Add a Smart Card Identity Provider

Upload one or more certificates and build the certificate chain used to sign your organization's smart cards. Certificates must be in Privacy Enhanced Mail (PEM) or Distinguished Encoding Rules (DER) format.

  1. In the Admin Console, go to Security > Identity Providers.
  2. Click Add identity provider.
  3. Click Smart Card IdP.
  4. Click Next.
  5. Enter a user-friendly Name for the identity provider.
  6. Build a certificate chain:
    1. Click Browse to open a file explorer. Select the certificate file you want to add and click Open.
    2. To add another certificate, click Add Another, and repeat step 1.
    3. Click Build certificate chain. On success, the chain and its certificates are shown. If the build failed, correct any issues and try again.

      Click Reset certificate chain if you want to replace the current chain with a new one.

  7. Select the length of time to Cache CRL for. This is the length of time Okta that considers the CRL valid after a successful download.

    The Cache CRL for option is scheduled to be deprecated. Okta will honor the CRL's published Next Update expiration date.

  8. Select the attribute to use to locate the Okta user from the IdP username dropdown list or enter an Okta Expression Language expression (see Smart card idpUser expressions and Expressions). The available attributes are:
    • idpuser.subjectAltNameUpn
    • idpuser.subjectAltNameEmail
    • idpuser.subjectAltNameUuid
    • idpuser.subjectKeyIdentifier
    • idpuser.subjectCn
    • idpuser.subjectO
    • idpuser.subjectOu
    • idpuser.subjectUid
    • idpuser.sha1PublicKeyHash
  9. Choose the value Okta should Match against: Okta Username, Email, or Okta Username or Email.

    For a user to sign in to Okta, they must have an existing Okta account, and that account's Okta username or email address must match the attribute or expression defined by IdP username.

  10. If the IDP Extensible Matching feature is enabled, the Okta Username or Email match option isn't available. Instead, Okta matches against a custom attribute that you choose from the dropdown list.

  11. Click Finish. The org is configured to accept PIV cards as an alternate form of authentication.

Next task

Sign in with a Smart Card/PIV as an end user