Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

STA documentation
- Explore Thales Docs

SafeNet Trusted Access
SafeNet Agents
SafeNet MobilePASS+
API references
Account management
Release notes

All

All

Previews

Configure STA for API access management

SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

STA documentation
SafeNet Trusted Access
Previews
Configure STA for API access management

Configure STA for API access management

This scenario includes application templates that are preview features. Contact Thales Customer Support to request access to preview features.

In the API access management demo, SafeNet Trusted Access (STA) is responsible for the actual authentication of the mobile application and users. Roles are mapped to the access tokens using the user's group membership. This separates the management of the authentication and authorization decision from the actual application or business logic.

User and group setup

The policy enforcement point enforces a role-based access model that depends on a user's group membership. To support the API access management use case, create the following two groups in STA, which represent application roles:

employee
manager

Map some example users to these groups:

employee
manager

Application authentication using the client credential flow

The Generic Template - OIDC Client Credentials, Apigee - API Access Management, and Amazon API Gateway - API Access Management application templates are preview features. Contact Thales Customer Support to request access to preview features.

Only authorized applications are proposed to have access to the API functions. The policy enforcement point validates whether an access token that is transmitted as a bearer token in the API request's authorization header was issued from the trusted IDP.

Using the client credential flow, the demo application can request an access token from the IDP, which ensures that only applications with the correct credentials can access the back-end API.

To create a new client credential flow application in STA, use one of the following application templates:

Generic Template - OIDC Client Credentials
Apigee - API Access Management third-party API gateway template
Amazon API Gateway - API Access Management third-party API gateway template

For the application configuration you need to copy the following information into the configuration file:

Client ID
Client Secret
Well Known Configuration URL

alt_text

No additional claim is required.You cannot assign users or groups for client credential applications.

alt_text

User authentication using the authorization code flow with PKCE

The Generic Template - OIDC Client Credentials, Apigee - API Access Management, and Amazon API Gateway - API Access Management application templates are preview features. Contact Thales Customer Support to request access to preview features.

Users can authenticate using the interactive IDP flow with the authorization code flow with PKCE. A short-lived access token and longer-lived refresh token are generated. To access the back-end API, the application uses the refresh token to acquire access tokens on demand.

Similar to application authentication, the access token is transmitted as a bearer token in the API request's authorization header.

To create a new confidential OIDC application in STA, use one of the following application templates:

Generic Template
Apigee - API Access Management third-party API gateway template
Amazon API Gateway - API Access Management third-party API gateway template

Configure the authorization code flow with S256 PKCE enforced.

For the application configuration you need to copy the following information into the configuration file:

Client ID
Client Secret
Well Known Configuration URL

alt_text

For simplification, the application is assigned to all users.

alt_text

The valid redirect URL is set to the wildcard "*". A group claim is also required, and must be mapped to the groups value. This ensures that the user's groups are included in the access token, which ultimately determines the user's access rights during policy enforcement.

alt_text

Use the Apigee or Amazon API gateway application template

When you use the Apigee or Amazon API Gateway template, you can combine both flows (client credential flow and the authorization code flow with PKCE) into a single application.

alt_text

alt_text

On this page

SafeNet Trusted Access

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com