Add a Smart Card IdP

The Smart Card feature in Okta allows your end users to use smart cards with a x.509 compliant digital certificate, such as a PIV card, as a primary authentication factor to sign in to Okta.

A personal identity verification (PIV) card is a United States federal smart card that contains the necessary data for the cardholder to be granted access to federal facilities and information systems and assure appropriate levels of security for all applicable federal applications. PIV cards are very strong authenticators (up to IAL3/AAL3, per NIST guidance), which can replace the username and password as an authentication method where supported.

Typical workflow for configuring a Smart Card

Task

Description

Format a PKI Certificate Chain

If you're using more than one certificate, follow this procedure to combine them into a single file.

Add a Smart Card identity provider

To add a Smart Card identity provider, you must provide a name, the certificate chain, and specify the amount of time for Okta to consider the CRL valid after a successful download.

Sign in with a Smart Card/PIV as an end user

Test your Smart Card or PIV card configuration by signing in as an end user.

If Sign in with PIV / CAC card is selected and multiple Smart Card/PIV identity providers are configured, the sign in request will be evaluated against all active smart card IdPs regardless of routing rules. If multiple IdPs could match, the first match is returned.

Troubleshooting Smart Card/PIV authentication

If authentication with a Smart Card or PIV card fails, check the troubleshooting items.

Related topics

Add a SAML 2.0 IdP