Add a Smart Card identity provider

To add a smart card identity provider, you must provide a name, certificate chain, and specify the amount of time for Okta to consider the certificate revocation list (CRL) valid after a successful download.

Before you begin

Download the certificate chain for the Certificate Authority that issued your organization's Smart Cards.

Certificates must be in Privacy Enhanced Mail (PEM) or Distinguished Encoding Rules(DER) format.
If there are multiple certs in the chain, they must be in a single .DER or .PEM file, appended in order with the root certificate last, as described in Format a PKI Certificate Chain


  1. In the Admin Console, go to Security > Identity Providers.
  2. Click Add Identity Provider, and then click Smart Card IdP. Click Next.
  3. In the Add Identity Provider dialog, enter the following information for your organization:
    • Name: Enter the user friendly name of this Identity Provider.
    • Certificate Chain: Click Browse files... to launch a file picker. Choose the certificate chain for the issuing authority.
    • Cache CRL for: Select the length of time that Okta will consider the CRL valid after successful download.

      The Cache CRL for option will be removed in September 2022. Okta will honor the CRL's published Next Update expiration date.

    • IdP Username: Specify which attribute of the certificate should be used to locate the Okta user. This can be any of:
      • idpuser.subjectAltNameUpn
      • idpuser.subjectAltNameEmail
      • idpuser.subjectAltNameUuid
      • idpuser.subjectKeyIdentifier
      • idpuser.subjectCn
      • idpuser.subjectO
      • idpuser.subjectOu
      • idpuser.subjectUid
      • idpuser.sha1PublicKeyHash

      Idp Username also accepts an Okta expression language expression, see Smart card idpuser expressions and Expressions and examples for details.

    • Match against: Specify whether Okta should match against Email, Okta Username, or Email or Okta Username. For a user to sign in to Okta, their user account must already exist and either the email address or the Okta username must match the attribute or expression defined above.
    • If the IDP Extensible Matching feature is enabled, you can then choose from a list of custom attributes to use for matching. When enabled, the Okta Username or Email match option is not available.

  4. Click Finish. The org is now configured to accept PIV cards as an alternate form of authentication.

Next task

Sign in with a Smart Card/PIV as an end user

Related topics

Smart card idpuser expressions

Expressions and examples