DISA STIGS Viewer

Okta must be configured to use only DOD-approved certificate authorities.

Overview

Finding ID: V-273207
Version: OKTA-APP-001920
Rule ID: SV-273207r1098888_rule
IA Controls: (none listed)
Severity: Medium
Description
Untrusted Certificate Authorities (CAs) can issue certificates, but those certificates may come from organizations or individuals that seek to compromise DOD systems, or from organizations with insufficient security controls. If the CA used to verify a certificate is not DOD approved, trust in that CA has not been established. The DOD will accept only PKI certificates obtained from a DOD-approved internal or external CA.

Reliance on CAs for the establishment of secure sessions includes, for example, the use of Transport Layer Security (TLS) certificates. This requirement focuses on communications protection for the application session rather than for the network packet. It applies to applications that use communications sessions, including, but not limited to, web-based applications and Service-Oriented Architectures (SOA).

Satisfies: SRG-APP-000427, SRG-APP-000910
STIG: Okta Identity as a Service (IDaaS) Security Technical Implementation Guide
Date: 2025-05-06

Details

Check Text (C-77298r1098886_chk)
From the Admin Console:
1. Select Security >> Identity Providers (IdPs).
2. Review the list of IdPs with "Type" as "Smart Card".

If the IdP is not listed as "Active", this is a finding.

3. Select Actions >> Configure.
4. Under "Certificate chain", verify the certificate is from a DOD-approved CA.

If the certificate is not from a DOD-approved CA, this is a finding.
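The check above is a manual Admin Console review. The following is an added example, not part of the STIG or of Okta's own tooling, that performs the same two tests offline: every Smart Card IdP must be Active, and its certificate chain must terminate in a DOD-approved trust anchor. It pins anchors by SHA-256 fingerprint of the DER certificate rather than by distinguished name, because a rogue CA can copy "DoD Root CA 3" as a subject name but cannot reproduce the digest. Two things are assumed: the IdP list has the shape returned by Okta's GET /api/v1/idps, with Smart Card IdPs carrying "type": "X509", and each IdP's configured chain is supplied as a PEM bundle. The APPROVED_ANCHOR_SHA256 allowlist is left empty and must be filled from the DoD PKE trust-anchor distribution; the demo certificates built by make_demo_cert are constructed, unsigned fixtures for exercising the parser only.

```python
# Added example, not the STIG's or Okta's code. Offline check for OKTA-APP-001920.
# Assumes: IdP list shaped like GET /api/v1/idps (Smart Card IdP "type": "X509"),
# and each IdP's certificate chain supplied as a PEM bundle keyed by IdP name.
import base64
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Fill from the DoD PKE trust-anchor distribution (InstallRoot). Left empty here:
# no real DoD fingerprints are embedded in this example.
APPROVED_ANCHOR_SHA256: Dict[str, str] = {}

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> List[bytes]:
    """Split a PEM bundle into DER certificates, in file order."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(pem_text)]


def fingerprint(der: bytes) -> str:
    """Upper-case colon-separated SHA-256, as `openssl x509 -fingerprint -sha256` prints."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def issuer_and_subject(der: bytes) -> Tuple[bytes, bytes]:
    """Raw DER issuer and subject Names of an X.509 certificate."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)
    if tag == 0xA0:                         # [0] EXPLICIT version present, serial follows
        _, _, pos = _tlv(tbs, pos)
    _, _, pos = _tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)
    _, _, pos = _tlv(tbs, pos)              # validity
    _, subject, _ = _tlv(tbs, pos)
    return issuer, subject


def chain_anchor(pem_text: str) -> Optional[bytes]:
    """The self-signed certificate (issuer == subject) in the chain, if present."""
    for der in pem_to_der(pem_text):
        issuer, subject = issuer_and_subject(der)
        if issuer == subject:
            return der
    return None


def check_idps(idps: List[dict], chains: Dict[str, str],
               approved: Dict[str, str] = APPROVED_ANCHOR_SHA256) -> List[str]:
    """Findings per the check text; an empty list means no finding."""
    findings = []
    for idp in (i for i in idps if i.get("type") == "X509"):
        name = idp.get("name", idp.get("id", "?"))
        if idp.get("status") != "ACTIVE":
            findings.append(f"{name}: Smart Card IdP is not Active")
        anchor = chain_anchor(chains.get(name, ""))
        if anchor is None:
            findings.append(f"{name}: certificate chain has no self-signed trust anchor")
        elif fingerprint(anchor) not in approved:
            findings.append(f"{name}: anchor {fingerprint(anchor)} is not a DOD-approved CA")
    return findings


# --- constructed fixtures: structurally valid but UNSIGNED certificates (demo only) ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, commonName (2.5.4.3) only."""
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


def make_demo_cert(subject_cn: str, issuer_cn: str, serial: int = 1) -> str:
    """PEM certificate with a real X.509 layout and zeroed key/signature (serial < 128)."""
    alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSA
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial])) + alg
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"350101000000Z"))
               + _name(subject_cn) + _der(0x30, alg + _der(0x03, b"\x00\x00")))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    root = make_demo_cert("DoD Root CA 3", "DoD Root CA 3")
    chain = make_demo_cert("DOD ID CA-59", "DoD Root CA 3") + root
    pinned = {fingerprint(chain_anchor(root)): "demo DoD Root CA 3"}
    idps = [{"id": "0oa1", "name": "DoD CAC", "type": "X509", "status": "ACTIVE"}]
    print(check_idps(idps, {"DoD CAC": chain}, pinned))   # []
```

To populate the allowlist from a genuine anchor, take the fingerprint of the root certificate file with `openssl x509 -in root.cer -noout -fingerprint -sha256` and enter it with the root's name. A chain whose root carries a DoD-looking subject name but a different key produces a different fingerprint and is reported as a finding, which is exactly the case a name-based check would miss.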
Fix Text (F-77203r1098887_fix)
From the Admin Console:
1. Go to Security >> Identity Providers.
2. Click "Add identity provider."
3. Click "Smart Card IdP". Click "Next".
4. Enter the name of the identity provider.
5. Build a certificate chain:
- Click "Browse" to open a file explorer. Select the certificate file to add and click "Open".
- To add another certificate, click "Add Another" and repeat the previous step (Browse, select the file, Open).
- Click "Build certificate chain". On success, the chain and its certificates are shown. If the build failed, correct any issues and try again.
- Click "Reset certificate chain" if replacing the current chain with a new one.
6. In "IdP username", select the "idpuser.subjectAltNameUpn" attribute. This is the User Principal Name from the Subject Alternative Name of the CAC certificate; it carries the Electronic Data Interchange Personnel Identifier (EDIPI) in the form EDIPI@mil.
7. In the "Match Against" field, select the Okta Profile Attribute in which the EDIPI is to be stored.