UniFi Zero Trust Networking is built around the concept of a Fabric, created and managed through UniFi Site Manager at unifi.ui.com.
A Fabric represents a collection of unified sites grouped into a single trust and administrative domain.
All UniFi applications and services operating within those sites inherit the Fabric’s identity and policy model, enabling consistent enforcement across locations.
Within a Fabric, administrators centrally define people and roles, including administrative privileges, service entitlements, and resource permissions across sites.
All decisions are identity-based rather than network location–based. Users and devices are explicitly evaluated before interacting with Fabric-managed services or resources.
Interaction with Fabric resources is mediated through UniFi Endpoints, available on all major platforms: macOS, Windows, iOS, Android, and Linux.
UniFi Endpoints facilitate user- and device-aware verification and act as the enforcement layer.

A Fabric can optionally be bound to a third-party identity provider (IdP), such as Microsoft Entra or Google Workspace, among others.
When enabled, UniFi integrates using open enterprise-standard protocols. UniFi uses SAML to authenticate users directly against the bound IdP.
Authentication benefits from the IdP’s security controls, including multi-factor authentication (MFA). Credentials and authentication flows remain fully owned and secured by the IdP.
SCIM enables real-time synchronization of users and groups. Employee onboarding and offboarding are automatically reflected in UniFi.
Access is granted or revoked immediately as identity state changes in the IdP. Together, SAML and SCIM ensure that identity, access, and lifecycle management remain centralized in a single source of truth, while UniFi enforces those decisions consistently across the Fabric.
Not all Fabric interactions require live IdP authentication.
Local and device-based workflows, such as door access or on-site operations, continue to function independently, preserving availability during cloud or IdP outages.
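The SCIM-driven lifecycle and the outage behaviour described above, shown as an added Python example (not UniFi's own code; UniFi's internal APIs are not described on this page). It applies a constructed SCIM 2.0 PatchOp subset (User `active`, Group `members`) to a local directory copy and then makes an access decision from identity, group entitlement and device state only, never from network location; the `ENTITLEMENTS` table, the `LOCAL_RESOURCES` set and the patch messages are assumptions for illustration.

```python
import json
from dataclasses import dataclass, field

SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Hypothetical entitlement table: SCIM group -> resources the group may reach
ENTITLEMENTS = {"engineering": {"git.internal"}, "facilities": {"door.lobby"}}
# Resources that must stay usable from last-synced state during a cloud/IdP outage
LOCAL_RESOURCES = {"door.lobby"}

# Constructed PatchOp messages, in the shape an IdP sends on offboarding / group change
OFFBOARD = json.dumps({"schemas": [SCIM_PATCH],
                       "Operations": [{"op": "replace", "path": "active", "value": False}]})
REMOVE_BOB = json.dumps({"schemas": [SCIM_PATCH],
                         "Operations": [{"op": "remove", "path": "members",
                                         "value": [{"value": "bob"}]}]})

@dataclass
class User:
    user_name: str
    active: bool = True
    groups: set = field(default_factory=set)

def apply_scim_patch(directory: dict, target: str, patch_json: str) -> None:
    """Apply a SCIM PatchOp to the local directory copy. `target` is the User or
    Group the PATCH URL addressed (simplified: real IdPs may use filter paths)."""
    patch = json.loads(patch_json)
    if SCIM_PATCH not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    for op in patch["Operations"]:
        kind, path, value = op["op"].lower(), op.get("path"), op.get("value")
        if path == "active" and kind == "replace":            # PATCH /Users/{target}
            directory[target].active = bool(value)
        elif path == "members" and kind in ("add", "remove"):  # PATCH /Groups/{target}
            for member in value:
                groups = directory[member["value"]].groups
                groups.add(target) if kind == "add" else groups.discard(target)
        else:
            raise ValueError(f"unsupported operation {kind} on {path}")

def evaluate_access(user: User, device_compliant: bool, resource: str,
                    idp_reachable: bool = True) -> bool:
    """Identity-based decision: the source network is deliberately not an input.
    Non-local resources need a reachable IdP for live authentication; local ones
    (door access) are decided from the last-synced identity state."""
    if not user.active or not device_compliant:
        return False
    if not idp_reachable and resource not in LOCAL_RESOURCES:
        return False
    return any(resource in ENTITLEMENTS.get(g, set()) for g in user.groups)
```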

UniFi Identity enforces explicit verification, least privilege, centralized policies, and continuous evaluation — without assuming trust based on network location or permanent connectivity.