Add a Smart Card identity provider

To add a smart card identity provider, you must provide a name, the certificate chain, and specify the amount of time for Okta to consider the certificate revocation list(CRL) valid after a successful download.

Before you begin

Download the certificate chain for the Certificate Authority that issued your organization's Smart Cards.

Certificates must be in Privacy Enhanced Mail (PEM) or Distinguished Encoding Rules(DER) format.
If there are multiple certs in the chain, they must be in a single .DER or .PEM file, appended in order with the root certificate last, as described in Format a PKI Certificate Chain


  1. In the Admin Console, go to Security > Identity Providers.
  2. Click Add Identity Provider, and then select Add Smart Card.
  3. In the Add Identity Provider dialog, enter information for your organization.
    • Name: Enter the user friendly name of this Identity Provider.
    • Certificate Chain: Click Browse files... to launch a file picker. Choose the certificate chain for the issuing authority.
    • IdP Username: Specify which attribute of the certificate should be used to locate the Okta user.
      Can be any of:

      idp Username also accepts an Okta expression language expression, see Smart card idpuser expressions and Expressions and examples for details.

    • Match Against: Specify whether Okta should match against Email, Okta Username, or Email or Okta Username. For a user to sign in to Okta, their user account must already exist and either the email address or the Okta username must match the attribute or expression defined above.
    • If the IDP Extensible Matching feature is enabled, you can then choose from a list of custom attributes to use for matching. With this feature, the "Okta Username or Email" combination is not available.

  4. Click Add Identity Provider or Save to continue. The org is now configured to accept PIV cards as an alternate form of authentication.

Next task

Sign in with a Smart Card/PIV as an end user

Related topics

Smart card idpuser expressions

Expressions and examples