
Allow user creation via SSO

You can allow users to register with information from your organization's Identity Provider (IdP), and then issue and renew certificates with DigiCert Trust Assistant, by creating a Trust Lifecycle Manager certificate profile that uses DigiCert ONE Login as the Authentication method.

Note

When the DigiCert ONE Login authentication method is used, automatic user creation via SSO is supported only for DigiCert Trust Assistant users in Trust Lifecycle Manager. All other users must be created manually in DigiCert ONE, even if their email domain is listed as allowed and they exist in the IdP.

One prerequisite of this procedure is that you specify which email domains users may onboard from. This article explains how to add those domains. Because any user the IdP authenticates with an email address in a listed domain can then self-register, list only domains your organization controls.

Tip

Can I list the same domain in multiple accounts?

Yes, but the account names must match.

Note: Once a domain is shared across accounts, you can no longer edit the account name. To change your account name, you'll need to first remove the domain from one of the accounts.

Prerequisites

Who can update these domains?

Only a system administrator with the Manage accounts permission can add or remove allowed email domains:

  • For DigiCert-hosted accounts, contact DigiCert Support to enable this feature.

  • For on-premises deployments, ask the system administrator in your organization to enable this feature by following the steps below.

Specify allowed email domains

To specify allowed email domains:

  1. Sign in to DigiCert ONE.

  2. In the Managers (grid icon) menu, select Account.

  3. In the Account menu, go to Accounts.

  4. On the Accounts page, select the Name of the account.

  5. On the Account details page, in the Allow user creation via SSO section, enter one or more domains.

    Note

    This field will only display if all the prerequisites mentioned above have been met.