Add a Smart Card identity provider
To add a smart card identity provider, you must provide a name and the certificate chain, and specify how long Okta treats the certificate revocation list (CRL) as valid after a successful download.
Before you begin
Download the certificate chain for the Certificate Authority that issued your organization's Smart Cards.
Certificates must be in Privacy Enhanced Mail (PEM) or Distinguished Encoding Rules (DER) format.
If there are multiple certificates in the chain, they must be in a single .DER or .PEM file, appended in order with the root certificate last, as described in Format a PKI Certificate Chain.
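As an added check that is not part of Okta's documentation, the following Python script (standard library only) reads a PEM bundle and verifies the ordering rule above before you upload it: each certificate must be issued by the one that follows it, and the last one must be self-issued, that is, the root. It compares the raw DER issuer and subject names only and does not verify signatures; call check_chain_order with the bytes of your chain file, and note that fake_cert_pem builds constructed, unsigned test certificates so the script runs offline.

```python
import base64
import re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                            # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)                          # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, pos)
    pos = end if tag == 0xA0 else pos                   # skip optional [0] EXPLICIT version
    _, _, pos = _tlv(der, pos)                          # serialNumber
    _, _, pos = _tlv(der, pos)                          # signature AlgorithmIdentifier
    i0, (_, _, i1) = pos, _tlv(der, pos)                # issuer Name
    _, _, pos = _tlv(der, i1)                           # validity
    s0, (_, _, s1) = pos, _tlv(der, pos)                # subject Name
    return der[i0:i1], der[s0:s1]

def check_chain_order(pem_bytes):
    """(ok, problems): ok only if each cert is issued by the next and the last is self-issued."""
    ders = [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(pem_bytes)]
    if not ders:
        return False, ["no CERTIFICATE blocks found"]
    names = [issuer_and_subject(d) for d in ders]
    problems = [f"cert {i} is not issued by cert {i + 1}"
                for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    if names[-1][0] != names[-1][1]:
        problems.append("last cert is not self-issued; the root must come last")
    return not problems, problems

# Constructed test data (not real certificates): unsigned, keyless shells with only the fields parsed above.
def _der(tag, content):
    n = len(content)
    return bytes([tag, n]) + content if n < 128 else bytes([tag, 0x81, n]) + content
def _name(cn):   # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert_pem(subject, issuer):
    sha256_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + _name(issuer) + validity + _name(subject) + _der(0x30, b""))
    cert = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"
```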
- In the Admin Console, go to Security > Identity Providers.
- Click Add Identity Provider, and then select Add Smart Card.
- On the Add Identity Provider screen, enter information for your organization.
  - Name: Enter the friendly name of this Identity Provider.
  - Certificate Chain: Click Browse files... to launch a file picker. Choose the certificate chain for the issuing authority.
  - IdP Username: Specify which attribute of the certificate should be used to locate the Okta user.
    Can be any of:
  - Match Against: Specify whether Okta should match against Email, Okta Username, or Email or Okta Username. For a user to sign in to Okta, their user account must already exist and either the email address or the Okta username must match the attribute or expression defined above.
    If the IDP Extensible Matching feature is enabled, you can then choose from a list of custom attributes to use for matching. With this feature, the "Okta Username or Email" combination is not available.
- Click Add Identity Provider or Save to continue.
The org is now configured to accept PIV cards as an alternate form of authentication.