Add a Smart Card Identity Provider
Add a Smart Card as an Identity Provider (IdP) and configure its settings. This allows your end users to sign in using their Personal Identity Verification (PIV) or Common Access Card (CAC) credentials.
Add a Smart Card Identity Provider
- In the Admin Console, go to .
- Click Add identity provider.
- Select Smart Card and click Next. The Configure Smart Card IdP page opens.
Configure the Smart Card Identity Provider
On the Configure Smart Card IdP page, configure the following settings:
|
Field |
Value |
|---|---|
| Name | Enter a name for the identity provider. End users see this name when they sign in. |
| Upload certificate chain files |
Upload certificate files to build your certificate chain. The files must be in .pem or .der format. Upload all the files and click Build certificate chain. The chain and its certificates are displayed. Click Reset certificate chain to replace the current chain with a new one. |
| Cache CRL for |
Select the duration for which Okta should consider the CRL valid after it's successfully downloaded. This option is scheduled for deprecation. Okta will provide an automatic and a more resilient CRL caching mechanism if and when this option is deprecated. |
| IdP username | Select a Smart Card attribute from the dropdown menu to use as the IdP username. You can also define a custom username using Okta Expression Language. See Smart card idpUser expressions and Expressions |
| Match against | Select an Okta attribute from the dropdown menu. The IdP username is matched against this value to find an existing user account in Okta. |
| Allow multiple identities matching the criteria | Optional. Select the checkbox if you want to allow matching the IdP username with multiple identities that meet the Match against criteria. This allows your end users to use one Smart Card for different identities and authenticate into corresponding accounts. |
| If no match is found |
Early Access release. See Enable self-service features. Select what to do if no matching user account is found in Okta.
|
| Map required profile attributes |
Map the Smart Card attributes to the user profile attributes that are required in Okta. The default required Okta user profile attributes are login, first name, last name, and email. However, depending on your configuration there may be additional required profile attributes. The Smart Card attribute you've selected for IdP username is mapped to the login attribute in Universal Directory when creating a JIT user. In the Profile Editor mappings, ensure the value mapped to the login attribute conforms to your username requirements. Click Edit profile and mappings to map the values in the Profile Editor. See Map profile attributes. |
|
Specify additional required certificate values |
Optional. In addition to the Okta-required values, you can specify additional certificate values required to create the JIT account. Certificates without these values are denied access. Select a Smart Card attribute from the dropdown menu and specify a corresponding required certificate value. You can also define a custom value using Okta Expression Language. |
|
For multiple attributes require |
If you require multiple additional attributes, select if all or any of them are required to create the JIT account. |
|
Group assignment |
Optional. Select groups to which the user created by JIT is assigned. You can assign the user to multiple groups. |
|
This Smart Card IdP is |
Select the security characteristics associated with this Smart Card IdP: PIN protected, Hardware protected. Okta uses these characteristics to determine how this IdP is prompted for users in policies. |
After you've configured the settings, click Finish. The Smart Card IdP appears in the list on the Identity Providers page.