CAC/PIV Authentication

GOVERN Federal disables username/password authentication and requires Common Access Card (CAC) or Personal Identity Verification (PIV) smart card authentication for all users.

Overview

CAC/PIV authentication works via PKCS#11 (smart card middleware) or via your agency’s identity provider (IdP) with PIV support. GOVERN supports both paths:

| Path | Use Case | Infrastructure Required |
| --- | --- | --- |
| Direct PKCS#11 | On-premise deployments | Smart card readers, middleware |
| Agency IdP (SAML/OIDC) | GovCloud deployments | IdP with PIV support (e.g., Okta, Azure AD, Ping) |
| DoD Enterprise IdP | DoD deployments | CAC-enabled IdP (DISA or agency) |

Direct PKCS#11 Configuration

For on-premise deployments where users authenticate directly with their smart card:

Prerequisites

  • OpenSC or DoD/agency-approved smart card middleware
  • SSL certificates loaded from the DoD Trust Store
  • CAC/PIV certificates issued by DoD or agency CA

Helm Configuration

values-federal.yaml
auth:
  provider: cac-piv
  cacPiv:
    mode: pkcs11
    trustStore: /etc/govern/certs/dod-trust-store.pem
    ocsp:
      enabled: true
      url: http://ocsp.disa.mil
    crl:
      enabled: true
      url: http://crl.disa.mil/crl/DODIDCA.crl
    userMappingAttribute: upn # or email, subject
    requiredExtendedKeyUsage:
      - clientAuth
      - msSmartcardLogon

Loading DoD Trust Store

# Download the DoD PKI trust-chain bundle (from DoD PKI management); it is a ZIP archive, not a bare PKCS#7 file
curl -o dod-trust-chain.zip https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-dod_approved_external_pkis_trust_chain.zip
unzip dod-trust-chain.zip -d dod-trust-chain
# Convert the PKCS#7 bundle from the extracted archive to PEM.
# PATH_TO_BUNDLE.p7b is a placeholder for the .p7b file inside the archive; add -inform DER if the bundle is DER-encoded.
openssl pkcs7 -in dod-trust-chain/PATH_TO_BUNDLE.p7b -print_certs -out dod-trust-store.pem
# Create Kubernetes secret
kubectl create secret generic dod-trust-store \
  --from-file=dod-trust-store.pem \
  -n govern

Agency IdP (SAML/OIDC) Configuration

For GovCloud deployments where authentication flows through an agency IdP:

SAML Configuration

auth:
  provider: saml
  saml:
    metadataUrl: https://idp.agency.gov/saml/metadata
    entityId: https://govern.agency.gov
    assertionConsumerServiceUrl: https://govern.agency.gov/auth/saml/callback
    nameIdFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    attributeMapping:
      email: mail
      displayName: displayName
      role: memberOf # LDAP group → GOVERN role mapping
    roleMapping:
      "CN=GOVERN-SOC-Analysts,OU=Groups,DC=agency,DC=gov": soc_analyst
      "CN=GOVERN-Admins,OU=Groups,DC=agency,DC=gov": platform_admin

OIDC Configuration (Azure Government)

auth:
  provider: oidc
  oidc:
    issuer: https://login.microsoftonline.us/$TENANT_ID/v2.0
    clientId: $AZURE_CLIENT_ID
    clientSecret: $AZURE_CLIENT_SECRET
    scopes: [openid, profile, email, User.Read]
    usernameClaim: preferred_username
    groupsClaim: groups
    requirePivClaim: true # Require PIV method in token claims

Certificate Validation

GOVERN validates smart card certificates against the DoD Trust Store on every authentication:

  1. Certificate chain validation to a trusted root CA
  2. OCSP/CRL check (certificate not revoked)
  3. Certificate policies check (id-fpki-common-authentication policy required)
  4. Extended Key Usage check (clientAuth required)
  5. Subject Alternative Name extraction (UPN or email for user matching)
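
The five checks above, as an added example written for this page (not GOVERN's own code) in Python with the `cryptography` package: the OCSP/CRL step is represented by a caller-supplied set of revoked serial numbers so it runs offline, and the root CA, leaf certificate and UPN value are constructed test data.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

FPKI_COMMON_AUTH = ObjectIdentifier("2.16.840.1.101.3.2.1.3.13")  # id-fpki-common-authentication
UPN_OTHERNAME = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # UPN otherName type used in PIV SANs

def validate_piv_cert(leaf, trust_store, revoked_serials, now):
    """Steps 1-5 in order; returns (ok, reason, identity). revoked_serials stands in for the OCSP/CRL answer."""
    root = next((c for c in trust_store if c.subject == leaf.issuer), None)
    if root is None:
        return False, "chain: issuer not in trust store", None
    try:  # step 1: leaf really signed by the trusted root, and inside its validity window
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes, ec.ECDSA(leaf.signature_hash_algorithm))
    except Exception:
        return False, "chain: bad signature", None
    if not leaf.not_valid_before <= now <= leaf.not_valid_after:
        return False, "chain: outside validity period", None
    if leaf.serial_number in revoked_serials:  # step 2: OCSP/CRL result
        return False, "revoked", None
    try:
        ext = leaf.extensions.get_extension_for_class
        policies, eku, san = (ext(c).value for c in (x509.CertificatePolicies, x509.ExtendedKeyUsage, x509.SubjectAlternativeName))
    except x509.ExtensionNotFound as e:
        return False, f"missing extension: {e}", None
    if FPKI_COMMON_AUTH not in {p.policy_identifier for p in policies}:  # step 3
        return False, "policy: id-fpki-common-authentication missing", None
    if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:  # step 4
        return False, "eku: clientAuth missing", None
    # step 5: UPN otherName preferred (value is a DER UTF8String: strip tag + length), e-mail as fallback
    upns = [o.value[2:].decode() for o in san.get_values_for_type(x509.OtherName) if o.type_id == UPN_OTHERNAME]
    ids = upns or san.get_values_for_type(x509.RFC822Name)
    return (True, "ok", ids[0]) if ids else (False, "san: no UPN or email", None)

def make_test_pair(policy=FPKI_COMMON_AUTH.dotted_string, upn="1234567890@mil"):  # constructed, not DoD material
    now, delta = datetime.datetime(2024, 1, 1), datetime.timedelta(days=1095)
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test Root CA")])
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name).serial_number(1)
          .public_key(ca_key.public_key()).not_valid_before(now).not_valid_after(now + delta)
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True).sign(ca_key, hashes.SHA256()))
    upn_der = b"\x0c" + bytes([len(upn)]) + upn.encode()  # DER UTF8String carrying the UPN
    leaf = (x509.CertificateBuilder().issuer_name(ca_name).serial_number(42).not_valid_before(now).not_valid_after(now + delta)
            .public_key(leaf_key.public_key()).subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "DOE.JANE.1234567890")]))
            .add_extension(x509.CertificatePolicies([x509.PolicyInformation(ObjectIdentifier(policy), None)]), critical=False)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .add_extension(x509.SubjectAlternativeName([x509.OtherName(UPN_OTHERNAME, upn_der)]), critical=False).sign(ca_key, hashes.SHA256()))
    return ca, leaf, now
```

Because the trust-store lookup is by issuer name only, a leaf whose issuer name matches a trusted root but which was signed by a different key is rejected at the signature check, which is the property the chain step exists to provide.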

Testing CAC/PIV Authentication

# Test authentication (from a workstation with CAC reader)
curl -v https://govern.agency.gov/auth/cac \
--cert /path/to/cac-cert.pem \
--key /path/to/cac-key.pem \
--cacert dod-trust-store.pem

Troubleshooting

| Issue | Cause | Resolution |
| --- | --- | --- |
| Certificate chain error | DoD root not in trust store | Re-import DoD PKI bundle |
| OCSP timeout | No connectivity to OCSP server | Configure OCSP responder proxy or CRL fallback |
| User not found | UPN/email not in GOVERN | Provision user in GOVERN or configure auto-provisioning |
| Role not assigned | Group mapping missing | Add group → role mapping in auth config |