About single sign-on

Zero Touch PKI supports single sign-on authentication through an identity provider (IdP) of your choice. It supports both OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) providers.

To configure single sign-on, you register Zero Touch PKI as an application in your identity provider and enter the credentials in Zero Touch PKI.

How authentication works

Zero Touch PKI acts as the service provider (the relying party, in OIDC terms) and initiates authentication with your IdP using this flow:

  1. A user visits your instance URL.
  2. Zero Touch PKI redirects the user to your IdP, where they enter credentials such as an email address.
  3. The IdP returns the user to Zero Touch PKI, which maps them to their assigned role and grants access.

OIDC and SAML

OIDC and SAML have different configuration processes. With OIDC, you create a web application in your IdP and enter its client ID, client secret, and issuer URL in Zero Touch PKI. With SAML, you provide the IdP metadata file and Zero Touch PKI uses it to configure the connection.

Microsoft Entra

Microsoft Entra uses OIDC, but its integration is documented separately because it uses vendor-specific terminology.

Next steps

To configure an identity provider, see the following: