Your suggested change has been received. Thank you.

STA documentation
- Explore Thales Docs

SafeNet Trusted Access
SafeNet Agents
SafeNet MobilePASS+
API references
Account management
Release notes

All

All
CipherTrust Manager
CipherTrust Application Data Protection (CADP)
CipherTrust Application Key Management (CAKM)
CipherTrust Batch Data Transformation (BDT)
CipherTrust Cloud Key Management (CCKM)
CipherTrust Data Discovery and Classification (DDC)
CipherTrust Data Protection Gateway (DPG)
CipherTrust Database Protection (CDP)
CipherTrust Intelligent Protection (CIP)
CipherTrust Integrations
CipherTrust Migrations
CipherTrust RESTful Data Protection (CRDP)
CipherTrust Transparent Encryption (CTE)
CipherTrust Transparent Encryption Userspace (CTE-U)
CipherTrust Secrets Management (CSM)
CipherTrust Vaulted Tokenization (CT-V)
CipherTrust Vaultless Tokenization (CT-VL)
CTE-Linux
CTE-Windows
CTE-AIX
CTE-K8s
CTE-U
Crypto Command Center
Data Protection on Demand
Luna Cloud HSM
Luna Network HSM
Luna PCIe HSM
Luna USB HSM
OneWelcome Identity Platform
ProtectApp LUKS
ProtectServer 2 HSM
ProtectServer 3 HSM
SafeNet Trusted Access (STA)
SafeNet MobilePASS+
SafeNet MobilePASS+ for Android
SafeNet MobilePASS+ for Chrome
SafeNet MobilePASS+ for macOS
SafeNet MobilePASS+ for iOS
SafeNet MobilePASS+ for WatchOS
SafeNet MobilePASS+ for Windows
SafeNet Synchronization Agent
SafeNet Logging Agent
SafeNet Agent for FreeRADIUS
SafeNet Agent for NPS
SafeNet Agent for Windows Logon
SafeNet Authentication Service Private Cloud Edition (SAS PCE)
SafeNet Remote Logging Agent
SafeNet Keycloak Agent
SafeNet IDPrime Virtual (IDPV)
SafeNet FIDO Key Manager
SafeNet FIDO Key Manager for Android
SafeNet FIDO Key Manager for iOS
SafeNet FIDO Key Manager for Windows

Push OTP

Enable push OTP and MobilePASS+

SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

STA documentation
SafeNet Trusted Access
Push OTP
Enable push OTP and MobilePASS+

Enable push OTP and MobilePASS+

For push OTP to be permitted during authentication, the push OTP feature must be enabled, and the user must have a token on the MobilePASS+ application. To receive push notifications on their mobile devices, the user must have permitted MobilePASS+ push notifications.

Enable the allowed targets and push notifications

Push OTP functionality is enabled by default for newly created accounts, and disabled by default for upgraded accounts. Push OTP is independent per virtual server and can be enabled (or disabled) at any time. When push OTP is disabled on the virtual server side, the MobilePASS+ application does not ask the user to grant push permissions.

For push OTP to be permitted during authentication, the user must have a token enrolled in the MobilePASS+ application. The settings that you enable in this policy determine which targets are presented to users during the self-enrollment of MobilePASS tokens. You can restrict the OS types on which MobilePASS tokens are allowed to be activated or enrolled.

The enhanced approval workflow significantly accelerates the authentication process for MobilePASS+ (version 1.4 or higher) tokens. It enables users to manage push login requests without unlocking their mobile device.

alt_text

Complete these steps on any virtual server that should support push OTP:

On the STA Token Management console, select Policy > Token Policies.
Select Software Token & Push OTP Settings.
Select Enhanced approval workflow.

If Enhanced approval workflow is enabled, users with incompatible versions of MobilePASS+ receive an error message when the application opens. You can disable the enhanced approval workflow at any time, to restore full functionality with earlier MobilePASS+ versions.
For each Operating System and Device Type platform, select a MobilePASS application.

For iOS, Android, and Windows 10 Desktop/Tablet, you can choose between MobilePASS 8 and MobilePASS+. You can select one MobilePASS application per OS type. For example, you can enable either MobilePASS+ or MobilePASS 8 for iOS, but not both.
For each platform that uses MobilePASS+, in the Push Notifications column, select either Enabled or Disabled.

Note
It is highly recommended that you either enforce a device PIN or enable a PIN setting in the MobilePASS token template, so that only the device owner or token assignee can approve a push request.
Click Apply.

Note
You can enroll a new MobilePASS+ token in parallel to an existing MobilePASS 8 token.

Set the push OTP rejection policy (optional)

Push notifications are sent to only registered devices with currently active, push-enabled tokens. You can set this user policy so that, if a user receives a push notification that they did not initiate and rejects the notification, they are sent a push notification rejection alert (see the example below). If the user’s account gets locked due to this push OTP rejection, the body of the push notification rejection alert is appended to the user lockout alert that is sent to the user.

Note

You can customize the contents of the alert email in Comms > Communications > Email Messages. See Customize the rejection alert for the user.

On the STA Token Management console, select Policy > User Policies.
Select Push OTP Rejection Policy.
Select Alert user on OTP push notification rejected, and then click Apply.

The following is an example of a push notification rejection alert that is sent to a user:

Set the operator policy

You can optionally send a push notification rejection alert to the operator if a user rejects a push notification that they did not initiate. The operator can then investigate the log files if necessary.

Note

You can customize the contents of the alert email in Comms > Communications > Email Messages. See Customize the rejection alert for the internal operator.

On the STA Token Management console, select Policy > Role Management > Alert Management.
Click the corresponding Edit hyperlink for a role.
Select Push Notification Rejection Operator Alert for the desired delivery methods, and then click Apply.

The following is an example of a push notification rejection alert that is sent to an operator:

On this page

Enable the allowed targets and push notifications
Set the push OTP rejection policy (optional)
Set the operator policy

SafeNet Trusted Access

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Print

Suggest An Edit

Download this Page

Download Project

Copy Link

Copy Link

Copy Link