Allow users to get certificates via single sign-on using existing IdP
|
|
|
|
|
Allow users to get certificates using PAM (supports passwords, LDAP, Kerberos, Duo, etc.)
|
|
|
|
|
Only allow particular groups of users to get certificates
|
|
|
|
|
Leverage existing IdP group definitions for access control
|
|
|
|
|
Define access control groups separately at the SSH CA
|
|
|
|
|
Restrict SSH access to particular hosts
|
|
|
|
|
SSH users must authenticate as themselves (vs. as a principal account like “ops” or “eng”)
|
|
|
|
|