# CAC/PIV Verification

***

Using Okta as an authentication layer allows S-Sign to require a hardware-backed certificate (a CAC or PIV smart card) to verify a signer's identity before they can open and sign a document within Salesforce.

### 1. Architectural Overview

The authentication flow moves the signer from the S-Sign document link through Okta’s secure verification process before returning them to Salesforce to complete the signature.

* S-Sign: Acts as the service requester (the OIDC relying party, via a Salesforce Auth. Provider).
* Okta: Acts as the Identity Provider (IdP) that performs the certificate challenge and validates the card's certificate against its trust store.
* Salesforce: The native environment where the document and audit trail reside.

***

### 2. Prerequisites

Before beginning the configuration, ensure the following environments are prepared:

* Okta Tenant: An active Okta instance with administrative access.
* Salesforce Org: S-Sign must be installed and configured.
* Certificates: The Root and Intermediate CA certificates that issued the CAC/PIV cards must be uploaded to Okta; a card cannot be validated if any link in its chain is missing.
* Attribute Mapping: A unique identifier (typically the email address or UPN carried in the certificate's Subject Alternative Name) must match between the user's CAC/PIV certificate and their record in Okta and Salesforce.
* Site Visualforce Page: SSign.AuthenticationRedirect must be added to the S-Sign Site's Visualforce pages.

***

### 3. High-Level Configuration Steps

#### A. Okta Configuration

1. Enable Personal Identity Verification: In the Okta Admin Console, navigate to Security > Authenticators and set up the PIV/CAC card authenticator.
2. Upload Certificates: Upload the necessary CA certificates that issued the CAC/PIV cards to the Okta Trust Store.
3. Create an OIDC Application: Create a new App Integration in Okta using OIDC (OpenID Connect).
   * Sign-in redirect URIs: This must exactly match the S-Sign callback URL provided in the S-Sign setup, which is the Callback URL Salesforce shows on the Auth. Provider created in section B (same scheme, host and path; a trailing slash or a different hostname is enough to fail). Okta rejects any redirect URI that is not on this list, so if the Auth. Provider does not exist yet, create the Okta app with a placeholder and update the URI once the Callback URL is known.
   * Assignments: Assign the specific users or groups who will be required to sign documents using this method; a user who is not assigned to the app is refused by Okta before reaching the document.

#### B. Salesforce & S-Sign Setup

1. Create Auth. Provider: In Salesforce Setup, create a new Auth. Provider of type OpenID Connect. Use the Client ID and Client Secret generated by the Okta App Integration as the Consumer Key and Consumer Secret, and take the Authorize and Token endpoint URLs from your Okta org's OpenID Connect discovery document (/.well-known/openid-configuration). Salesforce generates the Auth. Provider's Callback URL on save; this is the value the Okta app's sign-in redirect URI must match.
2. Named Credentials: Configure a Named Credential if required by your specific S-Sign version to securely handle the callouts to Okta.
3. S-Sign Custom Settings: Navigate to the S-Sign Configuration page. Under the "Alternative Authentication" section, input the Okta Auth. Provider details and the specific Okta Org URL.

***

### 4. Applying Authentication to Templates

Once the global connection is established, you must enable it on a per-template basis:

* Open the S-Sign Template Editor.
* Navigate to Template Settings > Signer Profiles.
* For the specific signer (e.g., Signer 1), change the Authentication Method from "Email PIN" to "Okta/CAC/PIV".
* Select the appropriate Auth. Provider from the dropdown menu and save.

***

### 5. The Signer Experience

When a signer receives a document link with CAC/PIV enabled, the workflow changes:

1. Click Link: The signer clicks the link in their email.
2. Redirect: S-Sign automatically redirects the browser to the Okta login page.
3. Certificate Challenge: The signer inserts their CAC/PIV card and enters their PIN. Okta validates the certificate against the trusted CA.
4. Verification: Upon success, Okta redirects the signer back to the S-Sign document.
5. Access: The document is unlocked, and the signer can proceed to sign.

***

### 6. Security and Compliance Benefits

* Multi-Factor Authentication (MFA): The card (something the signer has) plus its PIN (something they know) is hardware-backed, phishing-resistant MFA of the kind federal requirements call for.
* Non-Repudiation: Authenticating with a certificate whose private key never leaves the card is stronger evidence of who signed than access to an email inbox or an emailed PIN.
* Audit Trail: The S-Sign Audit Trail records that the signer was authenticated via an external Identity Provider (Okta), including the timestamp of the successful authentication.

***

### 7. Troubleshooting Common Issues

* Redirect Mismatch: Ensure the Sign-in redirect URI in Okta exactly matches the Callback URL of the Salesforce Auth. Provider (same scheme, host and path; a stray trailing slash or a different My Domain hostname is enough to fail). Okta rejects the authorize request before any certificate is requested, so the signer never sees the card prompt.
* Certificate Errors: If the signer's card is not recognized, verify that the full certificate chain (the Root and every Intermediate that issued the card certificates) is correctly uploaded to Okta and that none of those certificates has expired.
* User Matching: Ensure the identifier Okta's PIV/CAC authenticator reads from the card certificate (the UPN or email address in the Subject Alternative Name, or the Common Name) matches the username or email on the user's Okta record, and that the same user is assigned to the OIDC app.
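
The chain and identifier checks in the list above, together with the Certificates and Attribute Mapping prerequisites in section 2, can be rehearsed offline with openssl before anything is uploaded to Okta. The script below is an added example and is not S-Sign or Okta code: it builds a throwaway Root > Intermediate > card-style signing certificate (the agency name, the EDIPI-style number in the UPN, the email address and the CN are all constructed), shows that verification fails when only the Root is trusted and passes once the Intermediate is supplied, and then pulls the UPN, email and CN off the card certificate to compare against the identifier the user's Okta record is expected to carry. It assumes an OpenSSL 1.1.1 or 3.x command-line build.

```shell
#!/bin/sh
# Added example (not S-Sign or Okta code). Builds a throwaway Root -> Intermediate
# -> card-style certificate with openssl, then runs the checks from the
# troubleshooting list. All names, identifiers and addresses are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file holding the extension profile for each tier of the chain.
# The SAN mirrors what a CAC carries: a Microsoft UPN otherName plus an e-mail.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_card ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth, msSmartcardLogin
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:1234567890@mil, email:jane.doe@example.mil
EOF

# Key pairs (EC for speed; a real card generates its key on-chip and never exports it).
for n in root int card; do openssl ecparam -genkey -name prime256v1 -noout -out "$n.key" 2>/dev/null; done

# Root CA: self-signed.
openssl req -x509 -new -key root.key -days 3650 -config pki.cnf -extensions v3_root \
  -subj "/C=US/O=Example Agency/CN=Example Root CA" -out root.pem 2>/dev/null
# Intermediate CA: CSR signed by the Root.
openssl req -new -key int.key -config pki.cnf \
  -subj "/C=US/O=Example Agency/CN=Example Intermediate CA" -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 1001 -days 1825 \
  -extfile pki.cnf -extensions v3_int -out int.pem 2>/dev/null
# Card-style signing certificate: CSR signed by the Intermediate.
openssl req -new -key card.key -config pki.cnf \
  -subj "/C=US/O=Example Agency/OU=PKI/CN=DOE.JANE.1234567890" -out card.csr 2>/dev/null
openssl x509 -req -in card.csr -CA int.pem -CAkey int.key -set_serial 2001 -days 1095 \
  -extfile pki.cnf -extensions v3_card -out card.pem 2>/dev/null

# Check 1: does the chain validate? $1 = trusted CA file (what Okta would hold in
# its trust store), $2 = untrusted intermediates or "", $3 = the card certificate.
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

# Check 2: which identifiers does the card certificate actually carry?
san_line()   { openssl x509 -in "$1" -noout -text | awk '/Subject Alternative Name/ { getline; print; exit }'; }
san_email()  { san_line "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*email:\(.*\)$/\1/p' | sed 's/[[:space:]]*$//' | head -n 1; }
# OpenSSL 3 prints the UPN otherName as "UPN::<value>"; 1.1.x shows it as <unsupported>, so this yields "".
san_upn()    { san_line "$1" | tr ',' '\n' | sed -n 's/^.*UPN::\(.*\)$/\1/p' | sed 's/[[:space:]]*$//' | head -n 1; }
subject_cn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1; }

# Okta maps the card to a user on one attribute; $2 is the value the user record
# carries. Succeeds only if the UPN, e-mail or CN on $1 equals it exactly.
identity_matches() {
  for id in "$(san_upn "$1")" "$(san_email "$1")" "$(subject_cn "$1")"; do
    [ -n "$id" ] && [ "$id" = "$2" ] && return 0
  done
  return 1
}

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report verify_chain root.pem ""      card.pem   # FAIL: Intermediate missing from the chain
report verify_chain root.pem int.pem card.pem   # PASS: Root trusted, Intermediate supplied
echo "UPN=$(san_upn card.pem) email=$(san_email card.pem) CN=$(subject_cn card.pem)"
report identity_matches card.pem jane.doe@example.mil   # PASS: attribute matches
report identity_matches card.pem jane.doe@example.com   # FAIL: attribute mismatch
```

To apply the same checks to a real card, export its signing certificate as a PEM file and point verify_chain at the CA files you intend to upload to Okta: a failure with the Root alone that clears once the Intermediate is added is exactly the "full chain" problem from the troubleshooting list, and the printed UPN, email and CN are the candidates for the attribute Okta will match on.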

