1. In the Identity Domain, create an X509 Identity Provider.

    [Screenshot: X509 Identity Provider]

2. When creating the identity provider, import the root CA certificate; it is required for the user to sign in.

    [Screenshot: Import Root CA]

3. In the X509 Identity Provider settings, set the user matching criteria to match the Identity Domains username against the “CN” attribute of the certificate on the CAC-PIV card.

    [Screenshot: Cert Attributes]

4. Enable Online Certificate Status Protocol (OCSP) validation and provide the OCSP endpoint.

    [Screenshot: OCSP validation]

5. Activate the IdP after creating it.

    [Screenshot: Activate IDP]

6. Edit the IdP rule to add the X509 IdP that has just been created.

    [Screenshot: IDP Rule]

7. Create the user. For an example user, Adam Smith, set the username to the CN from the card certificate, e.g. Adam.Smith.D0987654321.

    [Screenshot: Create User]

8. The setup in Identity Domains is now complete.
9. The user navigates to the Console, for example https://oc2.cloud.oracle.com/.
10. The user provides the tenant name.
11. The user is prompted to select the IdP.
    1. The user selects the X509 IdP.

        [Screenshot: X509 IDP login]

12. A prompt pops up asking the user to plug in their smart card.
    1. The browser prompts the user to select a certificate from the CAC-PIV card and enter their PIN.

        [Screenshot: Cert for Authentication]

    2. If the CA certificate and the user certificate from the CAC-PIV card are both registered with the tenant and the CNs match, authentication succeeds and the user is redirected to the Console with an authenticated session. (Once a user has presented a valid certificate, Identity Domains matches that certificate to a user in the directory using the certificate's CN (Common Name) attribute.)

        [Screenshot: Authenticated]
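The decision in step 12.2 rests on two conditions: the presented certificate must chain to the root CA imported in step 2, and its subject CN must equal the username created in step 7. The script below is an added example, not part of the original page and not Identity Domains' own code. It assumes the `openssl` command-line tool is installed, builds a throw-away root CA, a user certificate signed by it with a CAC-PIV-style CN, and a self-signed certificate carrying the same CN that no registered CA issued, then applies both conditions to each. The OCSP check from step 4 is not reproduced because it requires the live responder.

```shell
#!/bin/sh
# Added example: local re-creation of the two checks Identity Domains applies
# when a CAC-PIV certificate is presented (chains to the registered root CA,
# subject CN equals the username). Assumes the `openssl` CLI is installed.
# Every certificate below is constructed on the fly; none is a real card cert.

WORK="${TMPDIR:-/tmp}/x509-idp-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Build the fixture once: a trusted root CA (the one you would import in
# step 2), a user certificate it signed, and a self-signed "rogue" certificate
# with the same CN that was not issued by any registered CA.
make_fixture() {
  [ -f "$WORK/rogue.pem" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=US/O=Example Org/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/C=US/O=Example Org/CN=Adam.Smith.D0987654321" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/user.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/user.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=US/O=Not Registered/CN=Adam.Smith.D0987654321" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" >/dev/null 2>&1
}

# Print the subject CN of a PEM certificate (the attribute step 3 matches on).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Succeed only if the certificate chains to the given root CA file.
chains_to_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Mirror the decision in step 12.2: trusted issuer first, then CN == username.
# Usage: match_user ROOT_CA.pem CERT.pem USERNAME
match_user() {
  ca="$1"; cert="$2"; username="$3"
  if ! chains_to_root "$ca" "$cert"; then
    echo "REJECT: certificate does not chain to the registered root CA"
    return 1
  fi
  cn="$(cert_cn "$cert")"
  if [ "$cn" != "$username" ]; then
    echo "REJECT: certificate CN '$cn' does not match username '$username'"
    return 1
  fi
  echo "ACCEPT: certificate CN '$cn' matches username '$username'"
  return 0
}

make_fixture
match_user "$WORK/ca.pem" "$WORK/user.pem"  Adam.Smith.D0987654321 || true  # ACCEPT
match_user "$WORK/ca.pem" "$WORK/user.pem"  Jane.Doe.D1234567890   || true  # REJECT: CN mismatch
match_user "$WORK/ca.pem" "$WORK/rogue.pem" Adam.Smith.D0987654321 || true  # REJECT: untrusted issuer
```

The third call is the case worth keeping in mind when troubleshooting: a certificate whose CN exactly matches a directory username is still rejected unless it chains to the root CA registered in step 2, so a sign-in failure for a correctly named user is more often a missing or wrong root CA than a CN mismatch.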