Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

SAS PCE documentation
- Explore Thales Docs

SAS PCE
Agents
MobilePASS+
SafeNet Access Exchange
BSIDCA API
- BSIDCA endpoints
- BSIDCA custom attributes
Integrations
Account management
Release Notes

All

All

Push OTP

Configure applications for Push OTP

Please Note:

SAS PCE
Get started
- System Requirements
- Installation
  - Install SafeNet Authentication Service
  - Prepare database
  - Configure SafeNet Authentication Service
  - Configure SafeNet Authentication Service for High Availability
  - Configure for MobilePASS and MobilePASS+ Enrollment
  - Onboarding for MobilePASS+ enrollment
  - SAS PCE Windows Services Startup Recommendations
  - Security and Compliance
- Upgrade
  - SafeNet Authentication Service pre-upgrade checklist
  - SafeNet Authentication Service upgrade - primary data center
  - SafeNet Authentication Service upgrade - secondary data center
  - SafeNet Authentication Service post-upgrade checklist
  - Additional Considerations
- System setup
  - Setup
  - Communications
  - Logging
Dashboard
- On-Boarding
- Virtual Servers
- Administration
Users and groups
- Configure individual users
- Manage tokens for a user
- Groups
- Containers
- Restrict access based on the time, day, or date
- User Policies
User synchronization
- LDAP sync server settings
- LDAP integration
- LDAP settings
Operators and roles
- Operators
- External Operators
- Provision roles automatically
- Alerts
Tokens
- Token types
  - Hardware tokens
    - OTP hardware token
    - KT-4 tokens
    - RB-1 tokens
  - Software tokens
    - GrIDsure
    - SMS OTP token
  - Third Party tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary Password Policy
- Token Passcode Processing Policy
- Configure server-side PINs
- Token synchronization
- Import SafeNet tokens
- Token inventory
- Deallocate inventory
- MobilePASS target and Push OTP settings
- SMS credits
- SMS/Email/Voice OTP Delivery Methods
- Quicklog authentication
- Initialize hardware tokens
Provisioning tokens to users
- Provision tokens
- Automate token provisioning
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for Push OTP
- Enable Push OTP and MobilePASS+
- Push OTP Rejection Policy
- Customize Push notifications and alerts
- Configure applications for Push OTP
- Token management and enrollment
- Push OTP authentications
RADIUS integration
- RADIUS third-party token support
- RADIUS attributes for users or groups
- Block RADIUS authentication
Server and agent settings
- Authentication Nodes
- Pre-authentication rules
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configure a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
- Display Device Information
- Download an encryption key for remote services
Self-service site
- Site appearance and default language
- Self-Service Modules
- Self-Enrollment pages
- Configure authorities, OOB enrollment, and policies
- Process requests and view reports
Branding the appearance
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Troubleshooting
- Authentication errors
- Error codes

SAS PCE documentation
SAS PCE
Push OTP
Configure applications for Push OTP

Configure applications for Push OTP

Any application that is integrated through SafeNet RADIUS Service (FreeRADIUS), SafeNet Agent for AD FS, or SafeNet Agent for NPS 2.0 can support Push OTP. The agents provide two user interaction models:

Rich user experience, which is provided by the SafeNet Agent for AD FS
Simple mode, which is provided by the SafeNet RADIUS Service

Some of the web-based RADIUS clients (for example, F5, NetScaler, Citrix, etc.) require application integration. Refer to the appropriate integration section for details (see the list in Application integration).

Agents with rich user experience

SafeNet agents such as AD FS provide a rich user experience, compared to the simple mode in the RADIUS integration.

With the rich user experience, logging into a protected application redirects the user to a modified login screen, which presents options to choose between push or manual passcode entry. In addition, users have the ability to cancel a push notification.

The passcode triggers to override Push OTP apply to the push behavior for AD FS Agent login. The passcode triggers are described in Triggering push notifications in the agent section.

If the Enable Push/Manual OTP Selector option is disabled, the user can still trigger push or another challenge and response method with an empty passcode. Refer to Triggering Push notifications in the agent section.

SafeNet Agent for AD FS configuration

Install the new SafeNet Agent for AD FS v2.0 with Push OTP support.
Configure the SafeNet Agent for AD FS to use Push OTP.
1. Select Start > All Programs > SafeNet > Agents > ADFS Agent (run as administrator).
2. On the MFA Plug-In Manager window, click the Policy tab.
3. Under Default OTP Policy, click Push Challenge, and then click Apply.
  
  By choosing the Push Challenge option, the AD FS integration automatically promotes push. The user is presented with the option to use either push or manual passcode entry.

SafeNet RADIUS service

This type of application integration presents a simple user experience, which cannot be modified. Note the following behavioral changes:

Unlike the AD FS Agent, the login screen cannot be modified. Therefore, users are not presented with options to either select push or use manual passcode entry. To trigger Push OTP, users need to be instructed to leave the password field empty, or type any 1-character passcode on the login screen.
When deploying Push OTP (and it is enabled for the Virtual Server), if your users previously used GrIDsure or SMS, after they enroll a token on MobilePASS+, they have the option to authenticate either with Push OTP or with another authentication method by using a passcode trigger. Refer to Triggering Push notifications in the agent for details.

Passcode triggers are not case-sensitive.

RADIUS configuration

The only configuration requirement to support the SafeNet RADIUS Service is to set the RADIUS timeout value to at least 60 seconds on the client machine.

Agents with simple mode user experience

This type of application integration presents a simple user experience, which cannot be modified. Note the following behavioral changes:

Unlike the AD FS Agent, the login screen cannot be modified. Therefore, users are not presented with options to either select push or use manual passcode entry. To trigger Push OTP, users need to be instructed to leave the password field empty or to type any 1-character passcode on the login screen.
When deploying Push OTP (and it is enabled for the Virtual Server), if your users previously used GrIDsure or SMS, after they enroll a token on MobilePASS+, they have the option to authenticate either with Push OTP or with another authentication method by using a passcode trigger. Refer to Triggering Push notifications in the agent for details.

Passcode triggers are not case-sensitive.

SafeNet Agent for NPS 2.0 configuration

Install SafeNet Agent for NPS 2.0 with Push OTP support.
Configure the SafeNet Agent for NPS 2.0 to use Push OTP.
1. In the SAS console, in Policy > Token Policies, enable Push notifications.
2. In Policy > Token Policies, set MobilePASS+ as an allowed target.
Set the NPS 2.0 timeout value on the client machine such that the product of ((time-out) x (number of retransmissions)) is at least 60 seconds.

For example, if retransmissions is set to 6, then set time-out to 10 seconds or greater.

On this page

SafeNet Authentication Service Private Cloud Edition

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com