Add a Smart Card Identity Provider

Add a Smart Card as an Identity Provider (IdP) and configure its settings. This allows your end users to sign in using their Personal Identity Verification (PIV) or Common Access Card (CAC) credentials.

Add a Smart Card Identity Provider

  1. In the Admin Console, go to SecurityIdentity Providers.
  2. Click Add identity provider.
  3. Select Smart Card and click Next. The Configure Smart Card IdP page opens.

Configure the Smart Card Identity Provider

On the Configure Smart Card IdP page, configure the following settings:

Field

Value

Name Enter a name for the identity provider. End users see this name when they sign in.
Upload certificate chain files

Upload certificate files to build your certificate chain. The files must be in .pem or .der format.

Upload all the files and click Build certificate chain. The chain and its certificates are displayed.

Click Reset certificate chain to replace the current chain with a new one.

Cache CRL for

Select the duration for which Okta should consider the CRL valid after it's successfully downloaded.

This option is scheduled for deprecation. Okta will provide an automatic and a more resilient CRL caching mechanism if and when this option is deprecated.

IdP username Select a Smart Card attribute from the dropdown menu to use as the IdP username. You can also define a custom username using Okta Expression Language. See Smart card idpUser expressions and Expressions
Match against Select an Okta attribute from the dropdown menu. The IdP username is matched against this value to find an existing user account in Okta.
Allow multiple identities matching the criteria Optional. Select the checkbox if you want to allow matching the IdP username with multiple identities that meet the Match against criteria. This allows your end users to use one Smart Card for different identities and authenticate into corresponding accounts.
If no match is found

Early Access release. See Enable self-service features.

Select what to do if no matching user account is found in Okta.

  • Redirect to Okta sign-in page: The end user is redirected to the Okta sign-in page.
  • Create new user (JIT): Okta creates a new Active user in Universal Directory. Specify how to create the Just in Time (JIT) account in JIT settings.
Map required profile attributes

Map the Smart Card attributes to the user profile attributes that are required in Okta. The default required Okta user profile attributes are login, first name, last name, and email. However, depending on your configuration there may be additional required profile attributes.

The Smart Card attribute you've selected for IdP username is mapped to the login attribute in Universal Directory when creating a JIT user. In the Profile Editor mappings, ensure the value mapped to the login attribute conforms to your username requirements.

Click Edit profile and mappings to map the values in the Profile Editor. See Map profile attributes.

Specify additional required certificate values

Optional. In addition to the Okta-required values, you can specify additional certificate values required to create the JIT account. Certificates without these values are denied access.

Select a Smart Card attribute from the dropdown menu and specify a corresponding required certificate value. You can also define a custom value using Okta Expression Language.

For multiple attributes require

If you require multiple additional attributes, select if all or any of them are required to create the JIT account.

Group assignment

Optional. Select groups to which the user created by JIT is assigned. You can assign the user to multiple groups.

This Smart Card IdP is

Select the security characteristics associated with this Smart Card IdP: PIN protected, Hardware protected.

Okta uses these characteristics to determine how this IdP is prompted for users in policies.

After you've configured the settings, click Finish. The Smart Card IdP appears in the list on the Identity Providers page.

Next steps

Sign in with a Smart Card/PIV as an end user