Login
      Contents x
      Add a Smart Card Identity Provider in Okta
      • 11 Jul 2023
      • 1 Minute to read
      • Print
      • Dark
        Light
      • PDF
      Contents

      Add a Smart Card Identity Provider in Okta

      • Updated on 11 Jul 2023
      • 1 Minute to read
      • Print
      • Dark
        Light
      • PDF
      Article Summary

      1. Open the Axiad Cloud welcome page for your tenant. Your URL looks like the following example, and is sent via email:
        http://crl.{tenantName}.{platform}.axiadids.net/welcome.html
      2. In the Resources section, click Root CA Certificate
        The root.cer file downloads.
      3. In the Resources section, click Issuing CA Certificate.
        The issuing.cer file downloads.
      4. Sign into your Okta admin portal.
      5. From the left menu, click Settings > Features.
      6. Locate the Smart Card Authenticator feature, and enable it.
        TIP
        This is a preview feature, but it is highly recommended that you enable it. This allows you to use/require smart cards (CBA) in authentication policies. It also allows smart cards to fulfill MFA requirements, including both Phishing resistant and Hardware protected requirements in authentication policies.
      7. From the left menu, click Security > Identity Providers.
      8. Click + Add identity provider.
      9. Click Smart Card IdP:
        scr-okta-ip
        WARNING
        If Smart Card IdP is not available, contact Okta support and ask them to enable smart cards for your Okta tenant.
      10. Click Next.
      11. In the Name field, enter Axiad Cloud CBA.
      12. Click Browse... next to the Upload certificate chain files.
      13. Select the root.cer file you downloaded.
      14. Click + Add Another.
      15. Click Browse...
      16. Select the issuing.cer file you downloaded.
      17. Click Build certificate chain.
      18. Optionally, change the Cache CRL for setting to match your requirements.
        NOTE
        This setting specifies the total amount of time Okta will consider the CRL valid after successful download. Okta will automatically attempt to download the latest CRL every hour in the background, but if the download fails for any reason you can still allow the cached CRL to be used for login attempts until it reaches the age specified here.

        The default value is 6 hours.
      19. In the IdP username field, select idpuser.subjectAltNameUpn.
      20. In the Match against field, select Okta Username.
      21. In the Security Characteristics field, ensure PIN protected and Hardware protected are both selected.
      22. Confirm the settings are correct.
        When finished with the entries, your screen should look like the following example:
        scr-okta-config-smartcard
      23. Click Finish.
      24. From the left menu, click Security > Authenticators.
      25. Click Add authenticator.
      26. Find Smart Card IdP and click Add.
      27. In the Smart Card Identity Provider (IdP) field, click the text box to show a drop-down list, and select the Smart Card IdP created in the previous steps.
      28. Click Add.
        CBA authentication is now enabled. You can now configure your Okta Authentication policies to support/require Smart Card authentication. 
      TIP
      To use CBA to sign into Okta, see Okta's official documentation: Sign in with a Smart Card/PIV as an end user (okta.com).
      Was this article helpful?
      What's Next
      900 Lafayette St. Suite 600
      Santa Clara, CA 95050
      United States
      Social
      Change password!
      Changing your password will log you out immediately. Use the new password to log back in.
      Change profile
      Success!
      First name must have atleast 2 characters. Numbers and special characters are not allowed.
      Last name must have atleast 1 characters. Numbers and special characters are not allowed.
      Enter a valid email
      Enter a valid password
      Your profile has been successfully updated.
      Logout