Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

STA documentation
- Explore Thales Docs

SafeNet Trusted Access
SafeNet Agents
SafeNet MobilePASS+
API references
Account management
Release notes

All

All

STA Hybrid Access Management Add-On

STA Access Continuum

SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

STA documentation
SafeNet Trusted Access
Authentication
STA Hybrid Access Management Add-On
STA Access Continuum

STA Access Continuum

In many industries, there is a significant need for continued service availability to access critical resources. Such industries are regulated by governments and authorities that enforce service continuity for users while considering data sovereignty and on-premise fallback options during events such as:

Unavailability of internet connectivity enforced due to a cyberattack, war, or another catastrophe.
Purposeful disconnection of STA from the internet to preempt a cyberattack or for a long maintenance window.

These business requirements highlight the need for a robust business continuity solution. This solution should ensure the seamless authentication operation of essential processes before, during, and after STA or internet unavailability.

Solution Approach

The STA Hybrid Access Management solution is extended to provide access continuum, i.e., service continuity for the protected resources. In this solution, the SafeNet Access Exchange (SAE), works as an access exchange, orchestrating the flow to STA or SAS PCE. STA provides adaptive access management and MFA for cloud resources, and SAS PCE acts as the alternative MFA during an outage.

The diagram below outlines the components involved in authenticating users for accessing cloud and on-premises applications:

alt_text

Let’s delve into the respective components:

Cloud and On-prem Apps: Represent any application that end-users are trying to access.
SafeNet Access Exchange (SAE): Acts as an identity broker between the client applications and STA.
STA: An enterprise-class access management and authentication service that includes workflow automation and management tools.
SAS PCE: An alternative authentication server that works in the absence of STA.

Detailed Authentication Workflow

alt_text

The detailed authentication flow steps are specified below:

User Access Request: The process begins when a user tries to access an application.
On-Premise SAE: The user’s request is redirected to an on-premise SAE. This on-premise SAE will serve as an identity broker, the service provider will point to SAS PCE or STA.
STA Availability Check: If cloud Single Sign-On Token (STA) is available and an external Identity Provider (IDP) is enabled in the SAE. The user is redirected to the STA login.
Access Token Post User Authentication: After successful user authentication (which may involve two-factor authentication), an access token is provided. This token represents the user’s authorization to access the application.
STA or Internet Unavailability: When the STA or Internet is unavailable, the user is presented with the SAS-PCE login screen.
User Authentication: The user provides their regular credentials. The SAS-PCE fallback mechanism verifies their identity.
Access Token Passed to Service Provider: Upon successful authentication, an access token is passed to the service provider. The service provider can then validate this token to grant access.
Access Granted: Finally, access is provided to the user. The user can now use the application or service.

Important Key points from the above workflow are:

This solution requires a manual switch from STA to SAS-PCE and vice versa during an outage of STA or the Internet, and during recovery, respectively. This configuration is managed within SAE as part of the STA Access Management Service Pack.
Tokens are not shared between STA and SAS-PCE.
The STA access policies (Global policy and Exception policy) apply exclusively when authentication operates through the primary flow (via SafeNet Trusted Access).
During switching back authentication flow from SASPCE to STA, make sure all the logged-in user sessions and LDAP connections (if created) from SafeNet Access exchange are removed.

Access Continuum Setup

This setup utilizes SAS PCE as an alternative IDP instead of STA, facilitated through SafeNet Access Exchange (SAE) integration.

Pre-requisites

STA Configuration

Setup the tenant operator account as specified here.
End users are already provisioned as mentioned here.

SAS PCE Configuration

A dedicated on-prem machine with SASPCE version 3.20 and above.

Access Exchange Configuration

Realm configuration
User Federation configuration

User Enrollment

Every end user must enroll for authentication tokens separately on both STA and SAS PCE.

Add STA as an Identity Provider in Access Exchange

Once the prerequisites are configured, you can follow the below process to set up the primary flow which involves adding the SafeNet Trusted Access as an external IDP in SAE as mentioned in the diagram. The process involves the following sections:

Generate Redirect URI
Add Access Exchange as OIDC application in STA
Identity Provider Configuration (STA)

Generate Redirect URI

Login to SAE as an administrator.
Select the required realm.
Navigate to the Identity providers section, located on the left side panel of the console.
In the right pane, under User-defined, select OpenID Connect v1.0 from the list.
In the Alias field, enter an alias of your choice. The default value is oidc.
(Optional) In the Display Name field, enter a name of your choice.
Copy the Redirect URI from the SAE console and store it in a text editor for later use.

Add Access Exchange as an OIDC application in STA

Refer here to set up a generic OIDC template.
Copy the items as mentioned in this section (except the logout URL).
In the VALID REDIRECT URL field, enter the Redirect URI from the SAE.
Assign the application to the required users and groups as specified here.

Note

You can apply any customized policy driven by STA as mentioned here.

Identity Provider Configuration (STA)

The OpenID Connect Config fields mentioned in STA as Identity Provider in the SAE section are configured here.

Provide the values of required fields marked with asterisk (*) (from the above section) in the OIDC application (SAE) as shown below.

In Client Authentication field, select the value as Client secret as post.

alt_text

Setup Client in Access Exchange

Access Exchange supports both SAML and OIDC applications added as clients. Follow the below process to set up a client in SAE.

SAML

In the left pane, under Manage, click Import client.
On the Import client window, perform the following steps:
1. In the Resource file field, click Browse and select your Service Providers metadata (.xml) file.
2. Click Save to save the settings:
To download and share SAE metadata to service provider perform the following steps.
1. In the Left pane click Realm Settings.
2. On the Realm settings window, click SAML 2.0 Identity Provider Metadata to get the SAE SAML metadata.

OIDC

In the left pane, under Manage, click Clients, and in the right pane, click Create client.
Under Create Client, perform the following steps:
1. In the General Settings tab, perform the following steps:
  - In the Client type field, select OpenID Connect.
  - In the Client ID field, enter a client ID (for example, your OIDC application).
    
    This ID is an alpha-numeric string that is used to identify the client in OIDC requests.
  - (Optional) In the Name field, enter a name of your choice (for example, your OIDC application).
  - Click Next.
2. In the Capability config tab, perform the following steps:
  - Turn on the Client authentication toggle.
  - In the Authentication flow field, unselect the Direct access grants.
  - Click Next.
3. In the Login settings tab, perform the following steps:
  - In the Valid Redirect URIs field, enter the App Gateway instance URL (for example, https://your OIDC application/*).
  - Click Save to complete the client configuration.

Configure Authentication Flow for External IDP

In the SAE console, go to the Identity providers section, and copy the name of the specified identity provider.
In the SAE console, go to the Authentication section, select flow type (for example, SafeNet LDAP OTP flow), and select the Identity Provider Redirector Auth Type.
Click icon.
Paste the copied value from step 1 into both the Alias and Default Identity Provider fields.
Click Save.

Switch Authentication Flow between STA and SAS PCE

STA as the primary authentication flow

The below configuration enables the direct authentication flow via the STA application.

In the SAE console, under the User Federation section. The Ldap and Sas-user- provider must be set to false.

Note

Ldap authentication is only required if you wish to provide both LDAP + OTP or OTP + LDAP login during authentication with SAS PCE.
Under the Identity providers section, perform the following steps to enable external IdP:
1. Click on the external IdP name (the name selected in the Redirect URI section).
2. In the external IdP, Toggle on the button on top right.
Under the Authentication section, select the required flow.
1. Change Identity Provider Redirector requirement from Alternative to Required.
2. Change SafeNet LDAP OTP Flow Forms requirement from Required to Disabled.
  
  In the below example, SafeNet LDAP OTP Flow is selected. Apart from this flow, SafeNet OTP Flow, SafeNet OTP LDAP Flow and SafeNet OTP UserIdProvided Flow can also be selected. as per the requirement.

STA End-User Flow

When the end-user tries to authenticate to the target application through STA, they will see the URL and screenshot below.

URL Structure

https://< STA URL >/auth/realms//login- actions/authenticate?sessioncode....

Login Screen

alt_text

Alternate Authentication Flow

SAS PCE as alternate authentication flow

The below configuration enables the authentication redirection via the SAS PCE application.

In the SAE console, under the User Federation section. The Ldap and Sas-user-provider must be Enabled.

Note

Ldap authentication is only required, if you wish to provide both LDAP + OTP or OTP + LDAP login during authentication with SAS PCE.
Under the Identity providers section, perform the following steps to disable the external IdP:
1. Click on the external IdP name (the name selected in the Redirect URI section).
2. In the external IdP, Toggle off the button on top right.
Under the Authentication section, select the required flow,
1. Change Identity Provider Redirector requirement from Alternative to Disabled.
2. Change SafeNet LDAP OTP Flow Forms requirement from Disabled to Alternative.
  
  In the below example, SafeNet LDAP OTP Flow is selected. Apart from this flow, SafeNet OTP flow, SafeNet OTP LDAP flow and SafeNet OTP UserIdProvided flow can also be selected. as per the requirement.

SAS PCE End-User Flow

When SAS PCE is implemented as the alternate authentication flow, the end-user will observe the following URL structure and screenshot.

URL Structure

https://< SASPCE URL>/realms//protocol/openid- connect/auth?client_id…..

Login Screen

alt_text

Frequently Asked Questions

Q1: Would STA BCP strategy support automated switching from STA to SAS PCE during planned maintenance?
Ans: Currently, only manual switching is supported from SafeNet Access Exchange.

Q2: What are the key considerations while switching back authentication flow from SASPCE to STA?
Ans: During switching back from SASPCE to STA, make sure all the logged-in user sessions and LDAP connections (if created) from SafeNet Access exchange are removed.

Q3: Is it mandatory to synchronize the users from source directory to both STA and SASPCE?
Ans: Every user for whom business continuity is required must be synchronized from source directory to both STA and SASPCE. However, in your test environment you may create same user in both SASPCE and STA.

Q4: Does each user require token enrollment in STA and SAS PCE separately?
Ans: Yes, it is recommended to synchronize and enroll the tokens of users in both STA and SAS PCE.

Q5: Is it required to integrate all the applications with SafeNet Access Exchange (SAE) for business continuity plan?
Ans: It is recommended to integrate only business critical applications with SAE for which business continuity is required in the event of STA or internet unavailability. All non-critical apps can directly be integrated with STA.

Q6: Does STA Access Continuum support business continuity for non-OIDC/SAML (custom) web apps?
Ans: Yes, it is supported using SafeNet App Gateway. Refer to the following link for more details.

Q7: What all User Stores STA Access Continuum is compatible with?
Ans: So, far this solution has been tested with LDAP where the identity source taken was Active Directory.

Q8: During the switch over from STA to SAS PCE, will the application policy applied in STA continue to function?
Ans: The STA access policies (Global policy and Exception policy) are only effective when authentication is conducted through the primary flow via STA.

Q9: Would Group driven Access of application will remain if switched to SASPCE?
Ans: No since the policies on STA will be nullified after switchover to SASPCE. The group driven access will also be void. That means during the authentication with SASPCE, every user will get access to all the applications. It is recommended to plan application level access during the switchover.

Q10: I have multiple realms, each connected to different STA tenant in my setup. How switching from STA to SASPCE and vice versa will be handled?
Ans: For each realm, the switch must be triggered manually.

Q11: Is Office 365 Application supported by SafeNet Access Exchange (SAE) under business continuity plan?
Ans: No, it is not currently supported.

On this page

SafeNet Trusted Access

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com