Sign in with a Smart Card/PIV as an end user
You can test your Smart Card/PIV (personal identity verification) configuration by signing in as an end user.
Before you begin
Ensure you have completed tasks:
- Ensure that your Smart Card/PIV Card reader is plugged in and your Smart Card/PIV Card is inserted.
- In a new browser session, go to the Okta sign-in page for your Okta org and click Sign in with PIV / CAC Card.
If Sign in with PIV / CAC card is selected and multiple Smart Card/PIV identity providers are configured, the sign in request will be evaluated against all active smart card IdPs regardless of routing rules. If multiple IdPs could match, the first match is returned.
If presented with the PIV/CAC card dialog, ensure your card reader is properly connected and your PIV/CAC card is inserted.
- In the certificate picker, choose the certificate with the Smart Card Logon value under the Enhanced Key Usage attribute. You might have to view more certificate details to find the right certificate.
- Enter the end user's Pin and click Enter or OK.
Okta will sign you in to your end user dashboard.
If your org has an MFA policy configured, you will be prompted for the configured authentication factor first.
Validation of Smart Card/PIV certificate
The following process describes client certificate validation.
- The client certificate that is provided in the Sign in with a Smart Card/PIV Card as an end user procedure is validated as issued by a known issuer. A known issuer is an issuing certificate authority that has been uploaded explicitly to Okta as part a certificate chain provided during the Enable Smart Card/PIV Authentication procedure. Validation will fail if the provided client certificate was issued by an unknown issuer.
- The certificate is then verified against a Certificate Revocation List (CRL). Okta periodically downloads and caches CRLs for the known issuers. If the CRL has expired or the associated CRL is not in the cache then Okta will try to download the CRL in real-time.
- If the client certificate is valid, verified as active, and not revoked against a CRL, the user is then matched against the rule specified in the IDP configuration, and the user is signed in.