While Tresorit supports the most commonly used Identity Providers (Azure Active Directory, Okta and Google Workspace), it cannot support every provider. The main reason is that not every one of them is compatible with Tresorit’s solution for Zero Knowledge encryption: they do not allow us to securely store the secrets that are essential for the encryption.
To solve this problem, we can offer an integration that uses Amazon Cognito as an intermediate Identity Provider. Cognito is compatible with almost every other provider, which enables you to connect your choice of Identity Provider with Tresorit.
This custom Single-Sign-On (SSO) option is only available in our Enterprise plan. Please contact your account manager to ask for a quote on the setup fee.
What is Amazon Cognito?
As previously mentioned, Amazon Cognito is itself an Identity Provider that can propagate queries to your actual identity provider. It also lets us store secrets completely separately from your provider, so no other application can access them. Furthermore, the attribute used for storing the secret is not visible on the user’s own profile page at the provider, so it cannot be accidentally deleted.
When to use Amazon Cognito?
You should use Amazon Cognito only if your Identity Provider is not directly supported by Tresorit, but you would still like to enable your users to use Tresorit with Single Sign-On authentication.
How to set up?
The setup process for Amazon Cognito involves more steps than for the directly supported IdPs, because you have to set up Amazon Cognito to work with Tresorit and then set up your own provider to work with Cognito. The basic steps are the following:
Step 1
Create a Cognito User Pool and add a custom attribute called tresoritLoginKey (type string, min length 0, max length 256).
Step 2
Set up Cognito with your choice of provider. You can find descriptions of the setup process for different Identity Providers here (Amazon Cognito section): https://aws.amazon.com/premiumsupport/knowledge-center/
Step 3
Connect Tresorit to Cognito.
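Before handing the pool over in Step 3, it is worth confirming that the attribute from Step 1 exists with the stated constraints. The following check is an added example, not Tresorit's or AWS's own code; it assumes the JSON shape printed by `aws cognito-idp describe-user-pool`, where custom attributes carry a `custom:` prefix, and the sample outputs are constructed.

```python
import json

ATTR_NAME = "custom:tresoritLoginKey"  # Step 1 name, with Cognito's "custom:" prefix
EXPECTED_TYPE = "String"
EXPECTED_LIMITS = {"MinLength": "0", "MaxLength": "256"}  # reported as strings


def check_login_key_attribute(describe_output):
    """Return a list of problems; an empty list means the schema matches Step 1."""
    schema = describe_output.get("UserPool", {}).get("SchemaAttributes", [])
    by_name = {a.get("Name"): a for a in schema}
    attr = by_name.get(ATTR_NAME)
    if attr is None:
        # Flag a near miss so a misspelled attribute is not mistaken for a missing one.
        near = [n for n in by_name if n and n.lower() == ATTR_NAME.lower()]
        hint = f" (found {near[0]!r}, which differs in case)" if near else ""
        return [f"{ATTR_NAME} is missing{hint}"]
    problems = []
    if attr.get("AttributeDataType") != EXPECTED_TYPE:
        problems.append(
            f"type is {attr.get('AttributeDataType')!r}, expected {EXPECTED_TYPE!r}")
    limits = attr.get("StringAttributeConstraints") or {}
    for key, want in EXPECTED_LIMITS.items():
        if str(limits.get(key)) != want:
            problems.append(f"{key} is {limits.get(key)!r}, expected {want}")
    return problems


# Constructed sample outputs, not taken from a real user pool.
GOOD = json.loads("""{"UserPool": {"SchemaAttributes": [
  {"Name": "email", "AttributeDataType": "String"},
  {"Name": "custom:tresoritLoginKey", "AttributeDataType": "String",
   "StringAttributeConstraints": {"MinLength": "0", "MaxLength": "256"}}]}}""")
BAD_LIMITS = json.loads("""{"UserPool": {"SchemaAttributes": [
  {"Name": "custom:tresoritLoginKey", "AttributeDataType": "String",
   "StringAttributeConstraints": {"MinLength": "1", "MaxLength": "64"}}]}}""")
WRONG_CASE = json.loads("""{"UserPool": {"SchemaAttributes": [
  {"Name": "custom:TresoritLoginKey", "AttributeDataType": "String",
   "StringAttributeConstraints": {"MinLength": "0", "MaxLength": "256"}}]}}""")

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad limits", BAD_LIMITS),
                          ("wrong case", WRONG_CASE)):
        print(label, "->", check_login_key_attribute(sample) or "OK")
```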