Enforce SaaS access with device identity

Smallstep Enterprise Relay proxies traffic for a set of domains, letting you specify exactly which SaaS apps (for example, salesforce.com or github.com) must pass through a dedicated tunnel. This method prevents lateral movement and replaces broad VPN subnets with precise, app-level controls.

Enterprise Relay works with SaaS IP allowlists. Outbound traffic is restricted to your managed egress IP. Each user device gets a short-lived certificate pinned to its hardware (TPM, Secure Enclave), blocking unauthorized endpoints or personal machines from sneaking into your SaaS apps.

Built on modern standards (QUIC and MASQUE), Smallstep Enterprise Relay reduces latency and avoids TCP bottlenecks.The client is built into iOS and macOS, and extends coverage to Windows and Linux through a Smallstep agent. The result is secure connectivity without extra steps.

Smallstep works with Okta as an external IdP factor, verifying the user’s hardware certificate before granting access. If the device is valid, the sign-in proceeds quietly. If not, the user is prompted to install or update the Smallstep app. This goes beyond standard MFA or YubiKeys by binding both user and device identity.

Smallstep integrates with Okta via OIDC, requiring no special configuration beyond standard SSO. SCIM automatically maps each Okta user to Smallstep, streamlining certificate issuance. Users see no extra prompts—just an invisible check confirming the device is cleared for access.

By anchoring keys to a device’s secure enclave or TPM, Smallstep eliminates the risk of credential theft. Even if someone gains user credentials, they can’t access apps without the validated hardware. Unlike YubiKeys (which can be misplaced or shared), Smallstep locks down both user and device identity, cutting off attackers who try to reuse stolen tokens on different machines.