on your instance location:
- Americas: https://ztpki.venafi.com/login/<your-login-alias>
- Europe: https://ztpki.eu.venafi.com/login/<your-login-alias>
- Australia: https://ztpki.au.venafi.com/login/<your-login-alias>
How authentication works¶
Zero Touch PKI acts as the service provider (relying party) and initiates authentication with your IdP using this flow:
- A user visits your instance URL.
- Zero Touch PKI redirects the user to your IdP, where they sign in with their organization's credentials.
- The IdP returns the user to the Zero Touch PKI callback URI, and Zero Touch PKI maps them to an account and grants access.
Prerequisites¶
- An understanding of how to configure a web application in your IdP.
- The redirect URI for your instance location. Your IdP returns authenticated users to Zero Touch PKI at one of these addresses:
  - Americas: https://zerotouchpki.us.auth0.com/login/callback
  - Europe: https://zerotouchpki.eu.auth0.com/login/callback
  - Australia: https://zerotouchpki.au.auth0.com/login/callback
  Register the URI exactly as shown (scheme, host and path). IdPs compare redirect URIs as exact strings, so a trailing slash or an http:// scheme causes the callback to be rejected at sign-in.
- For OIDC IdPs, the ability to securely send CyberArk the application secret. Use a one-time secret-sharing service such as 1ty.me instead of putting the secret in an email.
Microsoft Entra¶
To configure Microsoft Entra using OIDC:
- Register Zero Touch PKI as an application: Create a web application in Microsoft Entra, using the Zero Touch PKI callback URI for your instance location as the redirect URI. See Register an application.
- Create a secret: Add a client secret to the application. See Add credentials to an app. Client secrets in Microsoft Entra have an expiry date; record it so you can rotate the secret with CyberArk before it expires and sign-in stops working.
- Grant permissions: Grant the appropriate permissions for your organization. See Add permissions.
  To enable extended attributes such as Extended Profile or Security Groups, add these Microsoft Graph API permissions:
  - Users > User.Read: Your app can sign in users and read their profiles.
  - Directory > Directory.Read.All: Your app can read directory data on a user's behalf.
- Send credentials to CyberArk: Email the following to ztpki-onboarding@cyberark.com:
  - Azure AD Domain Name: Your tenant's domain name (for example, <your-tenant-name>.onmicrosoft.com).
  - Application (client) ID: The application's unique ID.
  - Directory (tenant) ID: The ID of the Microsoft Entra directory containing the application.
  - Client secret: The application secret, sent with a secure one-time service rather than in the email body.
After you send this information, CyberArk integrates the IdP and sends your Zero Touch PKI instance URL.
Okta Single Sign-On¶
To configure Okta Single Sign On using OIDC:
- Register Zero Touch PKI as an application: Create a web application in Okta, choosing client-secret authentication and adding the Zero Touch PKI callback URI for your instance location as a Sign-in redirect URI. See Create OpenID Connect app integrations.
- Send credentials to CyberArk: Email application credentials to ztpki-onboarding@cyberark.com:
  - Client ID: The public identifier for the application.
  - Issuer URL: The OIDC issuer of your Okta authorization server, given as its discovery URL, for example https://your-app.example.com/.well-known/openid-configuration.
  - Client secret: The application secret, sent with a secure one-time service rather than in the email body.
After you send this information, CyberArk integrates the IdP and sends your Zero Touch PKI instance URL.
PingFederate¶
To configure PingFederate using OIDC:
- Register Zero Touch PKI as an application: Add a new client in PingFederate, choosing client-secret authentication and providing the Zero Touch PKI callback URI for your instance location as the redirect URI. See Setting up an OIDC application in PingFederate.
- Send credentials to CyberArk: Email application credentials to ztpki-onboarding@cyberark.com:
  - Client ID: The public identifier for the application.
  - Issuer URL: The OIDC issuer of your PingFederate client, given as its discovery URL, for example https://your-app.example.com/.well-known/openid-configuration.
  - Client secret: The application secret, sent with a secure one-time service rather than in the email body.
After you send the credentials, CyberArk integrates the IdP and sends your Zero Touch PKI instance URL.
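Before emailing the details above (and the redirect URI from Prerequisites) to CyberArk, it is worth checking them locally: the issuer you send must serve an OIDC discovery document whose `issuer` value is exactly that URL, the document must offer the authorization code flow with client-secret authentication, and the callback URI must be registered on the application verbatim. The following Python is an added example, not CyberArk's or any IdP vendor's code. The callback URIs are the ones listed under Prerequisites; the issuer `https://login.example.com/oauth2/default` and the discovery document are constructed sample data in the shape of an Okta-style authorization server, not a real tenant.

```python
"""Pre-flight checks for a Zero Touch PKI OIDC integration.

Added example; not CyberArk's or the IdP vendors' code. The issuer and
discovery document are constructed sample data (assumed Okta-style host).
"""
from urllib.parse import urlsplit

# Zero Touch PKI callback URIs by instance location (listed under Prerequisites).
CALLBACK_URIS = {
    "americas": "https://zerotouchpki.us.auth0.com/login/callback",
    "europe": "https://zerotouchpki.eu.auth0.com/login/callback",
    "australia": "https://zerotouchpki.au.auth0.com/login/callback",
}

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def discovery_url(issuer: str) -> str:
    """OIDC Discovery: the configuration is served at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + DISCOVERY_SUFFIX


def issuer_from_discovery_url(url: str) -> str:
    """Inverse of discovery_url, for the form the page asks you to send."""
    if not url.endswith(DISCOVERY_SUFFIX):
        raise ValueError("not a discovery URL: " + url)
    return url[: -len(DISCOVERY_SUFFIX)]


def check_discovery(issuer: str, doc: dict) -> list[str]:
    """Problems with a discovery document for a confidential web client
    using the authorization code flow (what Zero Touch PKI needs)."""
    problems = []
    if urlsplit(issuer).scheme != "https":
        problems.append("issuer must use https")
    # OIDC Discovery 4.3: the issuer claim must equal the URL used to fetch it.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{key} must use https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not offered")
    # When the field is absent the spec default is client_secret_basic.
    methods = set(doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"]))
    if not methods & {"client_secret_basic", "client_secret_post"}:
        problems.append("token endpoint does not accept a client secret")
    scopes = doc.get("scopes_supported")
    if scopes is not None and "openid" not in scopes:
        problems.append("openid scope not advertised")
    return problems


def check_redirect_uris(region: str, registered: list[str]) -> list[str]:
    """The callback for the region must be registered verbatim: IdPs compare
    redirect URIs as exact strings, so near-misses are rejected at sign-in."""
    expected = CALLBACK_URIS[region]
    if expected in registered:
        return []
    near = [u for u in registered if u.rstrip("/").lower() == expected.lower()]
    if near:
        return [f"redirect URI {near[0]!r} is not an exact match for {expected!r}"]
    return [f"redirect URI {expected!r} is not registered"]


def preflight(region: str, issuer: str, doc: dict, registered: list[str]) -> list[str]:
    """All findings for one instance location; an empty list means ready to send."""
    return check_discovery(issuer, doc) + check_redirect_uris(region, registered)


# Constructed sample: an Okta-style custom authorization server (assumed host).
SAMPLE_ISSUER = "https://login.example.com/oauth2/default"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/v1/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/v1/token",
    "jwks_uri": SAMPLE_ISSUER + "/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

if __name__ == "__main__":
    print("issuer URL to send CyberArk:", discovery_url(SAMPLE_ISSUER))
    # Europe instance whose callback was registered with a stray trailing slash.
    for p in preflight("europe", SAMPLE_ISSUER, SAMPLE_DISCOVERY,
                       ["https://zerotouchpki.eu.auth0.com/login/callback/"]):
        print("problem:", p)
```

Against a real IdP, fetch `discovery_url(issuer)` over HTTPS, parse the JSON body and pass it to `preflight` together with the redirect URIs shown on the application's registration page; the issuer mismatch check catches the common mistake of sending a bare tenant host when the application lives under a custom authorization server path.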
SAML IdPs¶
To configure any IdP using SAML:
- Register Zero Touch PKI as an application: Add Zero Touch PKI to your SAML IdP. For an example of SAML setup, see Configuring a SAML application in PingFederate.
- Send metadata to CyberArk: Email a link to your IdP's SAML metadata file to ztpki-onboarding@cyberark.com. CyberArk replies with your sign-in and sign-out URLs and your Signing Certificate.
- Complete the setup in your SAML IdP using the information CyberArk sent.