Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

STA documentation
- Explore Thales Docs

SafeNet Trusted Access
SafeNet Agents
SafeNet MobilePASS+
API references
Account management
Release notes

All

All

Access policies

Global access policy

SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

STA documentation
SafeNet Trusted Access
Access policies
Global access policy

Global access policy

An account must have a global access policy. The single global policy is, in effect, the default or fallback policy that is evaluated only if no exception policies match the scope of the access request. The scope of the global policy applies to all user groups and applications by default, and you cannot change the scope. You can configure only the default access requirements that apply to all users and applications.

STA is delivered with a global policy that is configured with the following access requirements by default: domain password once per session and OTP every access attempt.

alt_text

Access policies apply strictly to traffic from applications that are configured on the STA Access Management console, on the Applications tab. Access policies do not apply to traffic that comes through the authentication nodes that are configured on the STA Token Management console (including RADIUS).

The first time that you access the Policies tab, STA prompts you to set your global policy and (optionally) a scenario. After you save a global policy, these prompts no longer display. However, you can edit the global policy at any time.

On the STA Access Management console, select the Policies tab.

Select the credentials with which all users must authenticate:
- Password: Require users to authenticate with their domain password at specified times.
  
  To use the domain password, you must use the SafeNet Synchronization Agent to synchronize the domain password from Active Directory (AD) with the STA server.
  
  If you use password authentication, you can also select the following option:
- Allow Integrated Windows Authentication (Kerberos): When you select this option, STA accepts the Kerberos ticket that was acquired when the user logged in to their current Windows session. Users do not have to re-enter their password each time they access an application that is secured by STA access policies. However, the user might still be prompted for an OTP if the policy requires it.
  
  This option is available only if integrated Windows authentication is configured on the Settings tab. It also requires that the AD and STA establish a trust relationship.
- OTP: Require users to authenticate with a one-time password (OTP) at specified times.
- Password and OTP: When both a password and an OTP are required for authentication, STA prompts the user for the password first.
- FIDO: Users must log in with their built-in authenticator or security key, such as Windows Hello for Business and FIDO2 authenticators. FIDO cannot be used in combination with an OTP or with CBA. This option is available only if FIDO authentication is enabled on the Settings tab.
- Certificate-based authentication (CBA): Users authenticate with a software or hardware certificate, such as a smart card, that is issued by a certificate authority (CA). This option is available only if at least one issuing CA is configured on the Settings tab.
  
  CBA is available with only the STA Premium subscription plan.
- External IDP: STA orchestrates the use of secondary, external IDPs, such as SAS PCE or Microsoft Entra ID. Each external IDP can be either the only authentication method or the second factor of authentication. It cannot be the first factor in multi-factor authentication.
  
  IDP orchestration is available with the STA and STA Premium subscription plans.
Select how often users must provide their credentials:
- Once per session: Prompt the user to authenticate once per STA SSO session within a browser.
- If not verified in the last [number of minutes or hours]: Prompt the user to authenticate at least every N minutes or hours. Select the value that meets your organization's requirements. The values supported by STA are: 5, 10, 15, 30, 45, or 60 minutes; as well as 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, or 12 hours.
  
  Use this option to provide a presence check for sensitive applications by requiring users to re-authenticate if the specified number of minutes or hours have elapsed since they last accessed the application.
  
  Between this setting and the single sign-on session timeout, the shortest setting takes precedence.
- Every access attempt: Prompt the user to authenticate regardless of whether they previously authenticated in the current STA SSO session.
  
  If you use CBA, some certificates and their drivers might have their own session, apart from the STA SSO session, and might not prompt a user for authentication. For example, the user might not be prompted to authenticate as long as a smart card is inserted in a computer.
Click Save.
(Optional) Add a scenario.

On this page

SafeNet Trusted Access

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com