Configuring SAML identity providers

Zero Touch PKI supports single sign-on through SAML identity providers (IdPs) such as PingFederate. To use SAML, you create a SAML application in your identity provider using service provider details from Zero Touch PKI. Then, you complete the configuration in Zero Touch PKI and test the integration.

Prerequisites

  • An understanding of how to register web applications in a SAML IdP.
  • The sign-in URL for your Zero Touch PKI instance.
  • A Zero Touch PKI Account Admin role.
  • (Optional) Parent and child accounts in Zero Touch PKI. If creating separate applications for multiple accounts, complete this tutorial once for each account.

Step 1: Collect service provider details from Zero Touch PKI

  1. Sign in to Zero Touch PKI.

  2. Click Admin > Accounts.

  3. In Select an account to work on, select your Zero Touch PKI account.

  4. In SSO Config, click the pencil icon.

  5. In Modify SSO Config, under Type, select SAML.

  6. In Modify SSO Config, under Service Provider Details, securely save the following for the next step, leaving the browser window open:

    • Reply URL (Assertion Consumer Service URL): Endpoint where your IdP sends the SAML response when a user signs in.
    • Signing Certificate: Public certificate enabling your IdP to validate signed SAML requests or metadata.
    • Identifier (Entity ID): Unique string that identifies Zero Touch PKI to your IdP during SAML exchanges.

Step 2: Configure Zero Touch PKI as a SAML application

In your SAML identity provider, add Zero Touch PKI as a SAML application. During configuration, add the service provider details saved from Zero Touch PKI.

While registering the application, securely save the following for the next step:

  • IdP Sign-In (SSO) URL: The endpoint where Zero Touch PKI redirects users to authenticate.
  • IdP Signing Certificate: The public certificate your IdP uses to sign SAML assertions.

Configuring specific identity providers

Application configuration varies across SAML providers. For an example, see Configuring a SAML application in PingFederate.

Step 3: Complete configuration in Zero Touch PKI

  1. If Zero Touch PKI is not already open, sign in and click Admin > Accounts.

  2. In Select an account to work on, select your Zero Touch PKI account.

  3. In SSO Config, click the pencil icon.

  4. (Optional) In Modify SSO Config, edit the Slug, which is based on your account name and appears at the end of your sign-in URL, for example https://ztpki.venafi.com/login/your-account-name.

  5. Under Options, select Enable Testing to temporarily enable password sign-in.

    Disable password sign-in after testing

    Use password sign-in during testing to maintain access while you configure SSO. Disable it before your instance goes live.

  6. Under Identity Provider Details, enter the following:

    • Sign-In Endpoint: The SAML SSO URL from your IdP where users are redirected to authenticate.
    • Signing Cert: The public signing certificate for your IdP used to verify SAML assertions.

  7. Click Save SSO Config. Under SSO Configuration, your SSO status appears, with a Direct Login URL.

Step 4: Test the instance and disable password sign-in

  1. In a private browser window, go to the instance URL and click Use Connection. If configured correctly, the Zero Touch PKI dashboard appears.

  2. Click Admin > Accounts.

  3. In Select an account to work on, select your Zero Touch PKI account.

  4. In SSO Config, click the pencil icon.

  5. In Modify SSO Config, under Options, clear Enable Testing to disable password sign-in.