You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Skip to end of banner
Go to start of banner

Smart Card

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Current »

The EmpowerID SSO framework allows you to configure a Smart Card connection as an identity provider (IDP) for EmpowerID.

  • For your users to access EmpowerID with a smart card, the account store containing your user identities must be named after the issuer of the smart card certificate associated with the IDP connection.

  • The FQN of the Account Directory must match the Root CA CN of the smart card certificate issuer for EmpowerID to authenticate the smart card user.

  • The root certificate for your smart card issuer must be installed in the Trusted Root Certification Authorities certificate store on the EmpowerID Web server.

Prerequisites — Before setting up smart card registration, you must do the following on the EmpowerIDWebIdPSmartCard application in IIS:

  1. Enable Anonymous Authentication
  2. Set the SSL Settings to Require SSL and Require Client certificates
  3. Click Edit Permissions in the Actions pane and give Read & execute, List folder contents and Read permissions to the Users, IIS_IUSR and ANONYMOUS LOGON groups



Once the IDP Connection has been set up for smart cards, you can create a link similar to the one below to allow users to log in to EmpowerID using their smart cards.

https://sso.empowerid.com/WebIdPForms/Login/EmpowerIDWebSite/SmartCard?returnUrl=%2FWebIdPForms%2F

Be sure to replace "sso.empowerID.com" with the FQDN of the EmpowerID Web server in your environment and "SmartCard" with the name of the smart card IDP connection you create in EmpowerID.




Configure the IDP Connection

  1. On the navbar, expand Apps and Authentication  > SSO Connections and click SAML.

  2. On the SAML Connections tab, search for smartcard and then click Login using SmartCard.


    This directs you to the View One page for the connection.

  3. Click the Display Name link to put the connection in Edit mode.

  4. On the Edit page for the connection, scroll to the Certificates section and select the signing and verifying certificates for your environment from the Signing Certificate and Verifying Certificate drop-downs.

  5. Select the Domains tab and then click the Add (blue star) button in the Assigned Domains section.

  6. In the Add Domain dialog that appears, enter the name of the domain where the SmartCard login tile should appear on the Login page and then click the tile for that domain.

  7. Click Save to close the dialog.

  8. Back in the Connections Details page, click Save to save your changes.

Now that the IDP Connection is configured, you can test it by following the procedure outlined below.

Test the Smart Card connection

  1. Insert your Smart Card reader on a machine and then launch your web browser, pointing it to the domain name you configured for the Smart Card ID Connection.

  2. Click the Login using your SmartCard button.

  3. In the Select a certificate dialog that appears, select the appropriate authenticating certificate and then click OK.

  4. In the Check for EmpowerID Login page the appears, click Yes if you wish to link the smart card to an existing user or No if you wish to link the smart card to a new user.

  5. Enter your EmpowerID Login or Email in the form and click Submit. The EmpowerID Person must have a valid email address as EmpowerID sends a one-time password to that address.

  6. Check your email for the one-time password.

  7. Back in the EmpowerID Web application, type the one-time password into the Password form and click Submit.



  • No labels