Add a Smart Card identity provider

Add a Smart Card as an identity provider (IdP) and configure its settings. This allows your end users to sign in using their Personal Identity Verification (PIV) or Common Access Card (CAC) credentials.

Add a Smart Card IdP

  1. In the Admin Console, go to Security > Identity Providers.

  2. Click Add identity provider.
  3. Select Smart Card and click Next. The Configure Smart Card IdP page opens.

Configure the Smart Card IdP

On the Configure Smart Card IdP page, configure the following settings:

Field Value

Name

Enter a name for the IdP. End users see this name when they sign in.

Upload certificate chain files

Upload certificate files to build your certificate chain. The files must be in .pem or .der format.

Upload all the files and click Build certificate chain. The chain and its certificates appear.

Click Reset certificate chain to replace the current chain with a new one.
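Before uploading, it helps to confirm that each file really is one PEM or DER certificate and is complete, since a PEM bundle that holds several certificates, a DER file with a stray extension, or a truncated download is a common reason a chain fails to build. The following pre-upload check is an added example written for this page, not Okta's code: it classifies each file by content rather than by extension, splits PEM bundles into single certificates, verifies the outer DER SEQUENCE length matches the file length, and returns one PEM blob per certificate. The sample bytes are constructed minimal DER structures (not real certificates) so the framing logic can run offline; the check says nothing about certificate validity, which Okta's Build certificate chain step decides.

```python
"""Pre-upload sanity check for Smart Card IdP chain files (.pem / .der).

Added example, not Okta code. Classifies files by content, splits PEM
bundles, checks DER framing, and returns normalized PEM blobs.
"""
from __future__ import annotations
import base64
import re
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_outer_length(data: bytes):
    """Declared total length of the outer DER SEQUENCE, or None if the bytes
    do not start with a well-formed SEQUENCE header (tag 0x30)."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                 # short form: one length byte
        return 2 + first
    n = first & 0x7F                 # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def normalize_chain_files(files: dict):
    """files: file name -> raw bytes. Returns (pem_blobs, problems)."""
    pems, problems = [], []
    for name, raw in files.items():
        blocks = PEM_BLOCK.findall(raw)
        if blocks:                   # PEM (possibly a bundle of several certs)
            for b64 in blocks:
                der = base64.b64decode(b"".join(b64.split()))
                if der_outer_length(der) != len(der):
                    problems.append(f"{name}: PEM block is not a complete DER SEQUENCE")
                    continue
                pems.append(ssl.DER_cert_to_PEM_cert(der))
            continue
        declared = der_outer_length(raw)
        if declared is None:
            problems.append(f"{name}: neither PEM nor DER")
        elif declared != len(raw):
            problems.append(f"{name}: DER length mismatch (declared {declared}, "
                            f"got {len(raw)}); truncated or trailing bytes")
        else:                        # well-framed DER: wrap as PEM for upload
            pems.append(ssl.DER_cert_to_PEM_cert(raw))
    return pems, problems


# Constructed sample input: SEQUENCE { INTEGER 5 }, NOT a real certificate.
FAKE_DER = b"\x30\x03\x02\x01\x05"
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
SAMPLE_FILES = {
    "bundle.pem": FAKE_PEM * 2,      # two certificates in one bundle
    "leaf.der": FAKE_DER,
    "truncated.der": FAKE_DER[:-1],  # one byte short
    "notes.txt": b"not a certificate",
}


def check_samples():
    return normalize_chain_files(SAMPLE_FILES)


if __name__ == "__main__":
    blobs, issues = check_samples()
    print(f"{len(blobs)} certificate(s) ready to upload; {len(issues)} problem(s)")
    for issue in issues:
        print(" -", issue)
```

Each returned PEM blob can be saved as its own file for upload; `ssl.DER_cert_to_PEM_cert` only re-encodes, so a DER file that passes the framing check is uploaded as-is in PEM form.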

This Smart Card IdP is

Select the security characteristics associated with this Smart Card IdP: PIN protected, Hardware protected.

Okta uses these characteristics to determine how this IdP is prompted for users in policies.

IdP username

Select a Smart Card attribute from the dropdown menu to use as the IdP username. You can also define a custom username using Okta Expression Language. See Smart Card idpUser expressions and Expressions.

Match against

Select an Okta attribute from the dropdown menu. The IdP username is matched against this value to find an existing user account in Okta.

Allow multiple identities matching the criteria

Optional. Select the checkbox if you want to allow matching the IdP username with multiple identities that meet the Match against criteria. This allows your end users to use one Smart Card for different identities and authenticate into corresponding accounts.

If no match is found during enrollment

Select what to do if no matching user account is found in Okta during enrollment when the Smart Card authenticator is configured.

  • Deny enrollment: The end user isn't allowed to enroll. This is the most secure option.
  • Assign Smart Card to the user: Assign the Smart Card to the current user.

The following restrictions apply when you select the option to assign the Smart Card to the user:

  • Use a PIN-protected Smart Card.
  • The following profile attributes can't be updated during enrollment:
  • If a matching or mapping attribute is restricted, the enrollment request is denied.
  • Be aware of the risk of unauthorized profile updates, where a user attempts to enroll with a Smart Card and PIN that belongs to another user.

The Smart Card is enrolled for the current user and all attribute values are updated from the Smart Card values.

If no match is found during sign in

Select what to do if no matching user account is found in Okta during a sign-in attempt.

  • Redirect to Okta sign-in page: The end user is redirected to the Okta sign-in page.
  • Create new user (JIT): Okta creates a new Active user in Universal Directory. Specify how to create the Just in Time (JIT) account in JIT settings.

Profile source

Update attributes for existing users: Update the existing user profile with the corresponding mapping attributes retrieved from the Smart Card.

The following restrictions apply:

  • Profile attribute updates require the If no match is found during sign-in setting to be Create new user (JIT).
  • The following profile attributes can't be updated:
  • If any mapping attribute is restricted, the profile isn't updated.
  • If multiple users match the criteria, the profile isn't updated.

Map required profile attributes

Map the Smart Card attributes to the user profile attributes that are required in Okta. The default required Okta user profile attributes are login, first name, last name, and email. However, depending on your configuration, there may be more required profile attributes.

The Smart Card attribute you've selected for IdP username is mapped to the login attribute in Universal Directory when creating a JIT user. In the Profile Editor mappings, ensure the value mapped to the login attribute conforms to your username requirements.

Click Edit profile and mappings to map the values in the Profile Editor. See Map profile attributes.

Specify additional required certificate values

Optional. In addition to the Okta-required values, you can specify more certificate values required to create the JIT account. Certificates without these values are denied access.

Select a Smart Card attribute from the dropdown menu and specify a corresponding required certificate value. You can also define a custom value using Okta Expression Language.

For multiple attributes require

If you require more attributes, select whether all or any of them are required to create the JIT account.

Group assignment

Optional. Select groups to which the user created by JIT is assigned. You can assign the user to multiple groups.
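The settings above interact: whether a profile update happens depends on the sign-in no-match action, required certificate values gate JIT creation, and enrollment assignment is blocked by restricted attributes. The following decision model is an added example written for this page, not Okta's implementation; it replays those rules from the table on constructed data so the combinations can be reasoned about before the IdP is configured. Smart Card attribute names (upn, given, surname, assurance), all user records, and the "ambiguous" outcome for multiple matches without Allow multiple identities are assumptions of the example; the page's list of restricted attributes is not reproduced here, so it is a parameter.

```python
"""Decision model of the Smart Card IdP matching settings (added example,
not Okta code). Attribute names and user records are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field, replace

REQUIRED_PROFILE = ("login", "firstName", "lastName", "email")  # page defaults


@dataclass
class Settings:
    idp_username_attr: str                # Smart Card attribute used as IdP username
    match_against: str                    # Okta attribute it is compared with
    mappings: dict                        # Okta attribute -> Smart Card attribute
    pin_protected: bool = True            # "This Smart Card IdP is: PIN protected"
    allow_multiple: bool = False
    on_no_match_enroll: str = "deny"      # "deny" | "assign"
    on_no_match_signin: str = "redirect"  # "redirect" | "jit"
    update_existing: bool = False
    required_values: dict = field(default_factory=dict)  # card attr -> required value
    require_mode: str = "all"             # "all" | "any"
    jit_groups: list = field(default_factory=list)
    restricted: set = field(default_factory=set)  # placeholder for page's list


def find_matches(card, directory, s):
    username = card.get(s.idp_username_attr)
    return [u for u in directory if username and u.get(s.match_against) == username]


def required_values_ok(card, s):
    """'Specify additional required certificate values' with all/any mode."""
    if not s.required_values:
        return True
    hits = [card.get(a) == v for a, v in s.required_values.items()]
    return all(hits) if s.require_mode == "all" else any(hits)


def mapped_profile(card, s):
    return {okta: card.get(sc) for okta, sc in s.mappings.items()}


def sign_in(card, directory, s):
    """Returns (outcome, users, profile_updated)."""
    matches = find_matches(card, directory, s)
    if len(matches) > 1 and not s.allow_multiple:
        return ("ambiguous", matches, False)  # assumption: not defined on the page
    if matches:
        updated = False
        # Page: update needs sign-in action JIT, exactly one match, no restricted mapping
        if (s.update_existing and s.on_no_match_signin == "jit"
                and len(matches) == 1 and not set(s.mappings) & s.restricted):
            matches[0].update(mapped_profile(card, s))
            updated = True
        return ("signed_in", matches, updated)
    if s.on_no_match_signin == "redirect":
        return ("redirect", [], False)
    if not required_values_ok(card, s):
        return ("denied", [], False)           # certificate lacks required values
    profile = mapped_profile(card, s)
    profile["login"] = card[s.idp_username_attr]   # page: IdP username -> login
    if any(not profile.get(a) for a in REQUIRED_PROFILE):
        return ("denied", [], False)           # assumption: incomplete JIT profile fails
    user = {**profile, "status": "ACTIVE", "groups": list(s.jit_groups)}
    directory.append(user)
    return ("jit_created", [user], False)


def enroll(card, directory, current_user, s):
    """Smart Card authenticator enrollment; returns (outcome, users)."""
    matches = find_matches(card, directory, s)
    if matches:
        return ("matched", matches)
    if s.on_no_match_enroll != "assign" or not s.pin_protected:
        return ("denied", [])
    if s.match_against in s.restricted or set(s.mappings) & s.restricted:
        return ("denied", [])                  # restricted matching/mapping attribute
    current_user.update(mapped_profile(card, s))  # "all attribute values are updated"
    return ("assigned", [current_user])


def _card(upn, given, surname, **extra):       # constructed Smart Card attributes
    return {"upn": upn, "given": given, "surname": surname, "email": upn,
            "assurance": "hardware", **extra}


def run_demo():
    directory = [  # constructed Okta users
        {"login": "alice@example.com", "firstName": "Alice", "lastName": "Ng", "email": "alice@example.com"},
        {"login": "erin@example.com", "firstName": "Erin", "lastName": "Roy", "email": "erin@example.com"},
    ]
    s = Settings("upn", "login", {"firstName": "given", "lastName": "surname", "email": "email"},
                 on_no_match_signin="jit", update_existing=True,
                 required_values={"assurance": "hardware"}, jit_groups=["smart-card-users"])
    out = {}
    out["alice"] = sign_in(_card("alice@example.com", "Alice", "Ng-Lee"), directory, s)
    out["no_update"] = sign_in(_card("alice@example.com", "Alice", "Ng"), directory,
                               replace(s, on_no_match_signin="redirect"))
    out["carol"] = sign_in(_card("carol@example.com", "Carol", "Diaz"), directory, s)
    out["dave"] = sign_in(_card("dave@example.com", "Dave", "Lee", assurance="software"), directory, s)
    out["redirect"] = sign_in(_card("frank@example.com", "Frank", "Wu"), directory,
                              replace(s, on_no_match_signin="redirect"))
    erin_card = _card("erin.alt@example.com", "Erin", "Roy")
    out["deny_enroll"] = enroll(erin_card, directory, directory[1], s)
    out["erin"] = enroll(erin_card, directory, directory[1], replace(s, on_no_match_enroll="assign"))
    return out
```

Running `run_demo()` shows the table's rules in one pass: Alice's profile is updated only while the sign-in no-match action is JIT, Carol is created Active in the configured group, Dave is denied because his certificate lacks the required value, Frank is redirected, and Erin's enrollment is denied under Deny enrollment but succeeds under Assign Smart Card to the user with a PIN-protected IdP.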

After you've configured the settings, click Finish. The Smart Card IdP appears in the list on the Identity Providers page.

Next steps

Test the Smart Card or PIV card configuration