
Configuring UniFi Identity Endpoint Services For Zero-Trust Network Access (ZTNA)

UniFi Identity Endpoint is an app that streamlines how users interact with UniFi services across multiple sites directly from their PC or mobile device. By combining centralized Fabric-level permissions with secure, identity-based authentication, UniFi Identity Endpoint provides seamless access to WiFi, VPN, and Door Access while enforcing zero-trust network policies.

Requirements

Before configuring Identity Endpoint Services, ensure the following are in place:

What is Identity Endpoint?

Identity Endpoint serves as the central location for users to interact with UniFi services across any site they are granted permission to, directly from their PC or mobile device.

When an Identity Provider (IdP) is bound to the Fabric, Identity Endpoint provides additional security benefits by enforcing SAML-based authentication, including MFA if configured. This ensures access is granted only after identity verification, aligning with zero-trust security principles.

Available Identity Endpoint Services

  • One-Click WiFi for seamless, secure WiFi access across applicable sites using identity-based authentication—eliminating the need for per-site credentials or manual onboarding.
  • One-Click VPN which allows users to connect to authorized networks across sites while enforcing centralized, zero-trust access policies.
  • Smart Door Access to grant physical access to doors across applicable sites, ensuring consistent access control without maintaining site-specific credentials.

Enabling Identity Endpoint Services

To enable Identity Endpoint services:

  1. Go to Site Manager.
  2. Select a Fabric.
  3. Navigate to Settings > Identity.
  4. Select the Identity Endpoint service(s) to enable. See Identity Endpoint Configuration Options below for more details on available settings.
  5. By default, all sites are included. To limit availability, select specific sites.
  6. Add people to your Fabric and assign them permissions to use Identity Endpoint. See Managing UniFi Fabric People, Roles, and Permissions for more information.

Identity Endpoint Configuration Options

One-Click WiFi

  • WiFi Name: Specifies the SSID that will be provisioned across selected sites and authenticated using the Identity Endpoint app.

One-Click VPN

  • Split Tunnel Routing: By default, all traffic is routed through the One-Click VPN (full tunnel). Split tunneling allows you to specify which traffic traverses the VPN; any traffic not selected leaves the device directly over its local network and is not subject to the VPN's access policies. This reduces load on corporate infrastructure and improves performance for traffic that does not require VPN access, at the cost of that traffic bypassing VPN policy.
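To make the full-tunnel versus split-tunnel distinction concrete, here is an added example (not part of the original article and not UniFi's own configuration format or code) that models a client route table and answers, by longest-prefix match, whether a given destination would traverse the VPN. The route tables, gateway labels ("vpn", "isp") and sample destinations are constructed for illustration. It also shows the failure mode a practitioner checks for when enabling split tunneling: a destination with no matching VPN route (including any IPv6 destination when only IPv4 prefixes are routed through the tunnel) bypasses the VPN entirely.

```python
import ipaddress
from typing import List, Tuple

# Constructed route tables (assumption: not UniFi's real config format).
# Each entry is (destination prefix, next hop label).
FULL_TUNNEL: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "vpn"),       # everything goes through the VPN
]

SPLIT_TUNNEL: List[Tuple[str, str]] = [
    ("10.0.0.0/8", "vpn"),      # corporate RFC1918 space via VPN
    ("192.168.50.0/24", "vpn"), # one additional internal subnet via VPN
    ("0.0.0.0/0", "isp"),       # everything else leaves via the local ISP link
]


def build_table(routes: List[Tuple[str, str]]):
    """Parse textual prefixes into ip_network objects; strict=True rejects
    host bits set in a prefix (e.g. 10.1.2.3/8), which would be a config error."""
    return [(ipaddress.ip_network(prefix, strict=True), hop) for prefix, hop in routes]


def route_for(dest: str, routes: List[Tuple[str, str]]) -> str:
    """Return the next-hop label for `dest` using longest-prefix match.

    Returns "unrouted" when no prefix of the same IP version matches; in a
    real client that traffic would not enter the tunnel at all."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, hop in build_table(routes):
        # A v4 prefix can never cover a v6 destination (and vice versa).
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, hop)
    return best[1] if best is not None else "unrouted"


def bypassed_destinations(dests: List[str], routes: List[Tuple[str, str]]) -> List[str]:
    """List the destinations that would NOT traverse the VPN under `routes`.

    Anything routed to a non-VPN hop, or not routed at all, is reported:
    this is the set of traffic the VPN's access policies never see."""
    return [d for d in dests if route_for(d, routes) != "vpn"]


if __name__ == "__main__":
    # Constructed sample destinations: internal host, public DNS, an IPv6 host.
    sample = ["10.1.2.3", "8.8.8.8", "2001:db8::1"]
    print("full tunnel bypasses :", bypassed_destinations(sample, FULL_TUNNEL))
    print("split tunnel bypasses:", bypassed_destinations(sample, SPLIT_TUNNEL))
```

Run the script to compare the two tables: with the full-tunnel table nothing bypasses the VPN except destinations the table cannot route at all (here the IPv6 host), while with the split-tunnel table both the public address and the IPv6 host bypass it. When enabling Split Tunnel Routing, verify on a real client with the operating system's route listing that the prefixes you expect to be protected are the ones actually pointed at the VPN interface.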

Smart Door Access

  • Credential Types: Select which credential types are available for assignment in the Fabric’s People tab and usable through the Identity Endpoint app.
    • NFC Card
    • Mobile Unlock
    • Face Unlock
    • PIN
    • Hand Wave
    • QR Code
  • Remote Unlock: Allows users to unlock doors remotely through the Identity Endpoint app, even when not physically near the door. This option is disabled by default to maintain maximum security.

Identity Endpoint Email Invite

  • Send Automatically To New People: Once a role and/or permission is assigned for an Identity Endpoint service, an email will automatically be sent to onboard the user.
  • Require 2FA Code: The onboarding email will include a 2FA code that must be used when onboarding to the Identity Endpoint app.
  • Invite Expiration: Configure the onboarding email expiration time (default 30 days).