Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

STA documentation
- Explore Thales Docs

SafeNet Trusted Access
SafeNet Agents
SafeNet MobilePASS+
API references
Account management
Release notes

All

All

Authentication

External FIDO management

SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

STA documentation
SafeNet Trusted Access
Authentication
External FIDO management

External FIDO management

If you manage FIDO authenticators in an external Credential Management System (CMS), you can use the REST API for STA to export those authenticators into SafeNet Trusted Access (STA).

Using STA with an external CMS, such as vSEC:CMS from Versasec, enables you to manage the lifecycle of your FIDO authenticators in the CMS, and to provide strong user authentication with STA. You retain control over the enrollment process and can follow your approved security procedures to ensure secure access to protected resources.

After you export the authenticators into STA, the authenticators are in the pending state. When the user confirms their identity and activates their assigned authenticator, the state changes to active.

Authentication flow with an external CMS

When you use STA with an external CMS to manage your FIDO authenticators, authentication flows as follows:

In STA, allow FIDO authenticators to be imported.
In the external CMS, enroll the FIDO authenticators.
The external CMS uses the authenticator management API POST method to export the FIDO authenticators to STA.
In STA and on the user portal, the imported FIDO authenticators appear in the pending state.
The user tries to authenticate to a resource that is protected with a FIDO policy.
The user proceeds through activation for their pending FIDO authenticator.
The FIDO authenticator is activated in STA and the state changes to active.
You manage the FIDO authenticator lifecycle in the external CMS. Any updates to the FIDO authenticator are synchronized to STA.

Allow authenticator import

On the STA Access Management console, specify whether FIDO authenticators are allowed to be imported.

Select Settings > FIDO-Based Authentication.
Select Edit.
Turn on the toggle so that Authenticator import via API is enabled.
Select Save.

FIDO activation for users

The activation flow for imported FIDO authenticators is triggered only if the user has a pending FIDO authenticator.

In the activation flow, a separate, additional identification factor is validated to ensure that the user is in possession of the authenticator.

Pending authenticators

When the authenticator was imported via the API, but the user has not yet confirmed their identity, they must activate their authenticator before they can log in:

The user tries to access a resource that is protected with a FIDO policy.
STA detects that there is at least one pending FIDO authenticator that is associated with this user.
The login page asks the user to activate a pending authenticator.
After the user clicks Activate Authenticator, they confirm their identity by entering their password or the verification code that was emailed to them.
Finally, the user logs in with their activated FIDO authenticator.

Imported FIDO authenticators on the STA console

On the STA Access Management console, on the Users tab, the Authenticators list shows the status (Pending or Active) of FIDO tokens.

Authenticator states

The pending state identifies FIDO authenticators that were imported into STA using the API, but that the user has not yet activated. Active FIDO authenticators were either imported authenticators that users activated, or authenticators that were created in STA.

Each user in STA can have multiple FIDO authenticators that are managed externally and imported using the API.

The option to delete authenticators is not available for imported FIDO tokens, because they are managed externally in vSEC:CMS.

Imported FIDO authenticators on the user portal

Users can see the status of their FIDO authenticators on the user portal. Pending authenticators include a tip that informs the user to activate the authenticator the next time that they log in to a resource that is protected with a FIDO policy.

Imported FIDO tokens on the user portal

Active and pending FIDO authenticators

If the user has both an active and a pending FIDO authenticator, the login screen includes an option to skip the activation flow:

Skip FIDO activation

When the user clicks Not now, they proceed to log in with their existing, active FIDO authenticator.

Authenticator activation flow

Users activate their externally managed FIDO authenticators, and then use them to log in.

After a user activates their FIDO authenticator, the authenticator's status changes from pending to active.

The user accesses a login page, such as the user portal login page, and enters their Username.
The user selects Activate Authenticator.
Thee user enters the Verification code that the system sent to their email.
The user follows the browser instructions for their FIDO authenticator. For example, they enter the security key PIN and then touch the authenticator.
The user enters or verifies the Authenticator Nickname.
The user follows the browser instructions to log in with their activated FIDO authenticator.

Imported FIDO authenticators in the audit logs

The audit logs identify the import and activate actions.

Audit logs with import and activate

On this page

SafeNet Trusted Access

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com