SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

Integrated Windows Authentication (Kerberos)

You can configure SafeNet Trusted Access (STA) to automatically authenticate users with the Kerberos protocol applied by Integrated Windows Authentication if they first open their session from a Windows domain-joined device with their user name and domain password. In this case, for STA policies and scenarios that require password authentication, a user does not have to re-enter their password each time they access a protected application. However, if the policy requires multiple authentication factors (for example, password and token-based authentication), the additional factors are still required.

Each authentication attempt using Integrated Windows Authentication is recorded as using Kerberos credentials.

This feature is available with the STA and STA Premium subscription plans only.

Integrated Windows Authentication includes the following tasks:

Configure Integrated Windows Authentication
Add Integrated Windows Authentication to a policy
Configure browser settings for your users

Configure Integrated Windows Authentication

On the STA Access Management console, select the Settings tab.
Select Integrated Windows Authentication.
Select Setup and then follow the AD configuration instructions that are displayed.

You can copy or email the instructions to use as a reference.
Select Next.

The STA setup instructions display.
Select Upload and follow the prompts to upload the AD Keytab file that was generated in step 3.

The Keytab file details display.
Under User Mapping, select the SafeNet Trusted Access attribute to which the user authenticated by the Kerberos ticket will be mapped.

The system uses this mapping to validate that the user information found in the Kerberos ticket maps to the STA user that has requested the authentication.

The attribute choices include: STA user ID, UPN, email address, aliases, and custom names.
Under User ID Management > User ID Automation, select the login method:
- None - Requires that the user enter their User ID and click Login.
- Autofill - Prefills the Username field with the User ID that is extracted from the Kerberos ticket. The user must click Login to submit the login request.
- Auto submit - Prefills the Username field with the User ID that is extracted from the Kerberos ticket and submits the login request.
Under User ID Management > User ID Format, select the format of the User ID that is extracted from the Kerberos ticket and presented as the username at login:
- UPN - For example, username@example.com.
- User account name - For example, username only.
Click Finish.

The Enable Integrated Windows Authentication prompt displays.
Click one of the following options:
- Enable - Implements Integrated Windows Authentication for all users.
  
  When Enable is selected:
  - If either Autofill or Auto submit is selected (see step 7), Integrated Windows Authentication becomes immediately active for all users.
  - Policies can be configured to allow Integrated Windows Authentication as an alternative to a password login. For details, see Add Integrated Windows Authentication to a policy.
- Keep Disabled - Saves the Integrated Windows Authentication configuration in a disabled state.
Ensure that end-user browser settings are set correctly for your users before selecting Enable.

Add Integrated Windows Authentication to a policy

To add Integrated Windows Authentication as an authentication method within a policy scenario:

On the STA Access Management console, select the Policies tab, select a policy and then click .

The policy details display.
Select Password and one of the following options:
- Once per session
- Every access attempt
Select Allow Integrated Windows Authentication (Kerberos) and then click Save.

Configure browser settings for your users

The settings in this section must be configured on the browser of end-users whom authenticate with Integrated Windows Authentication.

Browser	Steps
Chrome or Internet Explorer 11	From your Chrome or Internet Explorer 11 browser, select Internet Properties > Security. Click Sites. Enter your IdP URL (for example, https://idp.safenetid.com or https://idp.eu.safenetid.com) in the field provided. Click Add and then click Close. Click Custom level.... Select User Authentication > Logon > Automatic logon with current user name and password and then select OK.
Edge	From your Edge browser, select Internet Options > Security > Local Intranet > Sites > Advanced > Add IDP URL. Enter the IdP URL (for example, https://idp.safenetid.com or https://idp.eu.safenetid.com) in the field provided. Click Add and then click Close. Select one of the following options: Automatic login with current username and password Automatic logon only in intranet zone for the Local Intranet zone Click OK.
Firefox	From your Firefox browser, enter about:config as the target URL. Enter network.negotiate-auth.trusted-uris as the preference name. Enter the IdP URL (for example, https://idp.safenetid.com or https://idp.eu.safenetid.com) as the string value and click OK.

Suggest A Change

Integrated Windows Authentication (Kerberos)

Configure Integrated Windows Authentication

Add Integrated Windows Authentication to a policy

Configure browser settings for your users

On this page