Enforce SaaS access with device identity

User credentials alone aren’t enough. Smallstep adds a frictionless second layer of trust to every SaaS login by verifying hardware-bound device certificates. Every authentication is tied directly to a trusted, company-approved machine—delivering true Zero Trust security across SaaS apps like Salesforce, GitHub, Dropbox, and more. Protect critical data without slowing your team down.

background graphic
MFA Fatigue IconReduce MFA fatigue
Certificate iconEliminate credential theft
List iconSane defaults out of the box
IDP integration
Easy onboarding & offboardingEasy onboarding & offboarding
Cross-platform coverageCross-platform coverage

SMALLSTEP ENTERPRISE RELAY

Protect SaaS apps with Smallstep Relay

Smallstep Enterprise Relay ensures only your company-owned devices can access SaaS and private network resources. Leveraging standards-based private MASQUE relay servers [RFC9298], hardware-attested device certificates, and mutual TLS, Smallstep provides the highest level of assurance that only authorized endpoints reach sensitive resources. Compatible with any SaaS app supporting IP allow lists, Smallstep Enterprise Relay makes enforcing trusted device policies simple and secure.

Granular Zero-Trust Access Diagram

A fast, secure replacement for traditional VPNs

Smallstep Enterprise Relay proxies traffic only for the domains you specify—like Salesforce or GitHub—routing them through a dedicated tunnel. This precision approach replaces broad VPN subnets with granular, app-level controls, preventing lateral movement and improving security while streamlining connectivity.

Enterprise Relay - GitHub

Granular Zero Trust access

Smallstep Enterprise Relay proxies traffic for a set of domains, letting you specify exactly which SaaS apps (for example, salesforce.com or github.com) must pass through a dedicated tunnel. This method prevents lateral movement and replaces broad VPN subnets with precise, app-level controls.

Hardware-bound credentials

Enterprise Relay works with SaaS IP allowlists. Outbound traffic is restricted to your managed egress IP. Each user device gets a short-lived certificate pinned to its hardware (TPM, Secure Enclave), blocking unauthorized endpoints or personal machines from sneaking into your SaaS apps.

Cross-platform security

Built on modern standards (QUIC and MASQUE), Smallstep Enterprise Relay reduces latency and avoids TCP bottlenecks.The client is built into iOS and macOS, and extends coverage to Windows and Linux through a Smallstep agent. The result is secure connectivity without extra steps.

See how it works

SMALLSTEP OKTA INTEGRATION

More secure logins with Smallstep + Okta®

Combining Smallstep and Okta® offers the strongest possible guarantee that your protected SaaS apps are only available on trusted devices. Access is bound to the specific device and cannot be exported. This enables you to require authorization of the user and device before granting access.

Hardware-based device trust diagram

Add hardware-based device trust to your existing SSO

Solutions like Okta® Device Trust are great, but in practice they still rely on SCEP certificates which can be exfiltrated. When you integrate Smallstep with your IdP, you gain an extra layer of security that authenticates the trusted device at all times.

Learn more
Enterprise Relay - Okta

High assurance device factor

Smallstep works with Okta as an external IdP factor, verifying the user’s hardware certificate before granting access. If the device is valid, the sign-in proceeds quietly. If not, the user is prompted to install or update the Smallstep app. This goes beyond standard MFA or YubiKeys by binding both user and device identity.

Hassle-free setup and SCIM sync

Smallstep integrates with Okta via OIDC, requiring no special configuration beyond standard SSO. SCIM automatically maps each Okta user to Smallstep, streamlining certificate issuance. Users see no extra prompts—just an invisible check confirming the device is cleared for access.

Immutable hardware bindings

By anchoring keys to a device’s secure enclave or TPM, Smallstep eliminates the risk of credential theft. Even if someone gains user credentials, they can’t access apps without the validated hardware. Unlike YubiKeys (which can be misplaced or shared), Smallstep locks down both user and device identity, cutting off attackers who try to reuse stolen tokens on different machines.

See how it works
Inventory list view UI

Learn more about the platform

The Smallstep platform helps mitigate numerous cybersecurity threats – from phishing to advanced hardware attacks – without impacting end-user workflows.

Learn more
gradient background

Leading the industry in Zero Trust for devices

Empower your teams to work at the pace and scale of modern engineering.

Contact us