Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Configuration

Integrations using SafeNet Access Exchange

search

Please Note:

printsuggest an edit

Integrations using SafeNet Access Exchange

This section will walk you through various integrations for SAS PCE using SafeNet Access Exchange.

copy link to clipboardCertificate Based Authentication Support

Thales’s SafeNet portfolio of certificate-based tokens offers strong multi-factor authentication in a traditional token form factor, enabling organizations to address their PKI security needs.

This section provides details on the usage of certificate based authentication (CBA) with SAS PCE in conjunction with SafeNet Access Exchange, where applications are configured for the primary IDP.

A typical CBA workflow includes:

  1. Client sends an authentication request over SSL/TLS channel.
  2. During the SSL/TLS handshake, the server and the client exchange their x.509 certificates.
  3. The SafeNet Access Exchange validates the client certificate.
  4. The user is redirected to SAS for authentication.
  5. After successful authentication, the user is redirected to the end application.

To configure CBA with SAS PCE, follow the steps mentioned below:

  1. Configure Prerequisites
  2. Add an Issuing CA to the SafeNet Access Exchange Trust Store
  3. SafeNet Access Exchange Tenant Configuration to enable CBA
  4. Extract User Identifiers from Client Certificate
  5. Test the CBA User Flow

copy link to clipboardConfigure Prerequisites

  • Ensure the SafeNet Access Exchange server version is 1.0.0 is installed on the machine.

  • To enable CBA, you need to add at least one certificate chain from an issuing certificate authority (CA) to your trust store in the SafeNet Access Exchange. The trust store lists the certificate chains from the CAs that your organization trusts for the authentication of your users. Adding an issuing CA establishes a trust relationship that the system relies on to verify the authenticity of your users when they authenticate through SAS SafeNet Access Exchange instance.

  • TLS/SSL certificate and key file in PEM format.

copy link to clipboardSupported Certificate Types

The certificates must meet the following conditions:

  • The certificates are configured for client authentication (ISO OID code 1.3.6.1.5.5.7.3.2).
  • For Chrome, Internet Explorer, and Microsoft Edge browsers on Windows, certificate containers are managed by Microsoft Cryptographic Application Programming Interface (MS-CAPI) middleware.
  • For Firefox browsers, certificate containers are managed by PKCS#11 middleware.
  • For Safari browsers on macOS, certificates are configurable in the Keychain Access app.
note

Note

There are usability limitations on Firefox and Safari browsers due to the browser’s implementation of TLS authentication and the associated certificate handling. For example, on these browsers, the user may not be prompted to insert their smart card.

copy link to clipboardAdd an Issuing CA to the SafeNet Access Exchange Trust Store

To validate client certificates and enable the certificate based authentication methods, you need to create a trust store with all the certificates chains (intermediate and root) that the SafeNet Access Exchange should trust. Follow the below sub-sections to add and configure the TLS/SSL certificate and the issuing CA certificate to the SafeNet Access Exchange trust store.

copy link to clipboardCreate a new Trust Store

To create trust store file follow the below steps:

  1. Execute the below command to generate a trust keystore file in .jks format.

    keytool -import -alias <Alias name> -file <CA Cert file>.crt-keystore <Trust Store file>.jks

    Where,

    Alias name is a unique name which can be set as per your preference.
    CA Cert file is the path of issuing CA certificate file in .crt format.
    Trust Store file is the path where you wish to create the trust store file in .jks format.

  2. Set the password as per your preference.

  3. Press Y to trust the certificate.

    This process creates the trust store file in the current directory.

copy link to clipboardConfigure TLS/SSL certificate and Trust Store in SafeNet Access Exchange

You need to configure the TLS/SSL certificate and trust store containing the issuing CA in SafeNet Access Exchange.

Follow the below steps to configure the trust store:

  1. Go to docker compose.

  2. Open docker compose in a text editor and add below parameters:

    https-certificate-file: The file path to TLS/SSL certificate in PEM format.

    https-certificate-key-file: The file path to TLS/SSL certificate private key in PEM format.

    https-client-auth: Enter the value as request.

    https-trust-store-file: The path of the trust store file which holds the certificate information of the issuing CA certificates to trust.

    https-trust-store-password: The password of the trust store file.

    Environment Variables: - Env: KC_HTTPS_CERTIFICATE_FILE

    • Env: KC_HTTPS_CERTIFICATE_KEY_FILE

    • Env: KC_HTTPS_CERTIFICATE_KEY_FILE

    • Env: KC_HTTPS_CLIENT_AUTH

    • Env: KC_HTTPS_CLIENT_AUTH

    • Env: KC_HTTPS_TRUST_STORE_FILE

    • Env: KC_HTTPS_TRUST_STORE_FILE

    • Env: KC_HTTPS_TRUST_STORE_PASSWORD

    • Env: KC_HTTPS_TRUST_STORE_PASSWORD

    For more information, refer to Docker.

  3. Restart the SafeNet Access Exchange server.

copy link to clipboardSafeNet Access Exchange Tenant Configuration to enable CBA

To enable CBA, you have to add a new authenticator in your SafeNet Access Exchange realm.

Follow the steps mentioned below to add a new authenticator for CBA:

  1. Login to SafeNet Access Exchange Admin console.

  2. In the left pane, select your desired realm.

    alt_text

  3. In the left pane, click Authentication. Under the Flows tab, click the three vertical dots in front of Safenet OTP Flow and select the Duplicate option to copy the flow.

    Duplicate Flow pop-up is displayed.

    alt_text

  4. In the pop-up, enter the name and description of the flow. For example: Safenet OTP flow with CBA.

    alt_text

  5. Click Duplicate.

  6. Now, click the Add step button. A pop-up is displayed, search for X509/Validate Username Form and click Add to save the form.

    alt_text

  7. Mark X509/Validate Username Form as Alternative and move it above SafeNet OTP Flow Forms as shown below:

    note

    Note

    Ensure SafeNet OTP Flow Forms is also marked as Alternative. By configuring this setting, if the end user is accessing the application from a device which doesn’t have the company provided smart card (client certificate) then the user will be asked for OTP based authentication instead of CBA based authentication.

    alt_text

  8. Select the setting button (highlighted in the below image) and perform the following steps in the X509/Validate Username Form config window:

    1. In the Alias field, enter the name of the configuration. For example: pki-config.

    2. In the User Identity Source field, select the unique identity source which will extract the user identity from X509 Certificate. For example: Subject’s email.

      note

      Note

      This mapping can vary between customer depending on their CA - user certificate profiles.

    3. In the User mapping method field, select Username or Email.

    4. Ensure Check certificate validity option is ON.

    5. Click Save.

      alt_text

  9. Click the CBA flow, select Bind flow from the Action drop-down.

    alt_text

  10. In the Bind Flow pop-up, select the instance that you have created from the Browser flow field, and click Save.

copy link to clipboardExtract User Identifiers from Client Certificate

You need to create the client certificate using the issuing CA certificate that you have configured as a trust store in Add an issuing CA to the SafeNet Access Exchange trust store section.

note

Note

While creating the client certificate, ensure that the user has the same username and email address in SafeNet Access Exchange and SAS PCE as provided for common name and email address in the certificate.

For example, for the user with the username as test.user and email address as test.user@example.com, the user details in Client Certificate, SafeNet Access Exchange Agent and SAS PCE will appear as shown in the pictures below.

Client Certificate

alt_text

SafeNet Access Exchange User

alt_text

SAS PCE User

alt_text

copy link to clipboardTest the CBA User Flow

To test the CBA authentication, you need to install the client certificate where the authentication needs to happen. You need to install the .pfx client certificate in the Certificate Manager under Personal > Certificate.

note

Note

Ensure the browser is able to fetch the above certificate details.

alt_text

Follow the steps mentioned below to test the authentication:

  1. Access the application URL that you have configured as client in your SafeNet Access Exchange Realm. For example:

    https://<Your Domain Name>:8443/auth/realms/<Realm Name>/account

    alt_text

  2. Select the client certificate and click OK.

    alt_text

  3. Click on Sign In. You will be redirected to SafeNet Authentication Service page that will display the user attributes fetched from the client certificate. Then, click on Continue button if the information is valid.
    However, you can choose the authentication method based on your requirement.

  4. After successful authentication, you will be redirected to the application.

    alt_text

On this page