Add a Smart Card Identity Provider

Add a Smart Card as an Identity Provider (IdP) and configure its settings. This allows your end users to sign in using their Personal Identity Verification (PIV) or Common Access Card (CAC) credentials.

Add a Smart Card Identity Provider

  1. In the Admin Console, go to Security > Identity Providers.
  2. Click Add identity provider.
  3. Select Smart Card and click Next. The Configure Smart Card IdP page opens.

Configure the Smart Card Identity Provider

On the Configure Smart Card IdP page, configure the following settings:

Field

Value

Name

Enter a name for the identity provider. End users see this name when they sign in.

Upload certificate chain files

Upload certificate files to build your certificate chain. The files must be in .pem or .der format.

Upload all the files and click Build certificate chain. The chain and its certificates are displayed.

Click Reset certificate chain to replace the current chain with a new one.

Cache CRL for

Select the duration for which Okta should consider the CRL valid after it's successfully downloaded.

This option is scheduled for deprecation. Okta will provide an automatic and more resilient CRL caching mechanism if and when this option is deprecated.

IdP username

Select a Smart Card attribute from the dropdown menu to use as the IdP username. You can also define a custom username using Okta Expression Language. See Smart card idpUser expressions and Expressions.

Match against

Select an Okta attribute from the dropdown menu. The IdP username is matched against this value to find an existing user account in Okta.

This Smart Card IdP is

Select the security characteristics associated with this Smart Card IdP: PIN protected, Hardware protected.

Okta uses these characteristics to determine how this IdP is prompted for users in policies.

After you've configured the settings, click Finish. The Smart Card IdP appears in the list on the Identity Providers page.
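A pre-upload check for the files described under Upload certificate chain files, as an added example that is not part of Okta's documentation or tooling. It classifies each file's bytes as PEM or DER regardless of extension, counts the certificates in a PEM bundle, and flags private key blocks that should never be uploaded. The function names and the sample bytes are constructed for illustration.

```python
import base64
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
# Constructed placeholder, NOT a real certificate: a DER SEQUENCE holding INTEGER 1.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

def der_length_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE with no trailing bytes (framing only)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:  # short-form length
        header, length = 2, first
    else:  # long form: the next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def inspect_cert_file(data: bytes) -> dict:
    """Classify a file's bytes as PEM or DER, count certificates, and list problems."""
    report = {"format": None, "certificates": 0, "problems": []}
    if b"-----BEGIN " in data:
        report["format"] = "pem"
        for label, body in PEM_BLOCK.findall(data):
            if b"PRIVATE KEY" in label:
                report["problems"].append("private key block present; do not upload it")
            elif label != b"CERTIFICATE":
                report["problems"].append("unexpected PEM block: " + label.decode())
            else:
                try:
                    der = base64.b64decode(b"".join(body.split()), validate=True)
                except ValueError:  # binascii.Error is a ValueError subclass
                    der = b""
                if der_length_ok(der):
                    report["certificates"] += 1
                else:
                    report["problems"].append("CERTIFICATE block is not well-formed base64 DER")
    elif der_length_ok(data):
        report["format"], report["certificates"] = "der", 1
    else:
        report["problems"].append("neither PEM text nor a single DER structure")
    if report["certificates"] == 0 and not report["problems"]:
        report["problems"].append("no certificate found")
    return report
```

The check covers encoding and framing only; it does not parse X.509 fields or verify signatures, expiry, or chain order.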

Next steps

Sign in with a Smart Card/PIV as an end user