SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

Mobile app for API access management

The demo application is designed to demonstrate API access management through an API gateway. This demo includes a retail API (stores and warehouses) and an application that uses those APIs to allow a user to log in and view or move stock between stores and warehouses.

The application shows a proper user interface and consumes the back-end API. The application itself is not aware of any access constraints, but it is aware that some functions are public and require application authentication, which showcases the client credentials flow. The client credential flow is a machine-to-machine (M2M) flow and happens without user intervention.

Other functions require user authentication, using an OIDC authorization code flow with PKCE. For the authorization code flow, the user is redirected to the IDP in a webview to authenticate.

Source Code

Android

The application is designed using the MVVM pattern. The application language is Kotlin.

The application uses the AppAuth library for all OIDC communication and can be found here:

https://github.com/openid/AppAuth-Android

Rest APIs are managed through the Retrofit2 library.

iOS

The application is designed utilizing the MVVM pattern. The application language is Swift with SwiftUI for the UI side.

The application uses the AppAuth library for all OIDC communication and can be found here:

https://github.com/openid/AppAuth-iOS

Mobile app walkthrough

The mobile application includes a map screen. Tapping any marker on the map opens the retail location information card.

To switch to viewing warehouses, tap the tab at the top of the screen.

alt_text

Tap List to open the Location screen, where you can see the list of available locations on the map. This makes it easier to find a particular store if the markers are cluttered or spread out.

alt_text

Tap View Product List to view a retail location's list of products.

If you view the product list for a warehouse, you have the option of trying to move the item to a store location. This functionality is not available for stores, because you cannot move products from a store to another store.

alt_text

On Android, you can access the menu at the top-left of the map screen. From the menu, you can access the login process, where you log in to a STA instance and gain employee or manager permissions for the protected APIs. To go back, tap the back (or triangle) button on your Android device.

alt_text

On iOS, you can pull out the menu from the top-left button. The menu is displayed using a navigation view. The login flow is the same as on Android.

alt_text

Install the demo app

Android

This application is not hosted on the Play store, so you need to sideload it onto your device or emulator.

The precompiled demo app is available on GitHub:

https://github.com/ThalesGroup/sta-api-access-management/blob/master/releases/android/APIProtectionDemo-1.0-release.apk

If you use Genymotion, follow the Genymotion installation process first. After your emulator is running, drag and drop the Android Package (APK) file onto the emulator to trigger an installation.

If you are using a personal device, you need to sideload it. You can either email the application to your device, or sideload it via the Android Debug Bridge (adb). For some solutions for sideloading a device, follow a guide such as:

How to sideload apps on Android:

iOS

This application is not available on App Store, and because of the app signing limitations, there is no available iOS App (IPA) file that can be sideloaded. To install the app on a device, you need to pull the repo, build the project, and configure the relevant signing identities.

You can find the source code and build instructions on GitHub:

https://github.com/ThalesGroup/sta-api-access-management/tree/master/Mobile%20Application/iOS

Configure the demo app

The mobile application can be configured to work with your own server.

Create a JSON file using the following schema example. Make sure it ends in .json.

Email or send this file to your device and download it.
Share the file with the API access management app.
After the file is shared, confirm that the values have been read into the configuration screen.

Schema example

You can replace the values with values from STA to create your own schema.

{
   "apiUrl":"https://back.end.api/",
   "publicClientId":"client_credential_id",
   "publicClientSecret":"client_credential_secret",
   "publicClientWellknown":"https://{client-credential-hostname}/.well-known/openid-configuration",
   "retailClientId":"authorization_id",
   "retailClientSecret":"authorization_secret",
   "retailClientWellknown":"https://{authorization-hostname}/.well-known/openid-configuration"
}

Suggest A Change

Mobile app for API access management

Source Code

Android

iOS

Mobile app walkthrough

Install the demo app

Android

iOS

Configure the demo app

Schema example

On this page