Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

STA documentation
- Explore Thales Docs

SafeNet Trusted Access
SafeNet Agents
SafeNet MobilePASS+
API references
Account management
Release notes

All

All

Access policies

Logon policies

SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

STA documentation
SafeNet Trusted Access
Access policies
Logon policies

Logon policies

The logon policy applies to every logon agent that is configured on the Applications tab in STA and deployed. The policy does not apply to SafeNet Agent for Windows Logon that are not configured on the Applications tab.

The logon policy is evaluated only when the user's machine is running the logon agent. It allows you to specify whether the user must provide their one-time password (OTP) on the lock screen.

If there is a machine that is shared by users from multiple virtual servers, you can share the Windows Logon agent from a parent virtual server to child virtual servers. In that case, the logon policy from the parent applies to the virtual servers that the agent is shared with.

Configure the global logon policy

By default, the global logon policy applies to all users and to every SafeNet Agent for Windows Logon that is configured on the Applications tab.

You can configure whether the user must provide their OTP for re-authentication.

On the STA Access Management console, select the Policies tab.
Select the Logon tab.
If this is your first time setting up a global logon policy, select Set Your Global Logon Policy.

After you save the global logon policy, this prompt no longer displays.
If the Set Your Global Logon Policy prompt doesn't display, on the Global Logon Policy for STA, select Edit.

By default, the global logon policy for STA applies to all users and all logon agents. When a logon or unlock attempt occurs, then access is granted after authenticating with the domain password and OTP. The Password and OTP for logon options are selected by default and you cannot clear these checkboxes. You can configure only the options under OTP for logon and the OTP for unlock option.
Under Authentication Methods, select the requirements for authenticating with OTP for logon:
- Every access attempt: Prompt users for their OTP every time they log on.
- Once every <amount of time>: After the selected amount of time passes, prompt users for their OTP. STA supports periods of: 1, 2, 3, 8, 9, 10, 11, or 12 hours; 1, 2, or 3 days; or 1 week.
To require an OTP at unlock, under Authentication Methods, select the OTP for unlock check box, and then select requirements for authenticating:
- Every access attempt: Prompt users for their OTP every time they unlock their machine.
- Once every <amount of time>: After the selected amount of time passes, prompt users for their OTP. STA supports periods of: 1, 2, 3, 8, 9, 10, 11, or 12 hours; 1, 2, or 3 days; or 1 week.
Select Save.
To add a scenario that checks the IP addresses of your users, continue with Specify IP addresses.

The logon policy has no effect until you configure SafeNet Agent for Windows Logon on the Applications tab and then deploy it.

Specify the IP addresses to synchronize with the policy or configure the SafeNet Agent for Windows Logon.

Specify IP addresses

The SafeNet Agent for Windows Logon allows you to base the unlock policy on the IP addresses of your users. The IP address condition checks whether the access attempt originates from inside or outside the IP address ranges that you specify.

The re-authentication time for Windows unlock is determined based on the public IP range that is specified in the policy. After the re-authentication time expires, users who are enabled with this policy are prompted for an OTP.

If you are still in the first configuration flow for the global logon policy, select Ok, let's add a scenario.
If the scenario prompt doesn't display, below the Global Logon Policy for STA, select Add Scenario.
Enter the Scenario name.
In the Conditions section, ensure that the IP Address condition is selected and expanded.
Select one of the following options:
- Inside these networks: Checks whether the access request originates from an IP address that is included in the network.
- Outside these networks: Checks whether the access request originates from an IP address that is not included in the network.
In the text box, enter each IP address or IP address range on a new line, and use these formats:
- Single IP address: 1.1.1.1
- Range of IP addresses: 1.1.1.1-1.1.1.255
Select Save.

The logon policy has no effect until you configure SafeNet Agent for Windows Logon on the Applications tab and then deploy it.

Set a passwordless logon policy or configure SafeNet Agent for Windows Logon.

Set the passwordless logon policy

The passwordless logon policy defines who can use Passwordless Windows Logon. Passwordless Windows Logon provides strong authentication and an enhanced user experience when accessing workstations. The passwordless logon policy does not support scenarios.

The passwordless logon policy applies to the selected user groups only if the requirements are met:

Passwordless authentication is enabled on the machine.
Version 4.0 and later of SafeNet Agent for Windows Logon is installed on the machine.
The user completes the passwordless enrollment.

By default, the global logon policy applies to all the users of a tenant. However, the passwordless logon policy takes precedence over global logon policy for the group/groups of users, if it is enabled for them. Also, for all fallback from passwordless to password scenarios, the global logon policy will be applicable.

You can set the scope of the passwordless logon policy to apply to all users or to specific user groups. The global logon policy applies to any users who are within the scope of the passwordless logon policy.

If you are still in the first configuration flow for the global logon policy, select Set Your Passwordless Logon Policy.
If the passwordless logon policy prompt doesn't display, select Passwordless Logon Policy.
Set the scope for the passwordless logon policy:
- All Users
- Any of these User Groups and then enter the user group names.
Select Save.
On the Congratulations screen, select I'm Done.
The passwordless logon policy has no effect until you enable it.

The logon policy has no effect until you configure SafeNet Agent for Windows Logon on the Applications tab and then deploy it.

On this page

SafeNet Trusted Access

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com