Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

STA documentation
- Explore Thales Docs

SafeNet Trusted Access
SafeNet Agents
SafeNet MobilePASS+
API references
Account management
Release notes

All

All

IDP orchestration

OneWelcome as an external IDP

SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

STA documentation
SafeNet Trusted Access
Authentication
IDP orchestration
OneWelcome as an external IDP

OneWelcome as an external IDP

You can integrate STA with an external identity provider (IDP) to redirect network traffic from STA to the external IDP for user authentication. STA remains the primary IDP while orchestrating with an external or secondary IDP.

Here, OneWelcome is used as an external IDP.

Integrating STA with OneWelcome requires the following steps:

Adding STA as a Web Client in OneWelcome
Adding OneWelcome as an external identity provider in STA
Adding OneWelcome as an authentication method in a STA policy
Verify authentication

As a prerequisite, obtain the STA Redirect URI. Perform the following steps:

On the STA Management Console, click on the settings icon .
Under SETTINGS > AUTHENTICATION, click External Identity Provider , and click Setup.
On the External Identity Provider window, click Set up new IDP.
Under Redirect URI, click Copy to copy the redirect URI, and paste it into a text editor. You will need it while adding STA as a web client in OneWelcome.

Adding STA as a Web Client in OneWelcome

Perform the following steps to add STA as a web client in OneWelcome:

Log in to the OneWelcome administrator dashboard.
Go to the Configuration tab, and then the Web clients tab.
Under Web clients, click Add Web client.
Under Add Web client, in the Name field, enter a name for the application (for example, SafeNet Trusted Access). Do not change values of rest of the fields.
Under Credentials, perform the following steps:
1. In the Client ID field, click Generate to generate a unique client ID. Copy the ID and paste it in a text editor. You will need the client ID while adding OneWelcome as an external IDP in STA.
2. Under Authentication method, select the Client secret (basic authentication) option.
3. In the Client secret field, click Generate to generate a secret corresponding to the client ID that you generated in step a. Copy the client secret and paste it into the text editor. You will need the client secret while adding OneWelcome as an external IDP in STA.
Under OAuth settings, perform the following steps:
1. In the Grant types field, select Authorization code.
2. Ensure that JSON Web Token (JWT) is selected as Access token format.
3. In the Redirect URL field, enter the redirect URL that you obtained as a prerequisite.
4. Enter values in the rest of the fields as per your preferred configuration.
Scroll down, under Scopes, under Default Scopes, select email, openid, and profile.
Under User registration, in the Identity provider field, select an IDP as per your choice.
Do not change values in the rest of the fields.
Click Save.
On the Configuration tab, go to the System tab, and in the left pane, select JWT Key Configuration.
In the right pane, under JWT Key Configuration, copy the Discovery URL and paste it in the text editor. You will need it while adding OneWelcome as an external IDP in STA.

Adding OneWelcome as an External Identity Provider in STA

Perform the following steps to add OneWelcome as an external IDP in STA:

On the STA Management Console, on the External Identity Provider window, on the top-right side, click Edit.
Under Display Names, perform the following steps:
1. In the IDENTITY PROVIDER NAME field, enter a name for your IDP (for example, OneWelcome).
2. In the CREDENTIALS NAME field, enter the authentication method that the external IDP uses (for example, Password).
In policies, such names are used to identify the external IDP in the format, [Identity Provider Name] ([Credentials Name]) (for example, OneWelcome (Password)).
Under Server Details, perform the following steps:
1. In the CLIENT ID field, enter the client identifier that you copied earlier in step 5 (a) of Adding STA as a Web Client in OneWelcome. This is the OIDC application (client) ID that is used to identify OneWelcome.
2. In the CLIENT SECRET field, enter the shared secret that you copied earlier in step 5 (c) of Adding STA as a Web Client in OneWelcome. STA sends the OIDC shared secret to authenticate the redirection request using OneWelcome.
3. In the WELL-KNOWN CONFIGURATION ENDPOINT field, enter the Discovery URL of OneWelcome that you copied earlier in step 12 of Adding STA as a Web Client in OneWelcome.
4. Click Load to populate the Endpoint URLs and the Issuer fields.
Under User Mapping, perform the following steps:
1. In the REQUEST USER IDENTIFIER field, ensure that E-mail address is selected. This is the STA user attribute that is sent in the authentication request to the external IDP.
2. In the VERIFICATION USER IDENTIFIER field, ensure that the E-mail address is selected. The identifier is generally identical to the request user identifiers. This is the STA user attribute that is used to match with the content of the specified ID token claim.
3. In the VERIFICATION CLAIM NAME field, enter the name of your claim (for example, email.). This is the claim present in the returned ID token that contains the user identifier to be verified.
For demonstration purposes in this documentation, E-mail Address is used as a user attribute for user mapping. You can configure user mapping as per your preferred configuration.
Under Scope, in the SCOPE VALUE field, enter the scope values as openid, profile and email.
Click Save.

Adding OneWelcome as an authentication method in a STA policy

The external IDP OneWelcome is now an authentication method that you can add to STA policies and authentication scenarios.

On the STA Management console, select the Policies tab.
Select the icon to add a new policy or a scenario.
Enter a name and a description for the policy.
Under Scope, select the users and the applications, on which you want to apply the policy.
Under Decision, under Primary authentication requirements, click Change to select the authentication methods as per your preferred configuration.
If you want to keep OneWelcome as a mandatory authentication method, select External IDP as one of the Primary authentication requirements and select the OneWelcome (Password), which you have added in the above steps.
If you want to keep OneWelcome as optional or secondary authentication method, select External IDP as one of the Secondary authentication requirements and select the OneWelcome (Password), which you have added in the above steps.

It depends on the administrators how they choose to authenticate the organization's employees.
Click Save.

For more information, refer to the Add a Policy section in the STA Online Documentation.

Verify Authentication

Using the STA console

Navigate to the end application SSO URL.

You will be redirected to your STA sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the OneWelcome sign-in page. Enter your OneWelcome login credentials and you should be redirected to the application dashboard.

Using the STA user portal

Navigate to the user portal URL to log in to the STA user portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click on the end application icon, you should be redirected to the OneWelcome sign-in page. Enter your OneWelcome login credentials and you should be redirected to the application dashboard.

Appendix: OneWelcome as an Identity Broker

Identity Brokers allow Service Providers to offer a selection of Identity Providers (authentication methods) to their customers via a single integration. An Identity Broker is an intermediary service that connects Service Providers (SPs) with multiple Identity Providers (IDPs).

Here, OneWelcome functions as an identity broker, redirecting any incoming requests to another IDP based on the configuration. This happens based on the scope parameter. Depending on the scope, OneWelcome decides which identity provider to redirect the authentication request.

This integration enables IDP flow orchestration between STA, OneWelcome ID Broker, and configured third-party IDP. In this external IDP integration, any request coming to STA will be redirected to the OneWelcome ID Broker, and from there, the flow is redirected to another IDP for authentication. Refer to the below workflow:

alt_text

To configure a third-party IDP within the OneWelcome ID broker, refer to the OneWelcome documentation.

On this page

SafeNet Trusted Access

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com