Smart Card IdP authenticator

This is an Early Access feature. To learn how to enable it, see Manage Early Access and Beta features.

The Smart Card IdP authenticator allows you to add smart card authentication. You can require users to authenticate themselves with smart cards when they sign in to Okta or when they access an app. You can also customize the assurance levels required to access your apps.

Before you begin

Before you enable the Smart Card IdP authenticator, you must create a Smart Card Identity Provider if one doesn't already exist. See Add a Smart Card Identity Provider. Under Security characteristics, select either the PIN protected or the Hardware protected option, according to how the smart cards your organization uses are configured.

Enable the Smart Card IdP authenticator

  1. In the Admin Console, go to Security > Authenticators.
  2. Click Add authenticator.
  3. Click Add on the Smart Card IdP tile.
  4. Select all Identity Providers from the Smart Card Identity Provider (IdP) dropdown.
  5. Click Save.
  6. Configure an authenticator enrollment policy for the Smart Card IdP authenticator. See Create an authentication enrollment policy.
    1. Select an Eligible authenticators option in the policy for the Smart Card IdP authenticator.
    2. Configure what your users access with this authenticator in the User is accessing section of the rule.
  7. Configure an authentication policy for each app that you want to protect with smart cards. See Add apps to an authentication policy.
    1. In the authentication policy rule, select the options that apply to your configuration in the Possession factor constraints section.

End-user experience

  • End users can be enrolled in the Smart Card IdP authenticator either explicitly or implicitly.
    • Explicit enrollment: End users are prompted to enroll in the Smart Card IdP authenticator the next time they sign in if smart card authentication has been configured as Required in either the authentication policy or the authentication enrollment policy.
    • Implicit enrollment: End users are enrolled implicitly if smart card authentication has been configured as Optional or Required in either the authentication policy or the authentication enrollment policy.
  • If a user’s smart card is lost or stolen, they must remove the old smart card from Settings on their Okta Dashboard, and then click Set up beside the Smart Card IdP authenticator and enroll the new smart card.
  • If they receive a new smart card, they can enroll the new card while leaving previous ones enrolled.
  • When end users are required to use smart cards and attempt to sign in or access a protected app, they must perform the smart card verification within the time configured by the admin. Otherwise, the operation times out and they must authenticate themselves again.

Related topics

Identity Providers

Add a Smart Card Identity Provider

Sign-on policies and rules

Authentication

General Security

Network zones