Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

STA documentation
- Explore Thales Docs

SafeNet Trusted Access
SafeNet Agents
SafeNet MobilePASS+
API references
Account management
Release notes

All

All

Applications

Share your applications

SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

STA documentation
SafeNet Trusted Access
Applications
Share your applications

Share your applications

A service provider can share a common set of applications (for example, Salesforce) across multiple accounts (virtual servers). Each account manages the policies that control how their members access the shared applications. Any application (except the user portal) configured in the STA Access Management console can be shared. Shared applications can include SAML, OIDC, and Next Gen agents. Service providers can share an application with up to 670 accounts that they are delegated to manage.

About shared applications

SAML return attributes, OIDC claims, application icon, and application name are configured in the shared-from virtual server.
Configuration changes related to sharing applications are recorded in the audit logs of the shared-from virtual server.
An account cannot share to other accounts, applications that are shared to them.
Access and authentication logs are generated and displayed only in the account where the user is found.
Single Sign On (SSO) behavior extends to shared applications.
Username searches proceed from top to bottom of the application sharing list. The first match found is applied.

Share an application in STA

To share or un-share an application with another account (virtual server):

From the STA Access Management console of the shared-from service provider account, select the Applications tab.
From the applications list, select the configured application to be shared.
From the application details panel, select the Share tab.

The Share tab displays for service provider accounts only. This feature is not available to subscriber accounts.

A list of the virtual servers to which the application is shared displays.
Select Add Virtual Server.

A list of virtual servers to which you have delegated permission displays.
Select the virtual server to which the application will be shared by selecting .

The shared-to virtual server is added to the top of the list of virtual servers that have access to the application.

By default, the assignment rule for the application in the shared-to virtual server is "No users". Therefore, no users from the shared-to virtual server can access the application until the assignment rule is changed.

The bottom-most virtual server in the list is the shared-from virtual server.
(Optional) To un-share an application, select the menu icon on the application that you want to remove and then select Remove.

Using a shared application in STA

Applications which are shared-to you display in the applications list as <application name (shared-from account)>. For example, Salesforce New (Main Inc).

alt_text

The operator of an account that is using a shared application is responsible for:

Ensuring that policies (for example, the Global Policy) are in place to handle requests related to the shared application. For details, see Add an exception policy.
Assigning users to the shared application. For details, see Grant or deny access to groups of users.

How STA processes an access request for a shared application

This section describes a user’s experience when they attempt to access a shared application.

To open a shared application:

A user opens their browser, navigates to the shared application site, and attempts to log in.
The shared application redirects the request to the shared-from account, which presents a login prompt.

The login page presented at this step is configured by the shared-from account.
The user enters their login name.
STA searches for the account to which the user is a member and directs the access request to the first match found.

Searches proceed from top to bottom of the application sharing list.
The user's account applies its policies and prompts the user for their credentials.

The login page presented at this step is configured by the shared-to account.
The user enters their credentials and, upon authentication, the shared application opens.

Events related to the application are recorded in the access log of the user's account. If the user is not found, "Unknown user" is recorded in the access log of the shared-from account.

Example Access Log:

On this page

SafeNet Trusted Access

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com