Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Push OTP

Configure applications for push OTP

search
printsuggest an editpdf paneldownload

Configure applications for push OTP

Any application that is integrated through SafeNet RADIUS Service (FreeRADIUS), SafeNet SAML Service, SafeNet Agent for AD FS, or SafeNet Agent for NPS 2.0 can support push OTP. The agents provide two user interaction models:

  • Rich user experience, which is provided by the SafeNet SAML Service and SafeNet Agent for AD FS

  • Simple mode, which is provided by the SafeNet RADIUS Service

    note

    Note

    Some of the web-based RADIUS clients (for example, F5, NetScaler, Citrix, etc.) require application integration. Refer to the appropriate integration guide for details (see the list in Application integration).

copy link to clipboardAgents with rich user experience

SafeNet SAML Service and agents such as AD FS provide a rich user experience, compared to the simple mode in the RADIUS integration.

With the rich user experience, logging into a protected application redirects the user to a modified login screen, which presents options to choose between push or manual passcode entry. In addition, users have the ability to cancel a push notification.

note

Note

The passcode triggers to override push OTP apply to the push behavior for AD FS Agent and SAML login. The passcode triggers are described in Triggering push notifications in the agent.

copy link to clipboardSafeNet SAML Service configuration

A SAML service can be customized to change how push OTP is displayed on the SAML login page.

In the STA Token Management console, enable and customize push OTP text for the SAML login page.

  1. On the STA Token Management console, select Comms > SAML Service Providers.

  2. Select SAML 2.0 Settings.

  3. To display controls on the SAML login page for selecting between push OTP and manually entering the OTP, under User Login Settings, select the Enable Push/Manual OTP Selector check box.

  4. To customize the SAML login page, modify the following descriptors under Login UI Customizations:

    • Push/Manual OTP Selector Text: Enter the text to replace “I want to:.”

    • Push OTP Button Text: Enter the text to display for the option to use push OTP.

    • Manual OTP Button Text: Enter the text to display for the option to use a manual OTP.

  5. Customize the remaining push OTP processing, cancellation, and authentication descriptors, as needed.

    note

    Note

    If the Enable Push/Manual OTP Selector option is disabled, the user can still trigger push or another challenge and response method with an empty passcode. Refer to Triggering push notifications in the agent for details.

copy link to clipboardSafeNet Agent for AD FS configuration

  1. Install the new SafeNet Agent for AD FS v2.0 with push OTP support.

  2. Configure the SafeNet Agent for AD FS to use push OTP.

    1. Select Start > All Programs > SafeNet > Agents > ADFS Agent (run as administrator).

    2. On the MFA Plug-In Manager window, click the Policy tab.

    3. Under Default OTP Policy, click Push Challenge, and then click Apply.

    note

    Note

    By choosing the Push Challenge option, the AD FS integration automatically promotes push. The user is presented with the option to use either push or manual passcode entry.

    alt_text

copy link to clipboardSafeNet RADIUS Service

This type of application integration presents a simple user experience, which cannot be modified. Note the following behavioral changes:

  • Unlike the AD FS Agent, the login screen cannot be modified. Therefore, users are not presented with options to either select push or use manual passcode entry. To trigger push OTP, users need to be instructed to leave the password field empty, or type any 1-character passcode on the login screen.

  • When deploying push OTP (and it is enabled for the virtual server), if your users previously used GrIDsure or SMS, after they enroll a token on MobilePASS+, they have the option to authenticate either with push OTP or with another authentication method by using a passcode trigger. Refer to Triggering push notifications in the agent for details.

note

Note

Passcode triggers are not case-sensitive.

copy link to clipboardRADIUS configuration

The only configuration requirement to support the SafeNet RADIUS Service is to set the RADIUS timeout value to at least 60 seconds on the client machine.

copy link to clipboardAgents with simple mode user experience

This type of application integration presents a simple user experience, which cannot be modified. Note the following behavioral changes:

  • Unlike the AD FS Agent, the login screen cannot be modified. Therefore, users are not presented with options to either select push or use manual passcode entry. To trigger push OTP, users need to be instructed to leave the password field empty or to type any 1-character passcode on the login screen.

  • When deploying push OTP (and it is enabled for the virtual server), if your users previously used GrIDsure or SMS, after they enroll a token on MobilePASS+, they have the option to authenticate either with push OTP or with another authentication method by using a passcode trigger. Refer to Triggering push notifications in the agent for details.

note

Note

Passcode triggers are not case-sensitive.

copy link to clipboardSafeNet Agent for NPS 2.0 configuration

  1. Install SafeNet Agent for NPS 2.0 with push OTP support.

  2. Configure the SafeNet Agent for NPS 2.0 to use push OTP.

    1. In the STA Token Management console, in Policy > Token Policies, enable push notifications.

    2. In Policy > Token Policies, set MobilePASS+ as an allowed target.

  3. Set the NPS 2.0 timeout value on the client machine such that the product of ((time-out) x (number of retransmissions)) is at least 60 seconds.

    For example, if retransmissions is set to 6, then set time-out to 10 seconds or greater.

On this page