Add a Smart Card identity provider

To add a smart card identity provider, you provide a name and the certificate chain, and specify how long Okta should consider the certificate revocation list (CRL) valid after a successful download.

Before you begin

Download the certificate chain for the Certificate Authority that issued your organization's Smart Cards.

Important Note

Certificates must be in Privacy Enhanced Mail (PEM) or Distinguished Encoding Rules (DER) format.
If there are multiple certificates in the chain, they must be in a single .DER or .PEM file, appended in order with the root certificate last, as described in Format a PKI Certificate Chain.
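A pre-upload check for that ordering requirement, added here as an example and not part of the Okta documentation: it splits a PEM bundle, reads each certificate's issuer and subject as raw DER bytes using only the Python standard library, and reports any certificate whose issuer is not the next certificate's subject, or a last certificate that is not self-issued. The CA names and the unsigned certificate skeletons used as sample input are constructed for the example.

```python
import base64, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):  # parse one DER tag-length-value; return (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(cert):  # raw DER-encoded (issuer, subject) Names of an X.509 certificate
    _, p, _ = _tlv(cert, 0); _, p, _ = _tlv(cert, p)   # Certificate, then tbsCertificate SEQUENCE
    if cert[p] == 0xA0:                                 # optional EXPLICIT [0] version
        _, _, p = _tlv(cert, p)
    _, _, p = _tlv(cert, p); _, _, p = _tlv(cert, p)   # serialNumber, signature AlgorithmIdentifier
    _, _, end = _tlv(cert, p); issuer, p = cert[p:end], end
    _, _, p = _tlv(cert, p)                             # validity
    _, _, end = _tlv(cert, p)
    return issuer, cert[p:end]                          # subject

def load_chain(pem_bundle):  # split a PEM bundle into DER certificates, keeping file order
    return [base64.b64decode(b"".join(b.split())) for b in PEM_RE.findall(pem_bundle)]

def chain_problems(certs):  # the order Okta requires: each issuer is the next subject, root last
    problems = []
    for i in range(len(certs) - 1):                     # byte-equal DN match, a simplification of RFC 5280
        if issuer_and_subject(certs[i])[0] != issuer_and_subject(certs[i + 1])[1]:
            problems.append(f"cert {i} issuer does not match cert {i + 1} subject")
    issuer, subject = issuer_and_subject(certs[-1])
    if issuer != subject:
        problems.append("last cert is not self-issued; the root must be last")
    return problems

# Constructed sample data: unsigned certificate skeletons carrying only the fields read above.
def _der(tag, body):
    n = len(body)
    return bytes([tag, n] if n < 128 else [tag, 0x81, n] if n < 256 else [tag, 0x82, n >> 8, n & 0xFF]) + body
def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")   # v3, serial, sigalg
           + _name(issuer) + _der(0x30, b"") + _name(subject) + _der(0x30, b""))   # issuer, validity, subject, spki
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
def to_pem(cert):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"

ROOT = fake_cert("Example Root CA", "Example Root CA")
ISSUING = fake_cert("Example PIV Issuing CA", "Example Root CA")
GOOD_BUNDLE = to_pem(ISSUING) + to_pem(ROOT)             # issuing CA first, root last
```

Run `chain_problems(load_chain(open("chain.pem", "rb").read()))` on the real bundle before uploading it; an empty list means the order is as Okta expects.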

Steps

  1. In the Admin Console, go to Security > Identity Providers.
  2. Click Add Identity Provider, and then select Add Smart Card.
  3. On the Add Identity Provider screen, enter information for your organization.
    • Name: Enter the Friendly Name of this Identity Provider.
    • Certificate Chain: Click Browse files... to launch a file picker. Choose the certificate chain for the issuing authority.
    • IdP Username: Specify which attribute of the certificate should be used to locate the Okta user.
      Can be any of:
      idpuser.subjectAltNameUpn
      idpuser.subjectAltNameEmail
      idpuser.subjectAltNameUuid
      idpuser.subjectKeyIdentifier
      idpuser.subjectCn
      idpuser.subjectO
      idpuser.subjectOu
      idpuser.sha1PublicKeyHash

      IdP Username also accepts an Okta Expression Language expression; see Smart card idpuser expressions and Expressions and examples for details.

    • Match Against: Specify whether Okta should match against Email, Okta Username, or Email or Okta Username. For a user to sign in to Okta, their user account must already exist and either the email address or the Okta username must match the attribute or expression defined above.
    • If the IDP Extensible Matching feature is enabled, you can then choose from a list of custom attributes to use for matching. With this feature, the "Okta Username or Email" combination is not available.

  4. Click Add Identity Provider or Save to continue. The org is now configured to accept PIV cards as an alternate form of authentication.

Next task

Sign in with a Smart Card/PIV as an end user

Related topics

Smart card idpuser expressions

Expressions and examples