Configuring OIDC identity providers¶
Zero Touch PKI supports single sign-on through OpenID Connect (OIDC) identity providers (IdPs) such as PingFederate and Okta. To use OIDC, you register Zero Touch PKI as an application in the IdP and add the application details to Zero Touch PKI. Then, you test the integration.
Prerequisites¶
- An understanding of how to register web applications in your OIDC identity provider.
- The sign-in URL for your Zero Touch PKI instance.
- A Zero Touch PKI Account Admin role.
- (Optional) Parent and child accounts in Zero Touch PKI. If creating separate applications for multiple accounts, complete this tutorial once for each account.
- The redirect URI for your Zero Touch PKI instance, based on its region:
  - Americas: https://zerotouchpki.us.auth0.com/login/callback
  - Europe: https://zerotouchpki.eu.auth0.com/login/callback
  - Asia-Pacific: https://zerotouchpki.au.auth0.com/login/callback
Step 1: Register Zero Touch PKI as an application¶
In your IdP, register a new OIDC web application. You'll need to configure client secret authentication and supply your Zero Touch PKI redirect URI to return authenticated users to Zero Touch PKI.
While registering the application, securely save the following for the next step:
- Client ID: The public identifier for the application that Zero Touch PKI uses to initiate authentication.
- Client secret: The application secret you get when you configure secret-based authentication.
- Issuer URL: The application URL, which identifies the IdP's well-known configuration file. For example, https://your-app.example.com/.well-known/openid-configuration.
Configuring specific identity providers
OIDC configuration steps vary by identity provider. For specific steps, see the following third-party documentation:
- PingFederate: See Setting up an OIDC application in PingFederate.
- Okta: See Create OpenID Connect app integrations.
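Before entering the Issuer URL in the next step, it is worth checking that the IdP's well-known configuration actually advertises what Zero Touch PKI needs: an `issuer` that matches the URL, HTTPS endpoints, and client secret authentication at the token endpoint. The following pre-flight check is an added example, not Zero Touch PKI or vendor code; the discovery documents are constructed samples and the region names are assumptions.

```python
"""Pre-flight check of an OIDC discovery document before configuring SSO (added example)."""
import json
from urllib.parse import urlparse

# Redirect URIs Zero Touch PKI requires per region (from the prerequisites above).
REDIRECT_URIS = {
    "americas": "https://zerotouchpki.us.auth0.com/login/callback",
    "europe": "https://zerotouchpki.eu.auth0.com/login/callback",
    "asia-pacific": "https://zerotouchpki.au.auth0.com/login/callback",
}
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
WELL_KNOWN = "/.well-known/openid-configuration"


def redirect_uri_for(region: str) -> str:
    """Return the callback URI to register in the IdP for the given region."""
    return REDIRECT_URIS[region.strip().lower()]


def check_discovery(issuer_url: str, discovery_json: str) -> list:
    """Return the problems found in the IdP's discovery document ([] means OK)."""
    problems = []
    doc = json.loads(discovery_json)
    # The 'issuer' claim must equal the URL the document was fetched from, minus the suffix.
    expected_issuer = issuer_url.removesuffix(WELL_KNOWN).rstrip("/")
    if doc.get("issuer", "").rstrip("/") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")
        elif urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    # Zero Touch PKI authenticates with a client secret; the IdP must accept one at the
    # token endpoint. Per the OIDC Discovery spec, an absent list defaults to client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if not {"client_secret_basic", "client_secret_post"} & set(methods):
        problems.append("token endpoint does not accept client secret authentication")
    return problems


# Constructed sample discovery documents (not from a real IdP).
SAMPLE_GOOD = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/as/authorize",
    "token_endpoint": "https://idp.example.com/as/token",
    "jwks_uri": "https://idp.example.com/pf/JWKS",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
})
SAMPLE_BAD = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/as/authorize",
    "token_endpoint": "http://idp.example.com/as/token",  # plain http, no jwks_uri
    "token_endpoint_auth_methods_supported": ["private_key_jwt"],
})
```

Run `check_discovery("https://idp.example.com" + WELL_KNOWN, SAMPLE_BAD)` to see the three findings a misconfigured IdP would produce; a good document returns an empty list.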
Step 2: Configure single sign-on in Zero Touch PKI¶
1. Sign in to Zero Touch PKI.
2. Click Admin > Accounts.
3. In Select an account to work on, select your Zero Touch PKI account.
4. In SSO Config, click the pencil icon.
5. (Optional) In Modify SSO Config, edit the Slug, which is based on your account name and appears at the end of your sign-in URL, for example https://ztpki.venafi.com/login/your-account-name.
6. In Modify SSO Config, under Type, select OIDC.
7. Under Options, select Enable Testing to temporarily enable password sign-in.
   Disable password sign-in after testing
   Use password sign-in during testing to maintain access while you configure SSO. Disable it before your instance goes live.
8. Under Application Details, enter the Client ID and Client Secret from your IdP application.
9. Under Identity Provider Details, enter the Issuer URL from your IdP application.
10. Click Save SSO Config. Under SSO Configuration, your SSO status appears, with a Direct Login URL.
About direct login URLs
The direct login URL where users access your instance combines its location and the account slug:
- Americas: https://ztpki.venafi.com/login/your-account-name
- Europe: https://ztpki.eu.venafi.com/login/your-account-name
- Australia: https://ztpki.au.venafi.com/login/your-account-name
Step 3: Test the instance and disable password sign-in¶
1. In a private browser window, go to the instance URL and click Use Connection. If configured correctly, the Zero Touch PKI dashboard appears.
2. Click Admin > Accounts.
3. In Select an account to work on, select your Zero Touch PKI account.
4. In SSO Config, click the pencil icon.
5. In Modify SSO Config, under Options, clear Enable Testing to disable password sign-in.