Allow user creation via SSO
You can allow users to register using information from your organization’s identity provider and issue and renew certificates using DigiCert Trust Assistant. This process requires a Trust Lifecycle Manager certificate profile configured with the DigiCert ONE Login as the Authentication method.
Note
DigiCert ONE Login authentication for automatic user creation via single sign-on (SSO) is restricted to DigiCert Trust Assistant users in Trust Lifecycle Manager.
One of the prerequisites for this procedure is that you must specify which email domains users can onboard from. This article explains how to add those domains.
Tip
Can I list the same domain in multiple accounts?
Yes, but the account names must match.
Note: when a domain is shared across accounts, you can't edit the account name. To change your account name, you need to first remove the domain from one of the accounts.
Prerequisites
Enable an SSO sign-in method (Security Assertion Markup Language (SAML) or OpenID Connect (OIDC)).
Who can update these domains?
Adding and removing allowed email domains is restricted to system administrators with the Manage accounts permission:
For DigiCert-hosted accounts, contact DigiCert Support to enable this feature.
For on-premises customers, contact the system administrator within your organization to enable this feature by following the steps below.
Specify allowed email domains
To specify allowed email domains:
In the Managers menu, select Account.
In the Account menu, go to Accounts.
On the Accounts page, select the Name of the account.
On the Account details page, in the Allow user creation via SSO section, enter one or more domains.
Note
This field only appears once all of the prerequisites above have been met.