SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

MobilePASS target and push OTP settings

Select the targets (operating system and device type combinations) where users can self-enroll MobilePASS+ and MobilePASS8 tokens. Enrolled and active tokens cannot be transferred between the two MobilePASS apps. The settings apply to the current virtual server.

You can also select which type of software token is available on the allowed targets, to ensure consistent behavior across multiple targets.

You can control the availability of push based on the target. For example, you can enable push on mobile devices but not on desktop devices, such as Windows 10, due to the complexity of push in a desktop environment.

Configure targets and push notifications for MobilePASS tokens

On the STA Token Management console, select Policy > Token Policies > Software Token & Push OTP Setting.

Each row represents a target. Configure the settings for each target:

Setting	Description
Allowed	Indicates whether an operating system and device type is available for enrollment. For example, if Android is not allowed, enrollment fails on all mobile devices and tablets running any version of the Android™ platform. If an operating system and device type is not allowed, the row is inactive. When you select Allowed, the default token for that target is enabled.
MobilePASS+ MobilePASS8	You can select only one MobilePASS application per operating system and device type. For Android, iOS, and Windows 10, select either MobilePASS+ or MobilePASS8. For Windows 10 Mobile, only MobilePASS+ is available. For all other systems, MobilePASS 8 is available. If neither the MobilePASS+ nor the MobilePASS8 check box is selected, the corresponding Allowed check box is also not selected, and the row is inactive.
Push Notifications	Determines whether a push message is triggered, based on the operating system and the push capability of the user's enrolled tokens.

Setting

Description

Allowed

Indicates whether an operating system and device type is available for enrollment. For example, if Android is not allowed, enrollment fails on all mobile devices and tablets running any version of the Android™ platform.

If an operating system and device type is not allowed, the row is inactive.

When you select Allowed, the default token for that target is enabled.

MobilePASS+

MobilePASS8

You can select only one MobilePASS application per operating system and device type.

For Android, iOS, and Windows 10, select either MobilePASS+ or MobilePASS8.
For Windows 10 Mobile, only MobilePASS+ is available.
For all other systems, MobilePASS 8 is available.

If neither the MobilePASS+ nor the MobilePASS8 check box is selected, the corresponding Allowed check box is also not selected, and the row is inactive.

Push Notifications

Determines whether a push message is triggered, based on the operating system and the push capability of the user's enrolled tokens.

The following are the default settings for new virtual servers:

Operating System	Device Type	Allowed	Token	Push Notifications
Android	Mobile/Tablet	Enabled	MobilePASS+	Enabled
Chrome OS	Mobile/Tablet	Enabled	MobilePASS+	Enabled
iOS	Mobile/Tablet	Enabled	MobilePASS+	Enabled
macOS	Mobile/Tablet	Enabled	MobilePASS+	Enabled
Windows 10 Mobile	Mobile	Disabled	MobilePASS+	Enabled
Windows 10	Desktop/Tablet	Enabled	MobilePASS8	Disabled
Windows	Desktop	Enabled	MobilePASS8	Unavailable
Mac OS X	Desktop	Enabled	MobilePASS8	Unavailable
BlackBerry 10	Mobile/Tablet	Disabled	MobilePASS8	Unavailable
BlackBerry Java	Mobile/Tablet	Disabled	MobilePASS8	Unavailable
Windows Phone	Mobile/Tablet	Disabled	MobilePASS8	Unavailable
Windows RT	Mobile/Tablet	Disabled	MobilePASS8	Unavailable

Select Apply.

For a list of supported operating systems and devices, see the MobilePASS+ and MobilePASS 8 Release Notes.

Accelerate push OTP approval for MobilePASS+

The enhanced approval workflow significantly accelerates the authentication process for MobilePASS+ tokens, and enables users to manage push login requests without unlocking their mobile device.

It is highly recommended that you either enforce a device PIN or enable a PIN setting in the MobilePASS token template, so that only the device owner or token assignee can approve a push request.

If the enhanced approval workflow is enabled, users with incompatible versions of MobilePASS+ receive an error message when the application opens. The enhanced approval workflow can be disabled at any time, restoring full functionality with earlier MobilePASS+ versions.

On the STA Token Management console, select Policy > Token Policies > Software Token & Push OTP Setting.
Select the Enhanced approval workflow check box.
Select Apply.

Push with number matching

Number matching makes push notifications more secure. Adding number matching to push notifications can protect against push fatigue or push bombing attacks, where the user is spammed with multiple push notifications until they eventually approve a notification just to make them stop. Number matching also prevents users from approving push notifications by mistake.

Number matching forces the user to match the number on the login screen with the number in their SafeNet MobilePASS+ authenticator push notification.

On the STA Token Management console, select Policy > Token Policies > Software Token & Push OTP Settings.
Select the Secure Push authentication with numerical challenge check box.
Select Apply.

Users must match a two-digit number on their push notification with the number that is displayed on the application login screen.

Suggest A Change

MobilePASS target and push OTP settings

Configure targets and push notifications for MobilePASS tokens

Accelerate push OTP approval for MobilePASS+

Push with number matching

On this page