diff --git a/.gitattributes b/.gitattributes
index b8bd2f10..51551c8a 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -15,4 +15,5 @@
 # Include these files in normal git tracking so they can be used by terragrunt
 packages/infrastructure/authentik_core_resources/logo.svg !filter !diff !merge text
 packages/infrastructure/authentik_aws_sso/aws.svg !filter !diff !merge text
-packages/infrastructure/authentik_vault_sso/vault.svg !filter !diff !merge text
\ No newline at end of file
+packages/infrastructure/authentik_vault_sso/vault.svg !filter !diff !merge text
+packages/infrastructure/authentik_zoho_sso/zoho.svg !filter !diff !merge text
\ No newline at end of file
diff --git a/packages/infrastructure/authentik_aws_sso/vars.tf b/packages/infrastructure/authentik_aws_sso/vars.tf
index 85f58ec9..b6b3b5c6 100644
--- a/packages/infrastructure/authentik_aws_sso/vars.tf
+++ b/packages/infrastructure/authentik_aws_sso/vars.tf
@@ -1,14 +1,14 @@
 variable "aws_acs_url" {
-  description = "The ACS url provided by AWS when configuring and external identity provider"
+  description = "The ACS url provided by AWS when configuring an external identity provider"
   type        = string
 }
 variable "aws_sign_in_url" {
-  description = "The Sign-in url provided by AWS when configuring and external identity provider"
+  description = "The sign-in url provided by AWS when configuring an external identity provider"
   type        = string
 }
 
 variable "aws_issuer" {
-  description = "The Issuer url provided by AWS when configuring and external identity provider"
+  description = "The Issuer url provided by AWS when configuring an external identity provider"
   type        = string
 }
 
diff --git a/packages/infrastructure/authentik_zoho_sso/README.md b/packages/infrastructure/authentik_zoho_sso/README.md
new file mode 100644
index 00000000..eb3d2970
--- /dev/null
+++ b/packages/infrastructure/authentik_zoho_sso/README.md
@@ -0,0 +1,3 @@
+# AWS SSO with Zoho
+
+**Type:** Live
diff --git a/packages/infrastructure/authentik_zoho_sso/USAGE.md b/packages/infrastructure/authentik_zoho_sso/USAGE.md
new file mode 100644
index 00000000..3c64219b
--- /dev/null
+++ b/packages/infrastructure/authentik_zoho_sso/USAGE.md
@@ -0,0 +1,13 @@
+## Usage
+
+### Sign-in URL
+
+For IDP-initiated logins, the `zoho_sign_in_url` variable must be provided.
+
+This is not found in the Zoho web UI and must be constructed manually.
+
+It is of the form `https://accounts.zoho.com/samlauthrequest/<domain>?serviceurl=<zoho_service>` where
+
+- `<domain>` is a domain **that has been verified with Zoho**
+
+- `<zoho_service>` is the `https` url of a Zoho service (e.g., `https://one.zoho.com`)
\ No newline at end of file
diff --git a/packages/infrastructure/authentik_zoho_sso/common_vars.tf b/packages/infrastructure/authentik_zoho_sso/common_vars.tf
new file mode 100644
index 00000000..b8fb9829
--- /dev/null
+++ b/packages/infrastructure/authentik_zoho_sso/common_vars.tf
@@ -0,0 +1,47 @@
+variable "environment" {
+  description = "The name of the environment the infrastructure is being deployed into. #injected"
+  type        = string
+  default     = null
+}
+
+variable "pf_root_module" {
+  description = "The name of the root Panfactum module in the module tree. #injected"
+  type        = string
+  default     = "authentik_aws_sso"
+}
+
+variable "pf_module" {
+  description = "The name of the Panfactum module where the containing resources are directly defined. #injected"
+  type        = string
+  default     = "authentik_aws_sso"
+}
+
+variable "region" {
+  description = "The region the infrastructure is being deployed into. #injected"
+  type        = string
+  default     = null
+}
+
+variable "extra_tags" {
+  description = "Extra tags or labels to add to the created resources. #injected"
+  type        = map(string)
+  default     = {}
+}
+
+variable "is_local" {
+  description = "Whether this module is a part of a local development deployment #injected"
+  type        = bool
+  default     = false
+}
+
+variable "pf_stack_version" {
+  description = "Which version of the Panfactum stack is being used (git ref) #injected"
+  type        = string
+  default     = "main"
+}
+
+variable "pf_stack_commit" {
+  description = "The commit hash for the version of the Panfactum stack being used #injected"
+  type        = string
+  default     = "xxxxxxxxxxxxxxxxxxxxxxxxxxx"
+}
\ No newline at end of file
diff --git a/packages/infrastructure/authentik_zoho_sso/main.tf b/packages/infrastructure/authentik_zoho_sso/main.tf
new file mode 100644
index 00000000..9de65b04
--- /dev/null
+++ b/packages/infrastructure/authentik_zoho_sso/main.tf
@@ -0,0 +1,144 @@
+terraform {
+  required_providers {
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "2024.2.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.27.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "3.6.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "4.0.5"
+    }
+  }
+}
+
+
+###########################################################################
+## Upload the logo
+###########################################################################
+
+resource "random_id" "logo" {
+  prefix      = "zoho-"
+  byte_length = 8
+}
+
+resource "kubernetes_config_map_v1_data" "media" {
+  metadata {
+    name      = var.media_configmap
+    namespace = var.authentik_namespace
+  }
+  data = {
+    "${random_id.logo.hex}.svg" = file("${path.module}/zoho.svg")
+  }
+  field_manager = random_id.logo.hex
+  force         = true
+}
+
+###########################################################################
+## Cert Config
+###########################################################################
+
+// These certs are only used for their random cryptographic
+// material to sign the SAML assertions. There is no
+// need to use cert-manager to manage them,
+// especially since they need to be manually uploaded to AWS
+// every time they rotate
+resource "tls_private_key" "signing" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "tls_self_signed_cert" "signing" {
+  private_key_pem = tls_private_key.signing.private_key_pem
+  subject {
+    common_name  = var.authentik_domain
+    organization = var.organization_name
+  }
+  validity_period_hours = 24 * 365 * 10
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+  ]
+}
+
+resource "authentik_certificate_key_pair" "signing" {
+  name             = "zoho-signing-certs"
+  certificate_data = tls_self_signed_cert.signing.cert_pem
+  key_data         = tls_private_key.signing.private_key_pem
+}
+
+###########################################################################
+## IdP Config
+###########################################################################
+
+
+data "authentik_flow" "default-authorization-flow" {
+  slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_property_mapping_saml" "email" {
+  managed = "goauthentik.io/providers/saml/email"
+}
+
+resource "authentik_provider_saml" "zoho" {
+  name               = "zoho"
+  authorization_flow = data.authentik_flow.default-authorization-flow.id
+  acs_url            = var.zoho_acs_url
+  sp_binding         = "post"
+  issuer             = var.zoho_issuer
+  name_id_mapping    = data.authentik_property_mapping_saml.email.id
+  signing_kp         = authentik_certificate_key_pair.signing.id
+}
+
+data "authentik_provider_saml_metadata" "zoho" {
+  provider_id = authentik_provider_saml.zoho.id
+}
+
+
+resource "authentik_application" "zoho" {
+  name              = "zoho"
+  slug              = "zoho"
+  protocol_provider = authentik_provider_saml.zoho.id
+  meta_launch_url   = var.zoho_sign_in_url
+  meta_description  = var.ui_description
+  meta_publisher    = "Panfactum"
+  meta_icon         = "/media/public/${random_id.logo.hex}.svg"
+  group             = var.ui_group
+  open_in_new_tab   = true
+}
+
+
+data "authentik_group" "superusers" {
+  name = "superusers"
+}
+
+resource "authentik_policy_binding" "superuser_access" {
+  target = authentik_application.zoho.uuid
+  group  = data.authentik_group.superusers.id
+  order  = 0
+}
+
+
+data "authentik_group" "group" {
+  for_each = var.allowed_groups
+  name     = each.key
+}
+
+resource "authentik_policy_binding" "access" {
+  for_each = var.allowed_groups
+  target   = authentik_application.zoho.uuid
+  group    = data.authentik_group.group[each.key].id
+  order    = 10
+}
+
+
+
+
diff --git a/packages/infrastructure/authentik_zoho_sso/outputs.tf b/packages/infrastructure/authentik_zoho_sso/outputs.tf
new file mode 100644
index 00000000..a380d78f
--- /dev/null
+++ b/packages/infrastructure/authentik_zoho_sso/outputs.tf
@@ -0,0 +1,3 @@
+output "saml_metadata" {
+  value = data.authentik_provider_saml_metadata.zoho.metadata
+}
\ No newline at end of file
diff --git a/packages/infrastructure/authentik_zoho_sso/vars.tf b/packages/infrastructure/authentik_zoho_sso/vars.tf
new file mode 100644
index 00000000..cd92676d
--- /dev/null
+++ b/packages/infrastructure/authentik_zoho_sso/vars.tf
@@ -0,0 +1,53 @@
+variable "zoho_acs_url" {
+  description = "The ACS url provided by Zoho when configuring an external identity provider"
+  type        = string
+}
+variable "zoho_sign_in_url" {
+  description = "The sign-in url provided by Zoho when configuring an external identity provider"
+  type        = string
+}
+
+variable "zoho_issuer" {
+  description = "The issuer provided by Zoho when configuring an external identity provider"
+  type        = string
+  default     = "zoho.com"
+}
+
+variable "authentik_domain" {
+  description = "The domain name of the authentik instance"
+  type        = string
+}
+
+variable "organization_name" {
+  description = "The name of your organization"
+  type        = string
+}
+
+variable "ui_description" {
+  description = "The description to display in the Authentik web dashboard"
+  type        = string
+  default     = "Zoho"
+}
+
+variable "ui_group" {
+  description = "The section in the Authentik web dashboard that this will appear in"
+  type        = string
+  default     = "Admin"
+}
+
+variable "allowed_groups" {
+  description = "Only members of these groups can access AWS"
+  type        = set(string)
+  default     = []
+}
+
+variable "media_configmap" {
+  description = "The configmap holding the static media that Authentik will use"
+  type        = string
+}
+
+variable "authentik_namespace" {
+  description = "The kubernetes namespace where Authentik is deployed"
+  type        = string
+}
+
diff --git a/packages/infrastructure/authentik_zoho_sso/zoho.svg b/packages/infrastructure/authentik_zoho_sso/zoho.svg
new file mode 100644
index 00000000..37a34a4a
--- /dev/null
+++ b/packages/infrastructure/authentik_zoho_sso/zoho.svg
@@ -0,0 +1,8 @@
+<svg version="1.1" viewBox="0 0 1024 450" xmlns="http://www.w3.org/2000/svg">
+	<path d="m458.1 353c-7.7 0-15.5-1.6-23-4.9l-160-71.3c-28.6-12.7-41.5-46.4-28.8-75l71.3-160c12.7-28.6 46.4-41.5 75-28.8l160 71.3c28.6 12.7 41.5 46.4 28.8 75l-71.3 160c-9.5 21.2-30.3 33.7-52 33.7zm-9.7-34.9c12.1 5.4 26.3-0.1 31.7-12.1l71.3-160c5.4-12.1-0.1-26.3-12.1-31.7l-160.1-71.3c-12.1-5.4-26.3 0.1-31.7 12.1l-71.3 160c-5.4 12.1 0.1 26.3 12.1 31.7z" fill="#089949"/>
+	<path d="m960 353.1h-175.2c-31.3 0-56.8-25.5-56.8-56.8v-175.2c0-31.3 25.5-56.8 56.8-56.8h175.2c31.3 0 56.8 25.5 56.8 56.8v175.2c0 31.3-25.5 56.8-56.8 56.8zm-175.2-256c-13.2 0-24 10.8-24 24v175.2c0 13.2 10.8 24 24 24h175.2c13.2 0 24-10.8 24-24v-175.2c0-13.2-10.8-24-24-24z" fill="#f9b21d"/>
+	<path d="m303.9 153.2-23.6 52.8c-0.3 0.6-0.6 1.1-0.9 1.6l9.2 56.8c2.1 13.1-6.8 25.4-19.8 27.5l-173 28c-6.3 1-12.7-0.5-17.9-4.2s-8.6-9.3-9.6-15.6l-28-173c-1-6.3 0.5-12.7 4.2-17.9s9.3-8.6 15.6-9.6l173-28c1.3-0.2 2.6-0.3 3.8-0.3 11.5 0 21.8 8.4 23.7 20.2l9.3 57.2 24.4-54.7-1.3-7.7c-5-30.9-34.2-52-65.1-47l-173 28c-14.9 2.3-28.1 10.4-36.9 22.7-8.9 12.3-12.4 27.3-10 42.3l28 173c2.4 15 10.5 28.1 22.8 37 9.7 7.1 21.2 10.7 33.1 10.7 3 0 6.1-0.2 9.2-0.7l173-28c30.9-5 52-34.2 47-65.1z" fill="#e42527"/>
+	<path d="m511.4 235.8 25.4-56.9-7.2-52.9c-0.9-6.3 0.8-12.6 4.7-17.7s9.5-8.4 15.9-9.2l173.6-23.6c1.1-0.1 2.2-0.2 3.3-0.2 5.2 0 10.2 1.7 14.5 4.9 0.8 0.6 1.5 1.3 2.2 1.9 7.7-8.1 17.8-13.9 29.1-16.4-3.2-4.4-7-8.3-11.5-11.7-12.1-9.2-27-13.1-42-11.1l-173.8 23.6c-15 2-28.4 9.8-37.5 21.9-9.2 12.1-13.1 27-11.1 42z" fill="#226db4"/>
+	<path d="m806.8 265.1-22.8-168c-12.8 0.4-23.1 11-23.1 23.9v49.3l13.5 99.2c0.9 6.3-0.8 12.6-4.7 17.7s-9.5 8.4-15.9 9.2l-173.6 23.6c-6.3 0.9-12.6-0.8-17.7-4.7s-8.4-9.5-9.2-15.9l-8-58.9-25.4 56.9 0.9 6.4c2 15 9.8 28.4 21.9 37.5 10 7.6 21.9 11.6 34.3 11.6 2.6 0 5.2-0.2 7.8-0.5l173.4-23.4c15-2 28.4-9.8 37.5-21.9 9.2-12.1 13.1-27 11.1-42z" fill="#226db4"/>
+	<path d="m655.4 415.6c0-15 11-25.8 26-25.8 15.5 0 26 10.6 26 25.9 0 15.5-10.7 26.2-26.2 26.2-15.6 0-25.8-10.7-25.8-26.3zm40 0.2c0-9.1-4.4-16.9-14.3-16.9-10 0-13.8 8.1-13.8 17.3 0 8.7 4.7 16.7 14.3 16.7 9.9-0.1 13.8-8.6 13.8-17.1zm-150.9-25.2h7.4c1.1 0 2 0.9 2 2v18.6h21v-18.6c0-1.1 0.9-2 2-2h7.4c1.1 0 2 0.9 2 2v46.5c0 1.1-0.9 2-2 2h-7.3c-1.1 0-2-0.9-2-2v-18.8h-21v18.8c0 1.1-0.9 2-2 2h-7.4c-1.1 0-2-0.9-2-2v-46.5c-0.1-1.1 0.8-2 1.9-2zm-123.1 25c0-15 11-25.8 26-25.8 15.5 0 26 10.6 26 25.9 0 15.5-10.7 26.2-26.2 26.2-15.6 0-25.8-10.7-25.8-26.3zm40.1 0.2c0-9.1-4.4-16.9-14.3-16.9-10 0-13.8 8.1-13.8 17.3 0 8.7 4.7 16.7 14.3 16.7 9.9-0.1 13.8-8.6 13.8-17.1zm-144.5 20.4 24.8-36.6h-20.4c-1.1 0-2-0.9-2-2v-4.9c0-1.1 0.9-2 2-2h33.5c1.1 0 2 0.9 2 2v1.9c0 0.4-0.1 0.8-0.3 1.1l-24.3 36.6h21.8c1.1 0 2 0.9 2 2v4.9c0 1.1-0.9 2-2 2h-35.4c-1.1 0-2-0.9-2-2v-1.8c-0.1-0.5 0.1-0.9 0.3-1.2z"/>
+</svg>
\ No newline at end of file
diff --git a/packages/infrastructure/pf_website/main.tf b/packages/infrastructure/pf_website/main.tf
index 40690b1b..0d7f7495 100644
--- a/packages/infrastructure/pf_website/main.tf
+++ b/packages/infrastructure/pf_website/main.tf
@@ -128,6 +128,7 @@ module "ingress" {
   }]
 
   cors_enabled                   = true
+  cross_origin_embedder_policy   = "credentialless"
   csp_enabled                    = true
   cross_origin_isolation_enabled = true
   rate_limiting_enabled          = true
diff --git a/packages/reference/environments/production/global/aws_dns_records/terragrunt.hcl b/packages/reference/environments/production/global/aws_dns_records/terragrunt.hcl
index 7f484c6e..5c502523 100644
--- a/packages/reference/environments/production/global/aws_dns_records/terragrunt.hcl
+++ b/packages/reference/environments/production/global/aws_dns_records/terragrunt.hcl
@@ -14,8 +14,9 @@ inputs = {
         {
           subdomain = ""
           records = [
-            "1 smtp.google.com",
-            "15 ykrmc2xumckkmgqlgjjfkkzqcicjvadyfo5f7dpclaamrtcg7wca.mx-verification.google.com."
+            "10 mx.zoho.com",
+            "20 mx2.zoho.com",
+            "50 mx3.zoho.com"
           ]
         }
       ]
@@ -27,16 +28,24 @@ inputs = {
         },
         // DKIM (email)
         {
-          subdomain = "google._domainkey."
+          subdomain = "zmail._domainkey."
           records = [
-            "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyxt/FeLUEOazF2WCv+nj78WxNqpsByyiSgl0u9pGkAmyuEVhhUEp8oYWBt2pHkycCugCkW7tmk3ZaO+TrZ/sw5B/VlyUgaZKLcSngalzUYOvsNU5FREm1KE+MkcX610+h0PTdBQZ32MBg8yMcxKmt+FYHX7tTa5jzbai+5pTr5lVsU9ZYOnURHL9K1+itUwxyJz8VqaiqhR8wMV8tpWpLuDy6RFkatJgo8U1EohlhLQzjJTN4HUF/rjxoLEs18kTRR2ZzA3Esvi8FmERfAaO2chIldP60vBU78VAVHwi+pMavKb8U0pAyTVS/GjOQMjIRycCY7iGrvOWF2Yv6qRb/QIDAQAB"
+            "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxby/gQFkDpFdPv/SeR80eFSoxZZp8e/hJ+50WP5bEONClM4U83oFbJLUuGeRvMBmKsrWd5vVJq6THjDlwPAw73T8rpDSvy4bNHeuaC3x/GxalGaVTTserDvUvGpgV07EYdWq+0IaddbNzzDkahPXnLbBhkmvJubbuTTwXKomARwIDAQAB"
+          ]
+        },
+        // DKIM (CRM)
+        {
+          subdomain = "1522905413783._domainkey."
+          records = [
+            "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCr6KMgdxxgg7oT3ulMwPJs9RXgXDrI9UWU118pHEMohl3UbL3Jwp4oxp/9N3thh/3WCJnYV134zbEVolZwqaT3JsFEq/mQ/RpW/JnOZ3rnxqJPurb2bcfJol4SDxiWVObzHX31xnANzFcXnq1/5dMK5QvW4Jh7n0fm4+4ywqiy2QIDAQAB"
           ]
         },
         {
           subdomain = ""
           records = [
-            "MS=ms89071327",                      // AAD Domain Ownership
-            "v=spf1 include:_spf.google.com ~all" // SPF record authorizing email senders
+            "MS=ms89071327",                                                                 // AAD Domain Ownership
+            "v=spf1 include:one.zoho.com include:zohomail.com include:_spf.google.com ~all", // SPF record authorizing email senders
+            "zoho-verification=zb69684923.zmverify.zoho.com"                                 // Zoho Domain Ownership
           ]
         }
       ]
diff --git a/packages/reference/environments/production/us-east-2/authentik_zoho_sso/.terraform.lock.hcl b/packages/reference/environments/production/us-east-2/authentik_zoho_sso/.terraform.lock.hcl
new file mode 100644
index 00000000..d5a71b7a
--- /dev/null
+++ b/packages/reference/environments/production/us-east-2/authentik_zoho_sso/.terraform.lock.hcl
@@ -0,0 +1,79 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/goauthentik/authentik" {
+  version     = "2024.2.0"
+  constraints = "2024.2.0"
+  hashes = [
+    "h1:AeyEcplt1WTQijM1d2E1pBPemcL57WC5bZr7y1XNui4=",
+    "zh:03b13879c66d1536f250c91f61ba078cc34af2fec271ea19c838a719dd4f1baa",
+    "zh:1c4d93aa3de72e4b00ac33fc0d4134fc5a641b863e9cd9afdc1105a4024fc8f0",
+    "zh:50d2f5b71ea5410633dbc8b143bef6fa77a9670a07a3fd85f9921e1094ab416e",
+    "zh:5320a267adb8506c23941df1c4cba56a176d0b9e0441f247fe714d34a514fcc8",
+    "zh:58376699c8941c109e49db7edfca4f83ec47b5b46619346380ca79d50902623e",
+    "zh:61f86a37dcb30167d1bfb84428b821de10c73cdec1ef911f167991ebc7eb9cd5",
+    "zh:6e99b5cf0f5987e3e3e24e26af12084f741a0f0b79a04d0b7e6703525cf4633e",
+    "zh:81c39322353f7da1c84c4ec82b6e7de70131156b256de21aee741240694e5bef",
+    "zh:bbec3872accea0294c86f812d668f9e2e8255b3d1f7424b39ddc261d6d02e036",
+    "zh:c1b56e5c4e82c683baf7854153caa85c600001ca6d1405f0d82a1aa29a600375",
+    "zh:cf4e41422aba2435f68bf1cf6c1e83315fe70c810dfd7e81a581d94490d6870b",
+    "zh:d86a2383e7fae38c9ea80f87d27d34d46a13fa24579b4612a248c888a3c9e265",
+    "zh:df693bc3156a2d632843abad9294d9192d1569039800c59e8a594c1b8e0fc9df",
+    "zh:e1a7148102d5a169dfb24c0de8441f3a9c25363976f4f2ce97f4c0b2e904302c",
+  ]
+}
+
+provider "registry.opentofu.org/hashicorp/kubernetes" {
+  version     = "2.27.0"
+  constraints = "2.27.0"
+  hashes = [
+    "h1:Jtbdvbq8kIXUENtH3tVwgcjHqbuYp1pGfg4gFocY+e4=",
+    "h1:n/0Lc+5sJidhC2BCDYGBTU/zLMludBglLcz6YeFs1c0=",
+    "zh:1146f53fb39fd4bcea5574303c4871001a97d7891f65a60a4ecbc64da2a90d75",
+    "zh:1f7e3dc0dbb854f56a0f5ba3c50588272984ae9775da027c3c7f32cb6d8245b0",
+    "zh:2166f7fdade75266658603280bc822edab848e52a674340485847dde1c5d9324",
+    "zh:21a97530857330d2013aa66fb7afebb44fe4a5543418d0a3ca93750acd11fea5",
+    "zh:2d4b9fea7e99750647e1cd8df9a67cba45905825867dd19ab01411dad6b8c6fd",
+    "zh:de30e92e638b95e56dbb2232cb9a6f6a69346ecb3644965e9be715eaf29f22ff",
+    "zh:f4ae951c9add4349a498f44c3f5768cbaf7a966392a0e7632de288889e7cd5d9",
+    "zh:f54ecb1917dfa198933d72632ea6f0aa4da3ead070d6b9765ec1d3b7da60e827",
+    "zh:fba8a2f192eb5fe248708b9037db046e0d9176e7c54c6edc6f6aa55d50474082",
+    "zh:fe525956f3e54f0bbd2891a6abad1f807b4763b8dc734d810e223876741fefa3",
+  ]
+}
+
+provider "registry.opentofu.org/hashicorp/random" {
+  version     = "3.6.0"
+  constraints = "3.6.0"
+  hashes = [
+    "h1:/xwPFz7kMERBIEk8i6UJt2fTvgzMFbwKlcyCvRJO8Ok=",
+    "zh:486a1c921eab5c51a480f2eb0ad85173f207c9b7bb215f3893e58bc38d3b7c75",
+    "zh:6901b3afa4607d1e31934ba91ed2625215ada42b3518c3a9adeeac7a5f656dc3",
+    "zh:7e93752c9de710e417191353ad1a41b5a60432ab7ef4f8b556bf248297ec5e23",
+    "zh:c795d3d319e8ee7be972746b935963b7e772a6a14080261a35c03915c1f9ccb2",
+    "zh:cd4f8bcaf332828d1736c73874549c25e427737f136173c7b61e2df3db50e5d9",
+    "zh:e0103eb2e280989c3d9ffda5d6b413e8f583be21bc1d5754c6e9ca87ecc1c44a",
+    "zh:f4fbec2510322d5b7ad584a92436b5dbd0f2e897a3ec538932af59e245a4c8e4",
+    "zh:f5418842afd4aa7676e2456e425e8f573cb2b9bffd29bd7de09d91845644ab24",
+    "zh:f572a26f93d00ec42461ce478678366e570fa4497e2273f9d47f24cdfc4b42b4",
+    "zh:ff1f07c561a3f7f219b6fee1647a559933b5dd6181753e164c3978fd47a11685",
+  ]
+}
+
+provider "registry.opentofu.org/hashicorp/tls" {
+  version     = "4.0.5"
+  constraints = "4.0.5"
+  hashes = [
+    "h1:zEH0OgSkeXDqNWzmOUWDczrUwyyujAHvnbW79qdxVMI=",
+    "zh:05a7dc3ac92005485714f87541ad6d0d478988b478c5774227a7d39b01660050",
+    "zh:547e0def44080456169bf77c21037aa6dc9e7f3e644a8f6a2c5fc3e6c15cf560",
+    "zh:6842b03d050ae1a4f1aaed2a2b1ca707eae84ae45ae492e4bb57c3d48c26e1f1",
+    "zh:6ced0a9eaaba12377f3a9b08df2fd9b83ae3cb357f859eb6aecf24852f718d9a",
+    "zh:766bcdf71a7501da73d4805d05764dcb7c848619fa7c04b3b9bd514e5ce9e4aa",
+    "zh:84cc8617ce0b9a3071472863f43152812e5e8544802653f636c866ef96f1ed34",
+    "zh:b1939e0d44c89315173b78228c1cf8660a6924604e75ced7b89e45196ce4f45e",
+    "zh:ced317916e13326766427790b1d8946c4151c4f3b0efd8f720a3bc24abe065fa",
+    "zh:ec9ff3412cf84ba81ca88328b62c17842b803ef406ae19152c13860b356b259c",
+    "zh:ff064f0071e98702e542e1ce00c0465b7cd186782fe9ccab8b8830cac0f10dd4",
+  ]
+}
diff --git a/packages/reference/environments/production/us-east-2/authentik_zoho_sso/module.yaml b/packages/reference/environments/production/us-east-2/authentik_zoho_sso/module.yaml
new file mode 100644
index 00000000..69481af4
--- /dev/null
+++ b/packages/reference/environments/production/us-east-2/authentik_zoho_sso/module.yaml
@@ -0,0 +1,5 @@
+providers:
+  - authentik
+  - tls
+  - random
+  - kubernetes
\ No newline at end of file
diff --git a/packages/reference/environments/production/us-east-2/authentik_zoho_sso/terragrunt.hcl b/packages/reference/environments/production/us-east-2/authentik_zoho_sso/terragrunt.hcl
new file mode 100644
index 00000000..bc94b15b
--- /dev/null
+++ b/packages/reference/environments/production/us-east-2/authentik_zoho_sso/terragrunt.hcl
@@ -0,0 +1,34 @@
+include "panfactum" {
+  path   = find_in_parent_folders("panfactum.hcl")
+  expose = true
+}
+
+terraform {
+  source = include.panfactum.locals.pf_stack_source
+}
+
+dependency "authentik_core" {
+  config_path = "../authentik_core_resources"
+}
+
+dependency "kube_authentik" {
+  config_path = "../kube_authentik"
+}
+
+inputs = {
+  zoho_acs_url     = "https://accounts.zoho.com/signin/samlsp/845266711"
+  zoho_sign_in_url = "https://accounts.zoho.com/samlauthrequest/panfactum.com?serviceurl=https://one.zoho.com"
+
+  organization_name   = dependency.authentik_core.outputs.organization_name
+  authentik_namespace = dependency.kube_authentik.outputs.namespace
+  media_configmap     = dependency.kube_authentik.outputs.media_configmap
+  authentik_domain    = dependency.kube_authentik.outputs.domain
+
+  allowed_groups = [
+    "superusers",
+    "privileged_engineers",
+    "engineers",
+    "restricted_engineers",
+    "billing_admins"
+  ]
+}
diff --git a/packages/reference/environments/production/us-east-2/pf_website/version.yaml b/packages/reference/environments/production/us-east-2/pf_website/version.yaml
index eb46875d..e13bcb1e 100644
--- a/packages/reference/environments/production/us-east-2/pf_website/version.yaml
+++ b/packages/reference/environments/production/us-east-2/pf_website/version.yaml
@@ -1 +1 @@
-version: alpha.30
+version: alpha.36
diff --git a/packages/website/src/app/(web)/docs/reference/infrastructure-modules/authentik_aws_sso/page.mdx b/packages/website/src/app/(web)/docs/reference/infrastructure-modules/authentik_aws_sso/page.mdx
index 45fc7ef4..7efba26b 100644
--- a/packages/website/src/app/(web)/docs/reference/infrastructure-modules/authentik_aws_sso/page.mdx
+++ b/packages/website/src/app/(web)/docs/reference/infrastructure-modules/authentik_aws_sso/page.mdx
@@ -36,19 +36,19 @@ Type: `string`
 
 ### <a name="input_aws_acs_url" /> [aws\_acs\_url](#input_aws_acs_url)
 
-Description: The ACS url provided by AWS when configuring and external identity provider
+Description: The ACS url provided by AWS when configuring an external identity provider
 
 Type: `string`
 
 ### <a name="input_aws_issuer" /> [aws\_issuer](#input_aws_issuer)
 
-Description: The Issuer url provided by AWS when configuring and external identity provider
+Description: The Issuer url provided by AWS when configuring an external identity provider
 
 Type: `string`
 
 ### <a name="input_aws_sign_in_url" /> [aws\_sign\_in\_url](#input_aws_sign_in_url)
 
-Description: The Sign-in url provided by AWS when configuring and external identity provider
+Description: The sign-in url provided by AWS when configuring an external identity provider
 
 Type: `string`
 
diff --git a/packages/website/src/app/(web)/docs/reference/infrastructure-modules/authentik_zoho_sso/page.mdx b/packages/website/src/app/(web)/docs/reference/infrastructure-modules/authentik_zoho_sso/page.mdx
new file mode 100644
index 00000000..1040597d
--- /dev/null
+++ b/packages/website/src/app/(web)/docs/reference/infrastructure-modules/authentik_zoho_sso/page.mdx
@@ -0,0 +1,119 @@
+{/* lint disable no-duplicate-headings */}
+
+# AWS SSO with Zoho
+
+**Source Code:** [Link](https://github.com/Panfactum/stack/tree/__currentPanfactumVersion__/packages/infrastructure/authentik_zoho_sso)
+
+**Type:** [Live](/docs/reference/infrastructure-modules/overview)
+
+## Providers
+
+The following providers are needed by this module:
+
+* [authentik](#requirement_authentik) (2024.2.0)
+
+* [kubernetes](https://registry.terraform.io/providers/hashicorp/kubernetes/2.27.0/docs) (2.27.0)
+
+* [random](https://registry.terraform.io/providers/hashicorp/random/3.6.0/docs) (3.6.0)
+
+* [tls](#requirement_tls) (4.0.5)
+
+## Required Inputs
+
+The following input variables are required:
+
+### <a name="input_authentik_domain" /> [authentik\_domain](#input_authentik_domain)
+
+Description: The domain name of the authentik instance
+
+Type: `string`
+
+### <a name="input_authentik_namespace" /> [authentik\_namespace](#input_authentik_namespace)
+
+Description: The kubernetes namespace where Authentik is deployed
+
+Type: `string`
+
+### <a name="input_media_configmap" /> [media\_configmap](#input_media_configmap)
+
+Description: The configmap holding the static media that Authentik will use
+
+Type: `string`
+
+### <a name="input_organization_name" /> [organization\_name](#input_organization_name)
+
+Description: The name of your organization
+
+Type: `string`
+
+### <a name="input_zoho_acs_url" /> [zoho\_acs\_url](#input_zoho_acs_url)
+
+Description: The ACS url provided by Zoho when configuring an external identity provider
+
+Type: `string`
+
+### <a name="input_zoho_sign_in_url" /> [zoho\_sign\_in\_url](#input_zoho_sign_in_url)
+
+Description: The sign-in url provided by Zoho when configuring an external identity provider
+
+Type: `string`
+
+## Optional Inputs
+
+The following input variables are optional (have default values):
+
+### <a name="input_allowed_groups" /> [allowed\_groups](#input_allowed_groups)
+
+Description: Only members of these groups can access AWS
+
+Type: `set(string)`
+
+Default: `[]`
+
+### <a name="input_ui_description" /> [ui\_description](#input_ui_description)
+
+Description: The description to display in the Authentik web dashboard
+
+Type: `string`
+
+Default: `"Zoho"`
+
+### <a name="input_ui_group" /> [ui\_group](#input_ui_group)
+
+Description: The section in the Authentik web dashboard that this will appear in
+
+Type: `string`
+
+Default: `"Admin"`
+
+### <a name="input_zoho_issuer" /> [zoho\_issuer](#input_zoho_issuer)
+
+Description: The issuer provided by Zoho when configuring an external identity provider
+
+Type: `string`
+
+Default: `"zoho.com"`
+
+## Outputs
+
+The following outputs are exported:
+
+### <a name="output_saml_metadata" /> [saml\_metadata](#output_saml_metadata)
+
+Description: n/a
+
+## Usage
+
+### Sign-in URL
+
+For IDP-initiated logins, the `zoho_sign_in_url` variable must be provided.
+
+This is not found in the Zoho web UI and must be constructed manually.
+
+It is of the form `https://accounts.zoho.com/samlauthrequest/<domain>?serviceurl=<zoho_service>` where
+
+* `<domain>` is a domain **that has been verified with Zoho**
+
+* `<zoho_service>` is the `https` url of a Zoho service (e.g., `https://one.zoho.com`)
+
+{/* lint enable no-duplicate-headings */}
diff --git a/packages/website/src/app/(web)/docs/reference/infrastructure-modules/modules.json b/packages/website/src/app/(web)/docs/reference/infrastructure-modules/modules.json
index 11da63aa..8c81b1ac 100644
--- a/packages/website/src/app/(web)/docs/reference/infrastructure-modules/modules.json
+++ b/packages/website/src/app/(web)/docs/reference/infrastructure-modules/modules.json
@@ -3,6 +3,7 @@
     "authentik_aws_sso",
     "authentik_core_resources",
     "authentik_vault_sso",
+    "authentik_zoho_sso",
     "aws_account",
     "aws_account_permission_binding",
     "aws_cloudwatch_log_group",
diff --git a/packages/website/src/app/(web)/stack/pricing/page.mdx b/packages/website/src/app/(web)/stack/pricing/page.mdx
deleted file mode 100644
index c68b3cbd..00000000
--- a/packages/website/src/app/(web)/stack/pricing/page.mdx
+++ /dev/null
@@ -1,3 +0,0 @@
-# Pricing
-
-TODO
diff --git a/packages/website/src/app/(web)/stack/pricing/page.tsx b/packages/website/src/app/(web)/stack/pricing/page.tsx
new file mode 100644
index 00000000..a87a0945
--- /dev/null
+++ b/packages/website/src/app/(web)/stack/pricing/page.tsx
@@ -0,0 +1,3 @@
+export default function Page () {
+  return (<div/>)
+}
diff --git a/packages/website/src/app/layout.tsx b/packages/website/src/app/layout.tsx
index c966e7b3..1f189698 100644
--- a/packages/website/src/app/layout.tsx
+++ b/packages/website/src/app/layout.tsx
@@ -1,6 +1,6 @@
-import { headers } from 'next/headers'
 import 'katex/dist/katex.min.css'
 import './globals.css'
+import Script from 'next/script'
 import React, { type ReactNode } from 'react'
 
 import ThemeRegistry from '@/components/ThemeRegistry'
@@ -15,10 +15,15 @@ export const metadata = {
 export default function RootLayout (
   { children } : {children: ReactNode}
 ) {
-  const nonce = headers().get('x-nonce')
   return (
 
-    <ThemeRegistry options={{ key: 'mui', prepend: true, nonce: nonce === null ? undefined : nonce }}>
+    <ThemeRegistry options={{ key: 'mui', prepend: true }}>
+      {process.env.NODE_ENV === 'production' && (
+        <Script
+          src="https://cdn.pagesense.io/js/panfactumllc/45522f8c2b43455886f060a28de4fa9e.js"
+          strategy="afterInteractive"
+        />
+      )}
       <html lang="en">
         <body
           id="root"
diff --git a/packages/website/src/middleware.ts b/packages/website/src/middleware.ts
index d9940f4a..5ddebb02 100644
--- a/packages/website/src/middleware.ts
+++ b/packages/website/src/middleware.ts
@@ -2,12 +2,11 @@ import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
 
 export function middleware (request: NextRequest) {
-  const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
   const cspHeader = `
-    default-src 'self';
-    script-src 'self' 'nonce-${nonce}' 'strict-dynamic' ${process.env.NODE_ENV === 'production' ? '' : '\'unsafe-eval\''};
+    default-src 'self' https://pagesense-collect.zoho.com https://cdn.pagesense.io;
+    script-src 'self' 'unsafe-inline' https://pagesense-collect.zoho.com https://cdn.pagesense.io https://static.zohocdn.com ${process.env.NODE_ENV === 'production' ? '' : '\'unsafe-eval\''};
     style-src 'self' 'unsafe-inline';
-    img-src 'self' blob: data:;
+    img-src 'self' https://pagesense-collect.zoho.com blob: data:;
     font-src 'self' https:;
     object-src 'none';
     base-uri 'self';
@@ -21,7 +20,6 @@ export function middleware (request: NextRequest) {
     .trim()
 
   const requestHeaders = new Headers(request.headers)
-  requestHeaders.set('x-nonce', nonce)
 
   requestHeaders.set(
     'Content-Security-Policy',