The company certificate is put on the server. Either the sysadmin manually generates the user key signed by the certificate and sends it to the user, or the self-serve system generates it and the user downloads it.
The user uses the SSH key as normal. The server checks whether the key is signed.
The self-serve system uses the company's single sign-on system. The SSH server can't do SSO; it can maybe do LDAP, but that is a giant annoyance to set up. A lot of SSH usage assumes a key is being used and doesn't support username/password.
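The flow described above, as an added example that is not part of the original text: it uses OpenSSH's `ssh-keygen` to create a CA, sign a user key, and compare the certificate's signing CA with the trusted one. The file names, the principal `alice`, the 8-hour lifetime and the `/etc/ssh/ca.pub` path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: SSH user certificates end to end, offline, in a temp directory.
# File names, the principal "alice" and the 8h lifetime are constructed values.

# The company CA key pair. Only the public half goes on servers, e.g. in sshd_config:
#   TrustedUserCAKeys /etc/ssh/ca.pub     (path is an assumption)
make_ca() {  # $1 = path for the CA private key, $2 = comment
    ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1"
}

# What the sysadmin or the self-serve system does: sign the user's public key.
# ssh-keygen writes the certificate next to it as <name>-cert.pub.
issue_user_cert() {  # $1 = CA private key, $2 = user public key, $3 = username
    ssh-keygen -q -s "$1" -I "$3" -n "$3" -V +8h "$2"
}

# Offline approximation of the server-side check: is the CA recorded in the
# certificate the one we trust? sshd also enforces the validity window and
# the principals list, which this function does not.
cert_signed_by() {  # $1 = certificate, $2 = trusted CA public key
    signer=$(ssh-keygen -L -f "$1" 2>/dev/null | awk '/Signing CA:/ {print $4}')
    trusted=$(ssh-keygen -l -f "$2" | awk '{print $2}')
    [ -n "$signer" ] && [ "$signer" = "$trusted" ]
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/ca" company-ca
    make_ca "$d/other_ca" unrelated-ca
    ssh-keygen -q -t ed25519 -N '' -f "$d/alice"      # the user's ordinary key
    issue_user_cert "$d/ca" "$d/alice.pub" alice
    if cert_signed_by "$d/alice-cert.pub" "$d/ca.pub"; then
        echo "signed by company CA: accepted"
    fi
    if ! cert_signed_by "$d/alice-cert.pub" "$d/other_ca.pub"; then
        echo "checked against unrelated CA: rejected"
    fi
    if ! cert_signed_by "$d/alice.pub" "$d/ca.pub"; then
        echo "plain unsigned key: rejected"
    fi
    rm -rf "$d"
}

demo
```

A short `-V` lifetime means a certificate issued after an SSO login expires on its own, so no per-user key has to be removed from servers.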