Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

STA documentation
- Explore Thales Docs

SafeNet Trusted Access
SafeNet Agents
SafeNet MobilePASS+
API references
Account management
Release notes

All

All

STA Hybrid Access Management Add-On

Balancing Security and Flexibility with Hybrid IAM

SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

STA documentation
SafeNet Trusted Access
Authentication
STA Hybrid Access Management Add-On
Balancing Security and Flexibility with Hybrid IAM

Balancing Security and Flexibility with Hybrid IAM

You can integrate SafeNet Trusted Access (STA) with SafeNet Authentication Service Private Cloud Edition (SAS PCE), by configuring SAS PCE as the external identity provider (IDP) in STA. This hybrid deployment model enables you to provide protection for cloud applications with STA in the cloud, and secure authentication through SAS PCE on premises. Any existing on-premises or cloud-based applications continue to work as before with SAS PCE and STA, and users can use the same authenticator for all applications.

When SAS PCE operates as the external IDP, it uses SafeNet Access Exchange, which redirects traffic from STA to SAS PCE. STA remains the primary IDP, orchestrating the use of SAS PCE as a secondary, external IDP, that provides additional authentication where needed. As the external IDP, SAS PCE can be either the only authentication method or the second factor of authentication. It cannot be the first method of authentication in the order of authentication.

STA for cloud and SAS PCE for on-premises applications

You can keep user data in the cloud to a minimum, and reserve access to cloud applications for groups that need it. Users are synchronized independently to SAS PCE and STA. Users who don't need to access cloud applications don't need to be synchronized to STA.

This solution provides control, enabling you to protect your on-premises resources and shield them from the risk of internet disruptions. When authentication is redirected to SAS PCE, your multi-factor authentication (MFA) token secrets can remain on premises.

You can use SAS PCE as the external IDP for STA to facilitate the gradual migration from SAS PCE to STA, because users can authenticate with the same on-premises OTP token for both SAS PCE- and STA-protected resources. You have the option to migrate users to STA with self-provisioning or with token migration through professional services.

Login interface and language

The external IDP is entirely responsible for the login interface that it presents. This responsibility also includes any language selection logic that you must manage independently of STA on the external IDP.

When SAS PCE is the external IDP with SafeNet Access Exchange, you can configure SafeNet Access Exchange to use the language that the user selects on the STA IDP login page. This means that the language selected on the STA login page is also selected on the login screen shown by SafeNet Access Exchange. This gives the user a unified login experience. For information about how to configure the SafeNet Access Exchange IDP to use the custom language, see language-selection.

External IDPs and subscription plans

IDP orchestration is available in the STA and STA Premium subscription plans. It is not available in the STA Basic plan.

If you configure an external IDP and then later downgrade to the STA Basic plan, the external IDP becomes unavailable:

When you remove the external IDP from a policy or scenario, then you cannot select it again until you upgrade the virtual server to the STA or STA Premium plan.
When you disable the external IDP, you cannot enable it again until you upgrade the virtual server to the STA or STA Premium plan.

External IDP in policies or scenarios

The configured external IDP becomes an authentication method that you can select in STA policies and scenarios. STA redirects authentication to SAS PCE through policies or scenarios, based on group membership, application, or context. STA can redirect access requests that come from any of the following types of applications that are integrated on the Applications tab:

SAML-integrated applications
OIDC-integrated applications
Agent applications that are configured on the Applications tab, such as SafeNet Agent for Microsoft Outlook Web App.

Components in the implementation with SafeNet Access Exchange

SAS PCE and STA have separate management consoles. In SAS PCE, you manage tokens. In STA, you manage cloud applications and access policies.

The redirection from STA to the external IDP is executed internally through the OIDC protocol. SAS PCE handles OIDC through the SafeNet Access Exchange.

This implementation requires you to configure several components:

STA: You can configure one external IDP for each virtual server, and then use that external IDP in your policies and scenarios. IDP redirect requires connectivity between STA and the external IDP that is SAS PCE Enterprise.
SAS PCE Enterprise
- SAS PCE: Your virtual server includes the users who will authenticate with STA and the external IDP
- SafeNet Access Exchange: This SafeNet Access Exchange serves as a bridge between STA and SAS PCE.

Configure the STA Hybrid Access Management Add-On

You can configure one external IDP in each virtual server. You need to set up the two-way communication between STA and SAS PCE:

Configure SafeNet Access Exchange for SAS PCE: Create a realm and configure STA user federation.
Configure communication between STA and SafeNet Access Exchange: In SafeNet Access Exchange, create a client and a mapper for STA.
Configure the external IDP in STA: Configure STA using information from SafeNet Access Exchange.

In STA, after you add SafeNet Access Exchange as an external IDP, add a respective authentication method in a policy or scenario.

Configure SafeNet Access Exchange for SAS PCE

It is necessary to create a communication between SafeNet Access Exchange and SAS PCE. The communication is setup within a realm of SafeNet Access Exchange.

A realm manages a set of users, credentials, roles, and groups. Each realm is isolated from other realms and can manage and authenticate only the users under its control.

After a communication is set up between SafeNet Access Exchange and SAS PCE, SafeNet Access Exchange retrieves all necessary user information from SAS PCE. Users can authenticate using their SAS PCE user ID or any aliases configured in SAS PCE.

Follow the below steps described in Realm Creation and Authentication Flow to use either the SafeNet Access Exchange admin console or the realm JSON file (SafeNetOTPRealm.json):
1. Manually configure the realm by populating different UI fields
2. Import all required configuration from SafeNetOTPRealm.json
Set up User Federation between SafeNet Access Exchange and SASPCE. Refer to the User Federation Setup section in the SAS PCE documentation for detailed configuration steps.

Configure communication between STA and SafeNet Access Exchange

Once the realm and user federation are configured in SafeNet Access Exchange (SAE), it needs to be added as an external IDP in STA.

In STA, after you configure the external IDP, you must enable it before you can select it as an authentication method in policies or scenarios. You cannot disable the external IDP when no enabled policies or scenarios refer to it. You can only enable a disabled policy or scenario that refers to the external IDP when the external IDP is enabled.

Configuration is required in both STA and SafeNet Access Exchange. In STA, you configure the external IDP settings, while in SafeNet Access Exchang, you create a client and a mapper. The external IDP can be configured on each virtual server.

When you configure STA and SafeNet Access Exchange, you go back and forth between the STA Access Management console and the SAE Admin Console to copy and paste some information.

Complete these steps to configure the two-way communication between STA and SafeNet Access Exchange:

These steps must be performed within the same SafeNet Access Exchange realm.

Copy the Redirect URI from STA
Create a client in SafeNet Access Exchange
Create a mapper for the client in SafeNet Access Exchange
Configure the external IDP in STA

Copy the Redirect URI from STA

On the STA Access Management console, select Settings > External Identity Provider. If no external IDPs have been added, select Setup.
On the External Identity Provider page, select Set up new IDP.
Under Redirect URI, click Copy. You need to use this URI when you configure the client in SafeNet Access Exchange.

Keep this page open in STA while you configure SafeNet Access Exchange, so that the Redirect URI doesn't change. If you leave the External Identity Provider page without saving the settings, a new Redirect URI is generated.

Create a client in SafeNet Access Exchange

Log in to the SafeNet Access Exchange Admin Console. You can go directly to the console URL:
- If you log in from the same machine, the console URL is:
  
  http://localhost:8080/auth/admin/
- If you log in from a different machine, the console URL is:
  
  https://<FQDN or IP Address of your SafeNet Access Exchange host>/auth/admin
Select the realm that you created in SafeNet Access Exchange earlier.
In the Configure menu on the left, select Clients.
Click Create client on the right.
Under Create Client, perform the following steps:
1. Under General Settings, perform the following steps:
  - In the Client type field, select OpenID Connect.
  - In the Client ID field, enter a client ID. This ID is an alpha-numeric string that is used to identify the client in OIDC requests.
  - Click Next.
2. Under Capability config, perform the following steps:
  - Turn on the Client authentication toggle.
  - Click Next.
3. Under Login settings, perform the following steps:
  - In the Valid Redirect URIs field, paste the value that you copied from the STA Access Management console > Settings > External Identity Provider > Redirect URL field. Click the plus + sign to add the URI.
  - Click Save to complete the client configuration.

Create a mapper for the client in SafeNet Access Exchange

Go to the Client scopes tab.
Under Assigned client scope., click on the client ID that you entered while creating the client.
On the Mappers tab, click Configure a new mapper.
On the Configure a new mapper window, select the User Attribute mapping.
On the Add mapper window, perform the following steps:
1. Enter a Name for the mapper.
2. Enter a User Attribute (for example, Email address).
3. Enter a Token Claim Name (for example, email).
4. Select a corresponding Claim JSON Type (for example, String).
5. click Save.

Configure the external IDP in STA

Go back to the External Identity Provider page in STA.
Under Display Names, in the Identity Provider Name field, enter a friendly name for the IDP.

The identity provider name is used in the access logs, policies, and scenarios, but is not visible to your users.
In the Credentials Name field, enter the authentication method that the external IDP uses.

For example, the authentication method might be FIDO, OTP, push, bio, password, context, and so on.

In policies, the display name is used to identify the external IDP in the format [Identity Provider Name] ([Credentials Name]), such as SafeNet Access Exchange (password).
Under Server Details, enter the Client ID and the Client Secret from SafeNet Access Exchange.
- For the Client ID, use the SafeNet Access Exchange client that you created earlier.
  
  The client ID is the OIDC application (client) ID that is used to identify SafeNet Access Exchange as the external IDP.
- For the Client Secret, use the SafeNet Access Exchange value in Clients > Credentials > Client Secret.
  
  STA sends the OIDC shared secret to authenticate the redirection request with SafeNet Access Exchange.
Enter the Well-Known Configuration Endpoint URL from SafeNet Access Exhange.
- In SafeNet Access Exhange, go to Realm Settings > General > Endpoints, and then right-click and copy the OpenID Endpoint Configuration URL.
Click Load to populate the endpoint URLs and the Issuer:
- Authorization Endpoint: This is the URL to which the user is redirected to authenticate.
- Token Endpoint: When authentication is successful, an authorization code is sent to this URL to obtain an ID token and an access token.
- Token Keys Endpoint: This is the URL that is used to retrieve the key that is needed to validate the ID token signature.
- Issuer: This is the issuer string that is used to validate the keys for the ID token signature.
Under User Mapping, select the user attributes to represent the user ID in the redirection to the external IDP:
- Request User Identifier: This is the STA user attribute that is sent in the authentication request to the external IDP.
- Verification User Identifier: This identifier is usually identical to the request user identifier. It is the STA user attribute to match with the content of the specified ID token claim.
- Verification Claim Name: This is the name of the mapper that you created in SafeNet Access Exchange.
Click Save and turn on the toggle at the top-right of the page to enable the external identity provider.

Add the external IDP in a policy

The configured external IDP becomes an authentication method that you can select in STA policies and scenarios. The redirection to the external IDP becomes part of the decision about whether to grant access, based on group membership, application, or context.

On the STA Access Management console, select Policies.
Select the policy or scenario and then select Edit.

Alternatively, you can create a new policy or scenario.
Under Decision, in the Authentication Methods section, select External IDP, and then Select an IDP from the list.

The external IDP is identified using the IDP name and credentials name that are configured in Settings > External Identity Provider and use the format [IDP Name] ([Credentials Name]), such as SAS PCE (OTP).
Select how often users must authenticate:
- Once per session: Prompt the user to authenticate once per STA SSO session within a browser.
- If not verified in the last [number of minutes or hours]: Prompt the user to authenticate at least every N minutes or hours. Select the value that meets your organization's requirements. The values supported by STA are: 5, 10, 15, 30, 45, or 60 minutes; as well as 2, 3, 4, 5, 6, 7, or 8 hours.
  
  Use this option to provide a presence check for sensitive applications by requiring users to re-authenticate if the specified number of minutes or hours have elapsed since they last accessed the application.
  
  Between this setting and the single sign-on session timeout, the shortest setting takes precedence.
- Every access attempt: Prompt the user to authenticate regardless of whether they previously authenticated in the current STA SSO session.
  
  If you use CBA, some certificates and their drivers might have their own session, apart from the STA SSO session, and might not prompt a user for authentication. For example, the user might not be prompted to authenticate as long as a smart card is inserted in a computer.
Select Save.

IDP orchestration in the logs

IDP orchestration is logged in the authentication logs and the access logs.

alt_text

IDP orchestration in the authentication logs

On the STA Token Management console, the authentication logs are available in Snapshot > Authentication activity.

The logs use the Identity Provider Name and Credentials Name that are specified in Settings > External Identity Provider.

Each type of activity includes different log entries:

Initiation of the redirection: The initiation of the redirection by STA includes the following information in the logs:
- Timestamp: The time when the redirection initiated.
- Result: Redirection
- Credential Type: [Credentials Name]
- Message: Redirection to [Identity Provider Name] for [Credentials Name] authentication.
Success: The successful response from the external IDP is logged:
- Timestamp: The time when the response was returned, or the timeout time in case no response was received.
- Result: Success
- Credential Type: <Credentials name >
- Message: Redirection to [Identity Provider Name] for [Credentials name] authentication.
Failure: The failure in redirection to the external IDP is logged:
- Timestamp: The time when the response was returned, or the timeout time in case no response was received.
- Result: Failure
- Credential Type: <Credentials name >
- Message: Timing out without response from <Identity Provider Name>.

IDP orchestration in the access logs

The redirection to the external IDP is recorded in the access logs:

The Credentials field includes the Credentials Name that is configured in Settings > External Identity Provider.
When there is a failure due to timing out without a response from the external IDP, the Reason is Redirection timeout.

On this page

SafeNet Trusted Access

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com