Enforce SaaS access with device identity

User credentials alone aren’t enough. Smallstep adds a frictionless second layer of trust to every SaaS login by verifying hardware-bound device certificates. Every authentication is tied directly to a trusted, company-approved machine—delivering true Zero Trust security across SaaS apps like Salesforce, GitHub, Dropbox, and more. Protect critical data without slowing your team down.

Reduce MFA fatigue
Eliminate credential theft
Sane defaults out of the box
IDP integration
Easy onboarding & offboarding
Cross-platform coverage

SMALLSTEP ENTERPRISE RELAY

Protect SaaS apps with Smallstep Relay

Smallstep Enterprise Relay ensures only your company-owned devices can access SaaS and private network resources. Leveraging standards-based private MASQUE relay servers [RFC9298], hardware-attested device certificates, and mutual TLS, Smallstep provides the highest level of assurance that only authorized endpoints reach sensitive resources. Compatible with any SaaS app supporting IP allow lists, Smallstep Enterprise Relay makes enforcing trusted device policies simple and secure.

Enterprise Relay - multi-OS devices, hardware attestation, SaaS integration - Google AWS Slack GitHub access

A fast, secure replacement for traditional VPNs

Smallstep Enterprise Relay proxies traffic only for the domains you specify—like Salesforce or GitHub—routing them through a dedicated tunnel. This precision approach replaces broad VPN subnets with granular, app-level controls, preventing lateral movement and improving security while streamlining connectivity.

GitHub access denied - Smallstep device verification failed, untrusted device blocked

Granular Zero Trust access

Smallstep Enterprise Relay proxies traffic for a set of domains, letting you specify exactly which SaaS apps (for example, salesforce.com or github.com) must pass through a dedicated tunnel. This method prevents lateral movement and replaces broad VPN subnets with precise, app-level controls.

Hardware-bound credentials

Enterprise Relay works with SaaS IP allowlists. Outbound traffic is restricted to your managed egress IP. Each user device gets a short-lived certificate pinned to its hardware (TPM, Secure Enclave), blocking unauthorized endpoints or personal machines from sneaking into your SaaS apps.

Cross-platform security

Built on modern standards (QUIC and MASQUE), Smallstep Enterprise Relay reduces latency and avoids TCP bottlenecks. The client is built into iOS and macOS, and extends coverage to Windows and Linux through a Smallstep agent. The result is secure connectivity without extra steps.

SMALLSTEP OKTA INTEGRATION

More secure logins with Smallstep + Okta®

Combining Smallstep and Okta® offers the strongest possible guarantee that your protected SaaS apps are only available on trusted devices. Access is bound to the specific device and cannot be exported. This enables you to require authorization of the user and device before granting access.

Smallstep device attestation workflow - enrolling device through platform verification resulting in locked or approved status - hardware-bound certificate issuance decision flow

Add hardware-based device trust to your existing SSO

Solutions like Okta® Device Trust are great, but in practice they still rely on SCEP certificates which can be exfiltrated. When you integrate Smallstep with your IdP, you gain an extra layer of security that authenticates the trusted device at all times.

Okta Smallstep integration - device verified, high-assurance identity, FastPass SSO redirect

High assurance device factor

Smallstep works with Okta as an external IdP factor, verifying the user’s hardware certificate before granting access. If the device is valid, the sign-in proceeds quietly. If not, the user is prompted to install or update the Smallstep app. This goes beyond standard MFA or YubiKeys by binding both user and device identity.

Hassle-free setup and SCIM sync

Smallstep integrates with Okta via OIDC, requiring no special configuration beyond standard SSO. SCIM automatically maps each Okta user to Smallstep, streamlining certificate issuance. Users see no extra prompts—just an invisible check confirming the device is cleared for access.

Immutable hardware bindings

By anchoring keys to a device’s secure enclave or TPM, Smallstep eliminates the risk of credential theft. Even if someone gains user credentials, they can’t access apps without the validated hardware. Unlike YubiKeys (which can be misplaced or shared), Smallstep locks down both user and device identity, cutting off attackers who try to reuse stolen tokens on different machines.

Smallstep ACME certificate management dashboard with 32,175 attested devices across all platforms

Learn more about the platform

The Smallstep platform helps mitigate numerous cybersecurity threats – from phishing to advanced hardware attacks – without impacting end-user workflows.


Leading the industry in Zero Trust for devices

Empower your teams to work at the pace and scale of modern engineering.
