Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Configuration

Realm creation and authentication flow

search

Please Note:

printsuggest an edit

Realm creation and authentication flow

A realm manages a set of users, credentials, roles, and groups. Each realm is isolated from one another and can only manage and authenticate the users under their control.

The realm is configured in two ways:

copy link to clipboardManual configuration of the realm

Perform the steps below to configure the realm using the SafeNetOTPRealm.json and the SafeNet Access Exchange Admin UI for SAS PCE and STA Hybrid Access Management Add-On based deployment:

  1. Log in to the SafeNet Access Exchange Admin UI as an Administrator user (created in Installation).

  2. In the left pane, click Create Realm.

  3. Browse the required json file, specify the realm name, and click Create.

    alt_text

    The realm is created with four SafeNet OTP Authentication Flows: SafeNet OTP Flow, SafeNet OTP UserId Provided Flow, SafeNet LDAP OTP Flow, and SafeNet OTP LDAP Flow.

  4. Navigate to Realm settings > General.

  5. Enable Unmanaged Attributes.

    alt_text

  6. Select the SafeNet OTP Flow and click the Setting icon at the bottom-right of the page, as highlighted in the figure below:

    alt_text

  7. A pop-up displays. Enter the details and click Save.

    alt_text

    note

    Note

    This configuration is required for all SafeNet OTP Authentication flows.

copy link to clipboardAgent BSID key

Path of Agent.bsidkey file or Content of Agent.bsidkey

  1. In the SAS console, navigate to the Comms tab in the required Virtual Server to download the Agent BSID Key.

  2. Navigate to the Authentication Processing > Authentication Agent Settings. Click Download to download the agent.bsidkey file.

    alt_text

copy link to clipboardToken Validator URL

http(s)://<sas-ip>:<port>/TokenValidator/TokenValidator.asmx?orgCode=<OrgCode>

  1. To find OrgCode details, go to the SAS console.

  2. Navigate to the Comms tab in the required Virtual Server to get the organization code for the token validator url.

    alt_text

    These settings can be found under the Authentication Processing > Authentication Agent Settings.

    alt_text

    note

    Note

    These settings are only visible on SafeNet Authentication Service PCE v3.13 and above.

copy link to clipboardOTP Auto Trigger Enabled (optional)

Toggle this setting to enable/disable the auto trigger of OTP. If enabled the challenge automatically generates the enrolled token.

copy link to clipboardUser Id Mapper Field (optional)

This field is used in combination with LDAP User Provider. It is used to send different user attribute as a UserName to SafeNet Authentication Service. The field value is named upon any LDAP Mapper. If the field value is not defined, default UserName from the request is sent to SafeNet Authentication Service.

copy link to clipboardConfiguration with SafeNetOTPRealm.json

Perform the following steps to add configuration values in the json file:

  1. Edit SafeNetOtpRealm.json using a text editor.

    1. Search for the agent.bsidkey key.
      Set the path of the agent.bsidkey file to C:\\Downloads\\agent.bsidkey or content of the agent.bsidkey file: <content-of-agent.bsidkey-file>.

      note

      Note

      For more details, refer to the agent.bsidkey section.

    2. Search for tokenvalidator.url key.
      Set the value of TokenValidator URL, with organization code. For more details, refer to the Organization Code Details section. tokenvalidator.url: http(s)://<sas-ip>:<port>/TokenValidator/TokenValidator.asmx?orgCode=<OrgCode>

    3. Search for user.id.mapper key.
      Set the value of User Id Mapper with name of defined LDAP Mapper for the required attribute.

    4. For details, refer to the Custom LDAP Mapper section.

    note

    Note

    In Windows, while copying the path in json, make sure to use "\\" instead of "\" in the path to adhere to the json syntax. For example, if the path is C:\Agent.bsidkey then use C:\\Agent.bsidkey.

  2. Log in to the Access Exchange Admin UI as an Administrator user (created in Installation).

    caution

    Caution

    Save the SafeNetOTPRealm.json on a different path, other than the package location (recommended).

  3. In the left pane, click Create realm.

  4. Browse the required json file, specify the realm name, and click Create.

  5. Navigate to Realm settings > General.

  6. Enable Unmanaged Attributes.

    alt_text

copy link to clipboardSafeNet authentication flow

SafeNet Access Exchange provides SAS Authentication flow. You can select a flow that works best for you.

copy link to clipboardSafeNet OTP flow (default flow)

Ideal for the integrations, where password or first factor authentication is done at the Service Provider (or Application) and you just need the second factor OTP authentication at the Access Exchange Identity Provider.

  1. Service Provider (or Application) authenticates Password as first factor with its User or Domain password before reaching to Access Exchange.

  2. Navigate to User Name form presented by Access Exchange. (User Name is auto-filled, from the request, if available).

  3. SafeNet Authentication form presented by Access Exchange authenticates OTP as second factor with SafeNet Authentication Service. (Follow steps from Realm Configuration section).

    alt_text

copy link to clipboardSafeNet OTP userid provided flow

Ideal for the integrations same as “SafeNet OTP Flow” where you wish to skip User Name prompt at the SafeNet Access Exchange. User Name is extracted from the request and browser request navigates to the final OTP prompt page.

  1. Service Provider (or Application) authenticates Password as first factor with its User or Domain password before reaching to SafeNet Access Exchange.

  2. SafeNet Authentication Form prompted by SafeNet Access Exchange authenticates OTP as second factor with SafeNet Authentication Service. (Follow steps from Realm Configuration section).

    alt_text

copy link to clipboardSafeNet LDAP OTP flow

Ideal for the integrations where you want to handle the 2FA (Password + OTP) at the SafeNet Access Exchange Identity Provider.

  1. SafeNet Access Exchange LDAP User Federation provider authenticates Password as first factor with Domain password.

  2. SafeNet Authentication Form prompted by SafeNet Access Exchange authenticates OTP as second factor with SafeNet Authentication Service. (Follow steps from Realm Configuration section).

  3. If you are using an existing realm, you must add an "LDAP Session Details Authenticator" after "Username Password Form", on the same level.

    alt_text

copy link to clipboardSafeNet OTP LDAP flow

Ideal for the integrations where you want to handle the 2FA (OTP + Password ) at the SafeNet Access Exchange Identity Provider.

  1. SafeNet Authentication Form prompted by SafeNet Access Exchange authenticates the OTP as first factor with SafeNet Authentication Service. (Follow the steps from Realm Configuration section).

  2. SafeNet Access Exchange LDAP User Federation provider authenticates password as second factor with Domain password.

  3. If you are using an existing realm, you must add an "LDAP Session Details Authenticator" after "Username Password Form", on the same level.

    alt_text

For existing realms, a new workflow for SafeNet OTP LDAP Flow can be added by following the below steps:

  1. Log in to SafeNet Access Exchangek Admin console.

  2. In the left pane, select your desired realm.

  3. In the left pane, click Authentication and under the Flows tab, select the SafeNet LDAP OTP Flow.

  4. From the Action drop-down, select Duplicate to copy the flow.

    alt_text

  5. In the Duplicate Flow window, enter the relevant details and click Duplicate.

  6. In the Authentication Flow details, ensure SafeNet OTP LDAP Flow is selected, click the Add icon.

    The Add step to SafeNet OTP LDAP Flow pop-up window is displayed.

    alt_text

  7. Search for the Username Form, select it from the provided options, and click Add.

  8. Now, manually rearrange /move the Username Form and Username Password Form in the order as shown below:

    alt_text

copy link to clipboardDefault authentication flow changes for realm

alt_text

alt_text

Note

When Custom Federation is configured with SAS User Federation, the LDAP Authentication only works in case the user is synched using Safenet Authentication Service Synchronization Agent with Enable Password Synchronization enabled.

copy link to clipboardAuthentication flow overrides

Authentication flow is overridden at the Client level.

alt_text

copy link to clipboardMulti-tenant support

To achieve multi-tenancy in SafeNet Access Exchange, you need to create different realms. Within Multi-tenant support, you can enable user authentication with different SAS tenants. You can perform the same steps as defined above for realm creation for the new tenant and define the configuration details for the Virtual Server respective to SAS.

For each Virtual Server, different Agent BSID Key and Token Validator URL has to be provided.

On this page