---title: Configuring Smart Cards as an Identity Provider---
- Home
- Single Sign-On and MFA
- Configuring SSO Connections
- Identity Providers
- Current: Configuring Smart Card as an Identity Provider
Configuring Smart Card as an Identity Provider
The EmpowerID SSO framework allows you to configure a Smart Card connection as an identity provider (IDP) for EmpowerID.
For your users to be able to access EmpowerID with a smart card, the account store containing your user identities must be named after the issuer of the smart card certificate associated with the IDP connection.
The root certificate for your smart card issuer must be installed in the Trusted Root Certification Authorities certificate store on the EmpowerID Web server.
Prerequisites
Before setting up smart card registration, you must do the following on the EmpowerIDWebIdPSmartCard application in IIS:
- Enable Anonymous Authentication
- Set the SSL Settings to Require SSL and Require Client certificates
- Click Edit Permissions in the Actions pane and give Read & execute, List folder contents and Read permissions to the Users, IIS_IUSR and ANONYMOUS LOGON groups
This topic describes how to configure an IDP connection for smart cards and is divided into the following activities:
Once the IDP Connection has been set up for smart cards, you can create a link similar to the one below to allow users to login to EmpowerID using their smart cards.
Be sure to replace "sso.empowerID.com" with the FQDN of the EmpowerID Web server in your environment and "SmartCard" with the name of the smart card IDP connection you create in EmpowerID.
https://sso.empowerid.com/EmpowerIDWebIdPForms/Login/EmpowerIDWebSite/SmartCard?returnUrl=%2FEmpowerIDWebIdPForms%2F
To configure an IDP connection for a smart card
- From the Navigation Sidebar, navigate to SAML Connections management page by expanding Admin > Applications and Directories > SSO Connections and clicking SAML.
- From the SAML Connections tab of the SAML Connections management page, search for Smart, click the drop-dwon arrow for Login using Smart Card and then click the Editlink.
- From the Actions pane of Application Manager, click the Create SAML Connection action link.
- From the General tab of the Connection Details form, scroll to the Account Information section and select the appropriate account store from the Account Directory drop-down.
- In the Certificates section, select the signing and verifying certificates for your environment from theSigning Certificate and Verifying Certificate drop-downs.
- Leave all other fields as is.
- Click the Domains tab and then click the Add (+) button in the Assigned Domains section.
- In the Add Domain dialog that appears, type the name of the existing EmpowerID domain for which you want a SmartCard login tile to appear on the Login page and then click the tile for that domain.
- Click Add to close the Add Domain dialog.
- Back in the Connections Details page, click Save to save your changes.
Now that the IDP Connection is configured, you can test it by following the procedure outlined below.
To test the Smart Card connection
- Insert your Smart Card reader on a machine and then launch your web browser, pointing it to the domain name you configured for the Smart Card ID Connection.
- Click the Login using your SmartCard button.
- In the Select a certificate dialog that appears, select the appropriate authenticating certificate and then click OK.
- In the Check for EmpowerID Login page the appears, click Yes if you wish to link the smart card to an existing user or No if you wish to link the smart card to a new user.
- Type your EmpowerID Login or Email in the form and click Submit. The EmpowerID Person must have a valid email address as EmpowerID sends a one-time password to that address.
- Check your email for the one-time password.
- Back in the EmpowerID Web application, type the one-time password into the Password form and click Submit.
- Related Topics
Administrative Procedures:
- Creating IdP Domains
- Configure AD SF as an Identity Provider
- Configure Azure as an Identity Provider
- Configure Box as an Identity Provider
- Set up the Remote Windows Identity Provider Applications
- Configure Facebook as an Identity Provider
- Configure Google as an Identity Provider
- Configure LinkedIn as an Identity Provider
- Configure Smart Card as an Identity Provider
- Configure Twitter as an Identity Provider
- Configure Windows Auth as an Identity Provider
- Configure Yahoo as an Identity Provider
- Configure Yammer as an Identity Provider
- Creating IP Address Ranges
- Setting MFA Points Granted by SSO Connections