Add a Smart Card Identity Provider

Upload one or more certificates and build the certificate chain used to sign your organization's smart cards. Certificates must be in Privacy Enhanced Mail (PEM) or Distinguished Encoding Rules (DER) format.

Before you begin

Format a PKI Certificate Chain

Add a Smart Card IdP

  1. In the Admin Console, go to SecurityIdentity Providers.
  2. Click Add identity provider.
  3. Click Smart Card IdP.
  4. Click Next.
  5. Enter a user-friendly Name for the identity provider.
  6. Build a certificate chain:
    1. Click Browse to open a file explorer. Select the certificate file that you want to add and click Open.
    2. To add another certificate, click Add Another, and repeat step 1.
    3. Click Build certificate chain. On success, the chain and its certificates are shown. If the build failed, correct any issues and try again.

      Click Reset certificate chain if you want to replace the current chain with a new one.

  7. Select the length of time to Cache CRL for. This is the length of time Okta that considers the CRL valid after a successful download.

    The Cache CRL for option is scheduled for deprecation. Okta will honor the CRL's published next update expiration date.

  8. Select the attribute to locate the Okta user from the IdP username dropdown list or enter Okta Expression Language (see Smart card idpUser expressions and Expressions). The available attributes are:
    • idpuser.subjectAltNameUpn
    • idpuser.subjectAltNameEmail
    • idpuser.subjectAltNameUuid
    • idpuser.subjectKeyIdentifier
    • idpuser.subjectCn
    • idpuser.subjectO
    • idpuser.subjectOu
    • idpuser.subjectUid
    • idpuser.sha1PublicKeyHash
  9. Choose the value Okta should Match against: Okta Username, Email, or Okta Username or Email.

    For a user to sign in to Okta, they must have an existing Okta account. That account's Okta username or email address must match the attribute or expression defined by IdP username.

  10. If the IDP Extensible Matching feature is enabled, the Okta Username or Email match option isn't available. Instead, Okta matches against a custom attribute that you choose from the dropdown list.

  11. Click Finish. The org is configured to accept PIV cards as an alternate form of authentication.

Next task

Sign in with a Smart Card/PIV as an end user