Skip to main content

CAC / PIV Authentication


Use this guide to enable CAC / PIV Authentication with SecureAuth IdP.


1. Have the root / intermediate public certificates for the CAC / PIV available for import on the SecureAuth IdP server.

2. Have the Subject Alternative Name (SAN) on the CAC / PIV linked to the users account in the data store.

SecureAuth IdP Server Configuration

CAC / PIV Certificate Import:

1. Open the Certificate Console for the local computer on the SecureAuth IdP server.

2. In the Trusted Root Certificates, import the root / intermediate CAC / PIV certificates.

3. In the Intermediate Certificate Authorities/Certificates, import the root / intermediate CAC / PIV certificates.


SecureAuth IIS Manager Settings

IIS Manager Settings:

1. Open the IIS Manager and navigate to the realm(s) being used for CAC / PIV authentication.

2. Click into the SSL Settings.

3. Change the setting of Client certificates to Require (as shown in picture).


SecureAuth IdP Configuration Steps


1. In the Product Configuration section, select Certification Enrollment and Validation from the Integration Method dropdown.

2. In the Client Side Control dropdown, select Device/Browser Fingerprinting.



3. In the Public/Private Mode dropdown, select Public Mode Only.

4. In the Default Public/Private dropdown, select Default Public.

5. In the Remember User Selection dropdown, select False.

6. In the Authentication Mode dropdown, select UserName Only.

If a password or second factor is still required, this option may be adjusted to meet the requirement.

7. In the Validate Persistent Token dropdown, select True.


Custom Front End

8. In the Receive Token dropdown, select Token.

9. In the Require Begin Site dropdown, select True.

10. In the Begin Site dropdown, select Client Side SSL.

11. In the Token Data Type (Receive) dropdown, select Name.



Click Save once the configurations have been completed and before leaving the Workflow page to avoid losing changes.


Contact SecureAuth Support if a SecureAuth Certificate is not used on the card