SafeNet Trusted Access (STA) can be integrated with an external identity provider (IDP) to redirect network traffic from STA to the external IDP for user authentication. STA remains the primary IDP while orchestrating the use of an external or secondary IDP.

The external IDP can either be an exclusive authentication method or the second authentication method. It cannot be the first authentication method in a multi-factor authentication environment.

In this documentation, Microsoft Entra ID is used as an external IDP.

Integrating SafeNet Trusted Access with Microsoft Entra ID requires:

1. Configuring STA as an OIDC application in Microsoft Entra ID

2. Adding Microsoft Entra ID as an external IDP in STA

3. Adding Microsoft Entra ID as an authentication method in a STA policy

4. Verifying authentication

Configuring STA as an OIDC Application in Microsoft Entra ID

As a prerequisite, obtain the STA Redirect URI by performing the following steps:

1. On the STA Access Management Console, click Settings > External Identity Provider.

   

2. In the right pane, click Setup.

3. Under Redirect URI, click Copy to copy the redirect URI, and paste it in a text editor for future use.

   

Configuring STA as an OIDC application in Microsoft Entra ID requires:

• Registering an OIDC application

• Configuring tokens

• Granting API permissions to applications

Registering an OIDC Application

Perform the following steps to add an OIDC application:

1. Log in to the Microsoft Entra ID portal as an administrator.

2. On the portal, in the left pane, click Microsoft Entra ID.

   

3. Under Manage, click App registrations.

   

4. In the right pane, click New registration.

   

5. Under Register an application, perform the following steps:

   1. In the Name field, enter a name for the application (for example, SafeNet Trusted Access).

   2. Under Redirect URI (optional), in the drop down list, select platform as Web and in the field, enter the redirect URI that you obtained earlier as the prerequisite.

   3. Click Register.

   

6. Under Essentials, copy the value of Application (client) ID, and paste it in a text editor for future use.

   

7. On the top of the window, click Endpoints.

   

8. Copy the OpenID Connect metadata document URL, and paste it in the text editor for future use.

   

9. In the left pane, click Certificates & secrets > New client secret.

10. In the right pane, under Add a client secret, in the Description field, enter a name for the client (for example, SafeNet Trusted Access), and click Add.

    

11. On the Client secret tab, in the Value column, click on to copy the STA shared secret, and paste it in the text editor for future use.

    

Configuring Tokens

In Microsoft Entra ID, you can select claims to be included in the tokens sent to the applications.

Perform the following steps to configure a token:

1. On the Microsoft Entra ID portal, in the left pane, click Token configuration.

   

2. In the right pane, under Optional claims, click Add optional claim.

   

3. Under Add optional claim, under Token type, select the ID option.

   

4. In the Claim column, select the claims (for example, email) to be included in the ID token for your application.

   

   This integration is tested with the email claim. You can configure claims as per your preferred configuration.

5. Click Add.

   

6. A pop-up window is displayed. Click Add.

Granting API Permissions to Applications

Applications are authorized to call APIs when they are granted permissions. Applications should be granted all the permissions that are required to call APIs.

Perform the following steps to grant API permissions to applications:

1. In the left pane, click API permissions, and in the right pane, click Add a permission.

   

2. Under Request API Permissions, on the Microsoft APIs tab, select the Microsoft Graph tile.

   

3. Under Microsoft Graph, select Delegated permissions.

   

4. Under OpenId permissions, select the email and openid permissions, and click Add permissions.

   

5. Click Grant admin consent for Integration.

   

6. Under Grant admin consent confirmation, click Yes.

   

   Once, you click on Yes, the Status of the added permissions changes to Granted for Integration.

Adding Microsoft Entra ID as an External IDP in STA

Perform the following steps to add Microsoft Entra ID as an external IDP in SafeNet Trusted Access:

1. On the STA Access Management Console, click Settings > External Identity Provider, and click Setup.

2. On the External Identity Provider window, on the top-right side, click Edit.

3. Under Display Names, perform the following steps:

   1. In the IDENTITY PROVIDER NAME field, enter a name for your IDP (for example, Microsoft Entra ID).

   2. In the CREDENTIALS NAME field, enter the authentication method that the external IDP uses (for example, Password).

   In policies, such names are used to identify the external IDP in the format, [Identity Provider Name] ([Credentials Name]) (for example, Microsoft Entra ID (Password).

4. Under Server Details, perform the following steps:

   1. In the CLIENT ID field, enter the client identifier that you copied earlier in Registering an Application Group. This is the OIDC application (client) ID that is used to identify Microsoft Entra ID.

   2. In the CLIENT SECRET field, enter the shared secret that you copied earlier in Registering an Application Group. STA sends the OIDC shared secret to authenticate the redirection request using Microsoft Entra ID.

   3. In the WELL-KNOWN CONFIGURATION ENDPOINT field, enter the URL that you copied earlier in Registering an Application Group.

   4. Click Load to populate the Endpoint URLs and the Issuer fields.

5. Under User Mapping, perform the following steps:

   1. In the REQUEST USER IDENTIFIER field, ensure that E-mail address is selected. This is the STA user attribute that is sent to the external IDP as a part of the authentication request.

   2. In the VERIFICATION USER IDENTIFIER field, ensure that E-mail address is selected. The identifier is generally identical to the request user identifiers. This is the STA user attribute that is used to match with the content of the specified ID token claim.

   3. In the VERIFICATION CLAIM NAME field, enter the same value (for example, email). This is the claim present in the returned ID token that contains the user identifier to be verified.

   Only the claim type email is supported in this release. Other claim types will be supported in the future.

6. Click Save.

   

Adding Microsoft Entra ID as an Authentication Method in a STA Policy

The external IDP (Microsoft Entra ID) is now an authentication method that you can add in STA policies and authentication scenarios.

Perform the following steps to add Microsoft Entra ID as an authentication method in a STA policy:

1. On the STA Management console, click the Policies tab.

2. Click on the icon to add a new policy or a scenario.

3. Enter the name and description of the policy.

4. Under Scope, select the users and applications on which you want to apply the policy.

5. Under Decision, under Authentication methods, select the authentication method as per your preferred configuration.

6. Under External identity provider, select the Microsoft Entra ID (Password) as the external IDP which you have created in the above steps.

7. Click Save.

   

   For more information, refer to Add an exception policy.

Verify Authentication

Using STA Console

Navigate to the end application SSO URL.

You will be redirected to your STA sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the Microsoft Entra ID sign-in page. Enter your Microsoft Entra ID login credentials and you should be redirected to the application dashboard.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click on the end application icon, you should be redirected to the Microsoft Entra ID sign-in page. Enter your Microsoft Entra ID login credentials and you should be redirected to the application dashboard.