SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

Quicklog authentication

Quicklog authentication ensures that the OTP of one of the tokens assigned to a user is accepted by STA even if a challenge is triggered. When Quicklog is not enabled, STA accepts only the OTP of the challenge-triggered token. This feature works only when pre-authentication rules are configured with [LDAP/AD password validation].

To enable Quicklog authentication:

On the STA Token Management console, select the Comms tab, expand the Authentication Processing module, and then select Multi-Mode Authentication Settings.
Select the Allow Quicklog authentication when Challenge-Response or Push OTP is triggered checkbox.
Click Apply.

alt_text

Example: Quicklog and pre-authentication rules

The following sample shows the effect of Quicklog mode when pre-authentication rules are applied, including challenge-response (CR) mode and Quicklog (QL) mode.

Always validate the LDAP/AD password. If LDAP/AD authentication fails, reject the authentication. If LDAP/AD authentication succeeds, enforce a challenge prompt for a manual trigger.

Authentication Case	Quicklog disabled	Quicklog enabled
With Pre-Auth Rule
User has AD pwd and SMS (CR) token	Challenge after AD validation	Challenge after AD validation
User has AD pwd and MPP (QL)	Error after AD validation	Challenge after AD validation
User has AD pwd and Push MPP (QL) *1 (Automatic trigger)	Push received after AD validation	Push received after AD validation
User has AD pwd and SMS (CR) and Push MPP (QL) (Automatic trigger)	Push received after AD validation	Push received after AD validation
User has AD pwd and Push MPP (QL) *1 (Manual trigger)	Empty challenge received, enter OTP from MPP or trigger PUSH	Empty challenge received, enter OTP from MobilePASS+ or trigger Push. The challenge can be processed through existing valid SMS token.
User has AD pwd and SMS (CR) and Push MPP (QL) (Manual trigger)	Empty challenge received, enter OTP from MPP or trigger PUSH. The SMS feature doesn't work.	Empty challenge received, enter OTP from MPP or trigger PUSH. The challenge can be processed through new or existing valid SMS token.
User has AD pwd and SMS (CR) and non-Push MPP (QL)	Challenge after AD validation but AUTH fails with MPP passcode	Challenge after AD validation and AUTH succeeds with MPP passcode
Without Pre-Auth Rule (Authentication triggers on blank passcode field)
SMS (CR) token	Challenge	Challenge
MPP (QL)	Error	Error
Push MPP (QL)	Push received	Push received
SMS (CR) and Push MPP (QL)	Push received	Push received
SMS (CR) and non-Push MPP (QL)	Challenge but AUTH fails with MPP passcode	Challenge and AUTH succeeds with MPP passcode

*1: Push is sent on providing AD password, on approving the request authentication is successful. The NtRadping tool, in this case, does not show a challenge, but waits for authentication to complete.

Suggest A Change

Quicklog authentication

Example: Quicklog and pre-authentication rules

On this page