Set up smart card authentication
Smart card login is a certificate-based login: the certificate is supplied by the smart card, and CyberArk Identity uses it to authenticate the user. To use smart card authentication with CyberArk Identity, your users must already be configured for smart card login.
If you need to set up derived credentials for secure mobile access to applications, websites and services that require smart card authentication, see CyberArk-issued derived credentials. See Enroll a device for enabling smart card users to enroll their devices.
To set up smart card authentication
- Log in to the Identity Administration portal.
- Click Core Services > Policies and select the relevant policy or create a new one.
- Click Authentication Policies > CyberArk Identity.
- Confirm that Use certificates for authentication (in the Other Settings section) is enabled (it is by default).
This option must be enabled for smart card authentication to work: it allows CyberArk Identity to use the certificate on the smart card to authenticate users to the cloud.
- (Optional) Enable Set identity cookie for connections using certificate authentication only if you have a hybrid setup in which users log in with smart cards and also with another authentication method.
With this option enabled, CyberArk Identity writes an identity cookie to the browser after a successful login. On subsequent logins it checks the browser for that cookie and applies any identity cookie authentication rules you have configured. See Create authentication rules.
- Upload your certificate authority chain.
The uploaded file must contain every certificate needed to establish chain trust from a user certificate. If chain validation requires intermediate authorities, package all required certificates in p7b format and upload the p7b file; it must contain all intermediate authorities chaining up to a root authority.
- Log in to the Identity Administration portal.
- Click Settings > Authentication > Certificate Authorities.
- Provide a unique name for the trusted certificate authority.
- Specify the certificate field from which the user login name is extracted.
Select the same field for all certificates in the chain.
- Click Browse to select the certificate authority chain to upload.
The uploaded chain must contain every certificate needed for chain validation, from the intermediate CA that issues the user certificates up to the root certificate authority.
- (Optional) Select the Enable Client Certificate Revocation Check checkbox to have CyberArk Identity verify that the smart card certificate has not been revoked.
If the user certificate carries revocation check information (a CRL Distribution Point (CDP) or an Online Certificate Status Protocol (OCSP) URL) and Enable Client Certificate Revocation Check is enabled on the CA chain, CyberArk Identity contacts those endpoints to check the certificate's validity.
Important: To perform certificate revocation checks, the CDP and OCSP URLs must be reachable from the Internet. Turning on the revocation check on the CA chain when these endpoints are not reachable from the Internet causes certificate authentication to fail.
This revocation check applies only to smart card logins. Once derived credentials are securely stored on enrolled devices, the check does not affect them.
- Click Save.
- Click Settings > Authentication > Security Settings, select Enable smart card authentication on login screen, and click Save.
For more information on managing certificate authorities, see Manage Certificate Authorities.
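As an added example (not CyberArk's own tooling), the OpenSSL-based shell functions below package the chain into a p7b and pre-check a user certificate against it before you upload the chain: that the bundle holds every CA, that the user certificate actually chains to the root, that the login-name field you intend to select is populated, and which CDP and OCSP URLs the revocation check will need to reach. It assumes OpenSSL on PATH; file names such as inter.pem, root.pem, user.pem and chain.p7b are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not CyberArk tooling): build the CA chain p7b and pre-check a
# user certificate against it before uploading. Assumes OpenSSL on PATH; the
# file names (root.pem, inter.pem, user.pem, chain.p7b) are placeholders.
set -e

# Bundle the intermediate CA(s) and the root into one PKCS#7 (p7b, DER) file.
# Usage: build_chain_p7b chain.p7b inter.pem [inter2.pem ...] root.pem
build_chain_p7b() {
  local out=$1; shift
  local f; local args=()
  for f in "$@"; do args+=(-certfile "$f"); done
  openssl crl2pkcs7 -nocrl "${args[@]}" -outform DER -out "$out"
}

# Number of certificates inside the p7b; compare with the CAs you meant to add.
count_p7b_certs() {
  openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep -c '^subject='
}

# Succeeds only if the user certificate chains to the bundle's root: the same
# trust check that fails at log-in time when an intermediate is missing.
verify_user_cert() {            # verify_user_cert chain.p7b user.pem
  local bundle ok=1
  bundle=$(mktemp)
  openssl pkcs7 -inform DER -in "$1" -print_certs -out "$bundle"
  openssl verify -CAfile "$bundle" "$2" >/dev/null 2>&1 && ok=0
  rm -f "$bundle"
  return "$ok"
}

# Print the field the CA entry will read the login name from: cn (Subject CN)
# or email (SAN rfc822Name). Empty output means the certificate lacks that field.
cert_login_name() {             # cert_login_name user.pem cn|email
  case $2 in
    cn)    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
             sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p' ;;
    email) openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
             grep -o 'email:[^, ]*' | cut -d: -f2 ;;
    *)     echo "unknown field: $2" >&2; return 2 ;;
  esac
}

# List the CRL Distribution Point and OCSP URLs in the certificate. With the
# revocation check enabled, each of them must be reachable from the Internet.
cert_revocation_urls() {        # cert_revocation_urls user.pem
  openssl x509 -in "$1" -noout -text | grep -o 'URI:[^ ,]*' | cut -d: -f2- | sort -u
}
```

Run verify_user_cert against a bundle containing only the root to see the failure you would otherwise discover at the login screen.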