Smallstep for SaaS Apps enforces device identity-based access control for SaaS applications using hardware-bound certificates. It operates via two primary mechanisms: Enterprise Relay and an Okta integration. Enterprise Relay is a MASQUE-based (RFC9298) relay server that routes traffic for specified SaaS domains through a dedicated tunnel, leveraging mutual TLS and hardware-attested device certificates. It integrates with SaaS IP allowlists to restrict outbound traffic to a managed egress IP, replacing broad VPN subnets with app-level access controls. It is compatible with any SaaS application that supports IP allowlists. The Okta integration adds hardware-based device trust on top of existing SSO by acting as an external IdP factor. Before granting access, it verifies a hardware-bound certificate pinned to the device's TPM or Secure Enclave. User-to-device mapping is handled automatically via SCIM, and SSO is configured via OIDC with no additional end-user prompts. Short-lived certificates are issued per device and bound to hardware (TPM or Secure Enclave), preventing credential export or reuse on unauthorized machines. The client is natively built into iOS and macOS, with Windows and Linux support via a Smallstep agent. The solution covers access to standard SaaS apps as well as internal AI copilots, AI admin consoles, and MCP-enabled SaaS tools.