Enforce SaaS access with device identity
User credentials alone aren’t enough. Smallstep adds a frictionless second layer of trust to every SaaS login by verifying hardware-bound device certificates. Every authentication is tied directly to a trusted, company-approved machine—delivering true Zero Trust security across SaaS apps like Salesforce, GitHub, Dropbox, and more. Protect critical data without slowing your team down.
SMALLSTEP ENTERPRISE RELAY
Protect SaaS apps with Smallstep Relay
Smallstep Enterprise Relay ensures only your company-owned devices can access SaaS and private network resources. Leveraging standards-based private MASQUE relay servers [RFC9298], hardware-attested device certificates, and mutual TLS, Smallstep provides the highest level of assurance that only authorized endpoints reach sensitive resources. Compatible with any SaaS app supporting IP allow lists, Smallstep Enterprise Relay makes enforcing trusted device policies simple and secure.
A fast, secure replacement for traditional VPNs
Smallstep Enterprise Relay proxies traffic only for the domains you specify—like Salesforce or GitHub—routing them through a dedicated tunnel. This precision approach replaces broad VPN subnets with granular, app-level controls, preventing lateral movement and improving security while streamlining connectivity.
Granular Zero Trust access
Smallstep Enterprise Relay proxies traffic for a set of domains, letting you specify exactly which SaaS apps (for example, salesforce.com or github.com) must pass through a dedicated tunnel. This method prevents lateral movement and replaces broad VPN subnets with precise, app-level controls.
Hardware-bound credentials
Enterprise Relay works with SaaS IP allowlists. Outbound traffic is restricted to your managed egress IP. Each user device gets a short-lived certificate pinned to its hardware (TPM, Secure Enclave), blocking unauthorized endpoints or personal machines from sneaking into your SaaS apps.
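The enforcement mechanism the two sections above describe (a per-device certificate that a relay checks over mutual TLS before any traffic is proxied) can be shown end to end in a few lines of Go. The following is an added example and not Smallstep's code: a hypothetical in-memory CA issues short-lived client certificates, and a one-shot loopback listener configured for mutual TLS admits only a device whose certificate chains to that CA and is still inside its validity window. A device with no certificate, an expired one, or one signed by a different issuer is refused at the handshake. The CA, the `relay.example` name, the device names and the loopback listener are all constructed for this example; the keys here are software keys so the example runs anywhere, whereas in the deployment the page describes the private key sits in a TPM or Secure Enclave, which is what makes the credential non-exportable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// DeviceCA is a hypothetical in-memory issuer constructed for this example; it is not Smallstep's CA.
type DeviceCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	Pool *x509.CertPool // trust anchor shared by the relay and the devices
}

// NewDeviceCA creates a self-signed CA with a fresh P-256 key.
func NewDeviceCA() (*DeviceCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate just above
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &DeviceCA{cert: cert, key: key, Pool: pool}, nil
}

// Issue signs a leaf certificate for cn with a fresh key. A negative ttl yields an
// already-expired certificate, used to show that a stale device credential is refused.
func (ca *DeviceCA) Issue(cn string, eku x509.ExtKeyUsage, ttl time.Duration) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Admit stands up a one-shot relay listener on loopback that requires a client
// certificate chaining to ca, then connects as a device presenting devCert
// (nil means no device certificate). It returns the relay's greeting, or the
// rejection as an error.
func Admit(ca *DeviceCA, relayCert tls.Certificate, devCert *tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{relayCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the device factor: no valid cert, no session
		ClientCAs:    ca.Pool,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close() // sends close_notify, so the device sees a clean EOF
			relay := conn.(*tls.Conn)
			if relay.Handshake() == nil { // nil only if the device cert chained to ca and is unexpired
				fmt.Fprintf(relay, "admitted device %s\n", relay.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
		}
	}()
	cfg := &tls.Config{RootCAs: ca.Pool, ServerName: "relay.example"}
	if devCert != nil {
		cfg.Certificates = []tls.Certificate{*devCert}
	}
	client, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err
	}
	defer client.Close()
	msg, err := io.ReadAll(client) // under TLS 1.3 a rejection by the relay arrives here as an alert
	return string(msg), err
}
```

To exercise it, create a CA with `NewDeviceCA`, issue the relay's own certificate with `ca.Issue("relay.example", x509.ExtKeyUsageServerAuth, time.Hour)`, and call `Admit` once per scenario: a device certificate issued with a positive ttl is admitted and the greeting names the device; passing `nil`, a certificate issued with a negative ttl, or one issued by a second `NewDeviceCA` instance all return an error from the handshake. The policy decision lives entirely in `ClientAuth: tls.RequireAndVerifyClientCert` plus `ClientCAs`; nothing the user types can substitute for the certificate, which is the property the page's "device factor" relies on.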
Cross-platform security
Built on modern standards (QUIC and MASQUE), Smallstep Enterprise Relay reduces latency and avoids TCP bottlenecks. The client is built into iOS and macOS, and extends coverage to Windows and Linux through a Smallstep agent. The result is secure connectivity without extra steps.
SMALLSTEP OKTA INTEGRATION
More secure logins with Smallstep + Okta®
Combining Smallstep and Okta® offers the strongest possible guarantee that your protected SaaS apps are only available on trusted devices. Access is bound to the specific device and cannot be exported. This enables you to require authorization of the user and device before granting access.
Add hardware-based device trust to your existing SSO
Solutions like Okta® Device Trust are great, but in practice they still rely on SCEP certificates, which can be exfiltrated. When you integrate Smallstep with your IdP, you gain an extra layer of security that authenticates the trusted device at all times.
High assurance device factor
Smallstep works with Okta as an external IdP factor, verifying the user’s hardware certificate before granting access. If the device is valid, the sign-in proceeds quietly. If not, the user is prompted to install or update the Smallstep app. This goes beyond standard MFA or YubiKeys by binding both user and device identity.
Hassle-free setup and SCIM sync
Smallstep integrates with Okta via OIDC, requiring no special configuration beyond standard SSO. SCIM automatically maps each Okta user to Smallstep, streamlining certificate issuance. Users see no extra prompts—just an invisible check confirming the device is cleared for access.
Immutable hardware bindings
By anchoring keys to a device’s secure enclave or TPM, Smallstep eliminates the risk of credential theft. Even if someone gains user credentials, they can’t access apps without the validated hardware. Unlike YubiKeys (which can be misplaced or shared), Smallstep locks down both user and device identity, cutting off attackers who try to reuse stolen tokens on different machines.
Learn more about the platform
The Smallstep platform helps mitigate numerous cybersecurity threats – from phishing to advanced hardware attacks – without impacting end-user workflows.
Leading the industry in Zero Trust for devices
Empower your teams to work at the pace and scale of modern engineering.