Smartcard Authentication with SSO
This article provides the basic steps to configure a Domain Controller, add test users, and integrate those users for smart card authentication using Okta as the IdP. This reference is based on Windows Server 2019 Standard with Okta as the IdP for single sign-on.
After completing these steps you will be able to:
- Use Okta to log in with smart card authentication using an Active Directory user certificate.
- Use Okta to log in using the username and password of an Active Directory user.
Windows Server Configuration
- Open Server Manager from the Windows Server search field.
- Select Active Directory Domains and Services as a server role in the Add Roles and Features Wizard, click Next, then Install.
- Click the flag and select Promote this Server to a DC (Domain Controller).
- Select Add a new forest, create a domain name, and click Next.
- Create a password and select Next until the Install button shows.
- Select Install.
- Restart the server and create some users and groups in Active Directory Users and Computers.
- From the Domain Controller that was just created, log in to Okta, navigate to Settings > Downloads, download the Okta AD Agent, and install it.
- Enter the AD Domain Name.
- Create an Okta Service Account as recommended and enter the password.
- Enter the Okta URL. Once redirected to the Okta page, enter the Okta credentials and select Allow access.
- From the Okta dashboard, navigate to Directory > Directory Integrations.
- Select the AD Server name and configure it using the default settings. Once completed, the agent displays as active.
- Click the Import tab and select Import now with a full import.
- After the import, highlight the users and select Assign the users.
  After assigning the users you can see the AD users in the Assignments tab.
- Navigate to Directory > People and Activate the imported AD users.
  After activating the AD users, try to log in to Okta with the AD credentials to verify a working configuration.
- From the Domain Controller server, navigate to Server Manager > Manage > Add Roles and Features, select Active Directory Certificate Services and select Next.
- Select Certificate Authority and Certificate Authority Web Enrollment and click Install.
- From the Server Manager header, click the flag icon and click Promote this Server to a certificate server.
  While configuring the Certificate Authority, select Enterprise and Root CA.
- In the search bar, type Certification Authority and select your local CA.
- Right click Certificate Template and click Manage.
- Right click Enrollment Agent and click Duplicate Template.
- Right click Duplicated Template and click Properties.
- From the General tab, select the Publish Certificate in Active Directory checkbox.
- From the Compatibility tab, ensure Windows Server 2003 is selected for the Certificate Authority and Certificate recipient compatibility settings.
- From the Request Handling tab, select Signature from the Purpose drop-down list and select the Prompt the user during enrollment and require user input when the private key is used radio button.
- From the Cryptography tab, ensure the Microsoft Base Smart Card Crypto Provider checkbox is selected.
- From the Subject tab, ensure the Include e-mail name in subject name and E-mail name checkboxes are cleared.
- From the Security tab, ensure Full Control is selected for Authenticated Users and click OK.
- Create a Group in Active Directory with one or two users, add them in the Security tab with Full Control permissions, and click OK.
- From the Certification Authority, right click the Certificate Template folder and select Manage, then right click on Smartcard User and select Duplicate Template.
- From the General tab of the Smartcard User properties dialog, set the Validity and Renewal periods and ensure Publish certificate in Active Directory is selected.
- From the Compatibility tab, ensure Windows Server 2003 is set for the Certificate Authority and Certificate recipient compatibility options and that Show resulting changes is selected.
- From the Request Handling tab, select Signature and encryption from the Purpose drop-down list and select the Enroll subject without requiring any user input radio button.
- From the Cryptography tab, ensure the Microsoft Base Smart Card Crypto Provider option is selected.
- From the Subject tab, clear the Include e-mail name in subject name and E-mail name options.
- From the Security tab, select Read, Write and Enroll permissions for Authenticated Users.
- Create a Group for smart card users in Active Directory with one or two users, add them in the Security tab with Read, Write and Enroll permissions, and click OK.
- From the Certification Authority, right click the Certificate Templates folder, click New > Certificate Template to issue, and select the two duplicated templates: Copy of Enrollment Agent and Copy of Smartcard User. After adding the templates, they are visible in the Certificate Templates folder.
- Find the Certificate Revocation List (CRL) file (extension .crl) in C:\Windows\System32\certsrv\CertEnroll and create a customized link to this file using the format FQDN/Path/Certificate_Name. The link must be reachable from both inside and outside of the server's network.
  Example: from the Certificate Revocation List Certificate Path image and the format criteria, this sample path would be:
  http://win-ti9upfujb93.primesoft.us/CertEnroll/primesoft-WIN-TI9UPFUJB93-CA.crl
- From the Certification Authority, right click on your Domain Name and click on Properties.
- From the Extensions tab, select CRL Distribution Point (CDP) from the Select extension drop-down list, click Add to add the customized Certificate Revocation List link, and ensure the following checkboxes are selected.
  - Include in CRLs. Clients use this to find Delta CRL locations.
  - Include in the CDP extension of issued certificates.
  - Include in the IDP extension of issued CRLs.
  Confirm the path has been added.
- Restart the Certificate Authority Server.
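To review the permissions set on the Security tab of the two duplicated templates, the following PowerShell lists every allow entry on each template. It is an added example, not part of the original procedure. It assumes the ActiveDirectory module is installed and that the templates kept the display names Copy of Enrollment Agent and Copy of Smartcard User; Full Control shows up with CanModify set to True because it includes the right to change the template itself.

```powershell
# Added example: report the access entries on the duplicated certificate templates.
# Run on the domain controller as a domain administrator.
Import-Module ActiveDirectory               # assumption: RSAT ActiveDirectory module is installed
Add-Type -AssemblyName System.DirectoryServices

# Display names produced by Duplicate Template in the steps above.
$templateNames = 'Copy of Enrollment Agent', 'Copy of Smartcard User'

# Extended rights that apply to certificate templates (schema GUIDs).
$extendedRights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
    '00000000-0000-0000-0000-000000000000' = '(all)'
}

# Rights that let a principal change the template or its ACL.
# Full Control (GenericAll) contains all three.
$modifyMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner'

# Certificate templates live in the forest's configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$report = foreach ($name in $templateNames) {
    $template = Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$name)" `
                             -Properties displayName, nTSecurityDescriptor
    if (-not $template) { Write-Warning "Template '$name' not found"; continue }

    foreach ($ace in $template.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        [pscustomobject]@{
            Template      = $template.displayName
            Principal     = $ace.IdentityReference.Value
            Rights        = $ace.ActiveDirectoryRights
            ExtendedRight = $extendedRights[[string]$ace.ObjectType]
            CanModify     = [bool]($ace.ActiveDirectoryRights -band $modifyMask)
        }
    }
}

$report | Sort-Object Template, Principal | Format-Table -AutoSize -Wrap
```

Rows where Principal is Authenticated Users and CanModify is True mean any domain account can edit that template, which is what the Full Control and Write selections above produce.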
Download the Chain Certificate from the Certificate Authority Server
- Use the URL of the Certificate Authority Server to download the certificate. The URL will have a format similar to http://<server_IP_address>/certsrv/.
- Click on the Download CA certificate chain link and download your certificate.
Okta Configuration
- Log in to Okta and navigate to Security > Identity Providers > Add Identity Providers > Add Smart Card and upload the certificate chain that was downloaded in the previous steps.
- In the USER MATCHING section, ensure idpuser.subjectAltNameUpn is entered in the IDP Username field and Okta Username or Email is selected in the Match against drop-down field, then click the Update Identity Provider button.
Workstation Configuration
- Log in to the workstation as <DOMAIN_NAME>\Administrator and join the domain.
- Install smart card drivers and minidrivers, such as the PIVKEY Administrators Kit (https://pivkey.com/pkadmin.zip).
- Run Microsoft Management Console (mmc.exe).
- Click File > Add or Remove Snap-in, select Certificates and click Add.
- Select the My User Account radio button, click Finish, and then OK.
- From the Console root, expand Certificates - Current User, right click Personal and select All Tasks > Request a New Certificate....
- Click Next on the Before you Begin dialog and Next on the Certificate Enrollment Policy dialog.
- Select the Copy of Smartcard User checkbox and then click Enroll.
- Enter the smart card PIN to enroll the certificate to the smart card.
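Okta matches the card to a user through idpuser.subjectAltNameUpn and checks revocation through the CRL link added on the CA, so both are worth confirming on the enrolled certificate before the first login. The following PowerShell is an added example, not part of the original procedure; it uses the sample CRL link from this article as a placeholder and assumes an English-language Windows, where the UPN is displayed as "Principal Name=".

```powershell
# Added example: check the enrolled smart card certificate(s) in the current user's store.
# Sample CRL link from this article; replace it with your own link.
$expectedCdp    = 'http://win-ti9upfujb93.primesoft.us/CertEnroll/primesoft-WIN-TI9UPFUJB93-CA.crl'
$smartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU

$results = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    # Skip certificates that are not smart card logon certificates.
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $smartCardLogon) { continue }

    # Subject Alternative Name (OID 2.5.29.17): the UPN is what
    # idpuser.subjectAltNameUpn is compared against in Okta.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $upn = if ($san -and $san.Format($false) -match 'Principal Name=([^,\s]+)') { $Matches[1] }

    # CRL Distribution Points (OID 2.5.29.31): should list the customized link.
    $cdp     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = if ($cdp) { $cdp.Format($false) } else { '' }
    $hasLink = $cdpText.IndexOf($expectedCdp, [StringComparison]::OrdinalIgnoreCase) -ge 0

    # Build the chain with online revocation checking, which fetches the CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        Upn            = $upn            # must equal the Okta username or email
        CdpHasLink     = $hasLink
        ChainValid     = $chainOk
        ChainStatus    = $status         # e.g. RevocationStatusUnknown if the CRL is unreachable
    }
}

if (-not $results) { Write-Warning 'No smart card logon certificate found in Cert:\CurrentUser\My' }
$results | Format-List
```

An empty Upn or a ChainStatus of RevocationStatusUnknown or OfflineRevocation points back to the template's Subject tab or the CRL link, respectively.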
Login to Okta Using PIV Card
- Browse to the Okta URL where the smartcard is configured.
- Click on the PIV Card button.
- Select your user certificate.
- Click OK.
- Enter your smart card PIN.
You are now logged into Okta using smart card authentication.
Browser Configuration for use with Smartcards
Chrome and Edge (version 88.0 or newer) browsers are not known to require additional configuration at the time this article was written. Firefox requires the following configuration to display the certificate popup dialog box.
Open a Firefox browser, enter about:config in the URL field, and configure the following options. If an option does not exist, it can be added.
- security.cert_pinning.max_max_age_seconds: 30
- security.remember_cert_checkbox_default_setting: false
- network.ssl_tokens_cache_enabled: true
- security.osclientcerts.autoload: true