This article explains how to configure device service account provisioning in Sensor Management.
The service account provisioning feature provides a device with the essential configuration settings it needs to use functionality such as Single Sign-On through OAuth/OpenID Connect (OIDC) clients like ZITADEL within our solution.
Refer to Accessing the Identity and Access Management UI for access to the ZITADEL UI.
Creating the Sensor Management Service User on the ZITADEL server
Because the Orchestrator application is always associated with the Analytics project, both the Analytics project and the Orchestrator application are created automatically under the <Tenant_name> organization in your ZITADEL instance after you deploy the Sensor Management replicated system.
Note: The default tenant name is pca.
The Sensor Management Service User is used by the system responsible for provisioning devices:
- Cisco Provider Connectivity Assurance Sensor Control 25.07 and later
- Cisco Provider Connectivity Assurance Sensor (GT/LT/LX) 25.07 and later
This is the service that calls /v1/mediator/onboardMachineCredentials to create a new service user for an onboarded device, receives the Personal Access Token (PAT) in return, and pushes it to the device.
For service user details, refer to the ZITADEL documentation.
To create a service user on ZITADEL
- Access the ZITADEL user interface and navigate to Service Users.
- Click New.
- Enter a User Name and a display name.
- Select the Access Token Type.
  - The service user must be authenticated with the JWT Access Token Type.
- Click Create to finalize the service user setup.

Configuring ZITADEL to Add Authorizations for Sensor Management Service User
During authentication, the Sensor Management service user account must hold the following two roles, assigned under the Authorizations configuration in ZITADEL:
- szgw.admin
- szgw.pat.token.manager
Configuring Private Key JWT Authentication for Sensor Management Service User
This section describes how to use private key JWT authentication to secure communication between service users and client applications within ZITADEL.
ZITADEL supports private key JWT authentication, in which you generate a private/public key pair for a service user; the service user signs a JWT with the private key and ZITADEL verifies it with the stored public key.
For JWT authentication details, refer to the ZITADEL documentation.
To generate a private key file
- Access the ZITADEL user interface and navigate to the Service Users details.
- On the new service user’s details page, click Keys in the menu on the left side.
- Click New.
- Optionally set an expiration date; leave the field blank if you do not want the key to expire.

- Click Download and save the key file.

Configuring Device Service Account Provisioning in Sensor Management
This section describes the procedure for configuring device service account provisioning within Sensor Management.
To configure device service account provisioning
- Log in to the Sensor Management web interface.
- Navigate to Admin ▶ Authentication.
- Locate the Device service account configuration section.
- Select the Enable checkbox to enable the Device service account configuration feature.
- Enter the Required URL Configurations as shown below:
| URL Configurations | Sensor Management was installed without DNS | Sensor Management was installed with DNS |
|---|---|---|
| Gateway Server URL | https://{external-IP}:443 | https://{tenant-name}.{domain-name}:443 |
| JWT Audience | https://{external-IP}:3443 | https://auth.{domain-name}:443 |
- Upload the private JWT key file:
  - Choose the JSON key file associated with the service account you created in the procedure To generate a private key file above.
  - Click Import signing key.
- Click Test.
  The "JWT configuration verification succeeded" dialog is displayed.

- Click Apply to save the configuration.
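The "Test" step above exercises the private key JWT flow described in Configuring Private Key JWT Authentication: a JWT signed with the imported key, with the JWT Audience value as its audience, is presented to ZITADEL. The following is an added example, not code from Sensor Management or ZITADEL, showing what that assertion contains; the key-file field names (keyId, key, userId) and claim rules (iss and sub equal the service user ID, aud is the ZITADEL issuer, exp at most one hour) follow ZITADEL's documented JWT profile, and the BuildAssertion name and audience URL are assumptions for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"time"
)

// ZitadelKey mirrors the JSON key file downloaded for a ZITADEL service user.
type ZitadelKey struct {
	KeyID  string `json:"keyId"`
	Key    string `json:"key"` // PEM-encoded RSA private key
	UserID string `json:"userId"`
}

// BuildAssertion signs the RS256 private-key JWT a service user presents to ZITADEL:
// iss/sub = service user ID, aud = ZITADEL issuer (the "JWT Audience" field above),
// kid = key ID from the file, exp at most one hour ahead (ZITADEL's limit).
func BuildAssertion(kf ZitadelKey, audience string, now time.Time) (string, error) {
	block, _ := pem.Decode([]byte(kf.Key))
	if block == nil {
		return "", fmt.Errorf("key file does not contain a PEM block")
	}
	priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("unsupported private key: %w", err)
	}
	enc := base64.RawURLEncoding
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kf.KeyID})
	claims, _ := json.Marshal(map[string]interface{}{"iss": kf.UserID, "sub": kf.UserID,
		"aud": audience, "iat": now.Unix(), "exp": now.Add(time.Hour).Unix()})
	input := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input)) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}
```

To use it with a real key, unmarshal the downloaded JSON file into ZitadelKey and pass the configured JWT Audience value; the returned assertion is what ZITADEL validates against the service user's stored public key, so a wrong audience or key ID fails exactly as the Test step would report.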
Adding the Devices to Sensor Management
After enabling the Device service account feature, add the devices to complete the onboarding process.
Refer to the About Devices article for steps on managing devices within Sensor Management.
When the device onboarding process completes, a service user named after the device's unique serial number is created automatically on the ZITADEL server and assigned the szgw.admin and szgw.pat.token.manager roles. This allows the returned Personal Access Token to be used for self-refresh.
© 2026 Cisco and/or its affiliates. All rights reserved.