SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- Access risk score
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM

Users on the STA Access Management console

On the STA Access Management console, the Users tab allows you to view information about the users that are configured on the STA Token Management console. On the Users tab, you can search for users and view user details, statistics, and recent access activity.

On the STA Access Management console, select the Users tab.
To filter the list of users, enter a first or last name, user ID, alias, or email address in the search box.

STA filters the list of users as you type.

A match occurs when the characters that you enter match the first characters in the list of users. For example, if Ashton is in the list of users and you type ash, then Ashton is included in the results. However, if you type sh, then Ashton is not included in the results, unless that user has a name, user ID, alias, or email address that begins with sh.

To view a user's details, groups, and applications, select the user and then select the Overview tab.

alt_text

User details:

The Name, User ID, Aliases, and Email are defined in the user details on the STA Token Management console, in the Assignment tab.
The Source is one of the following:
- Synchronized when obtained by a SafeNet Synchronization Agent.
- Internal when provisioned in STA.
Account state is either Locked or Unlocked.
Authentication State is listed in the following order:
- Locked: Authentication failures exceed the account lockout or unlock policy.
- Active: The user can authenticate against the service.
- Assigned: The user has not yet authenticated with the assigned token.

Group Membership shows the total number and names of the groups to which the user is assigned.

Assigned Applications shows the total number and names of the applications to which the user is assigned.

To view a user's access details, select the user and then select the Access Attempts tab.

alt_text

Access Attempts Summary (last 30 days):

Total Access Attempts
Failed Access Attempts
Percent Success or Failed

Access Attempts Recent Activity displays the access activity for web applications that are configured on the Applications tab. Expand a row to display the associated authentication activity.

The Access Attempts Recent Activity displays the same information as the access logs:

Column	Description
Timestamp	The time of the request is based on the time zone that is configured on the web server that hosts the STA Access Management console.
User ID	The identity of the user making the request is defined on the STA Token Management console, on the Users tab.
Result / Reason	The result can be Success, Failure, or Denied. For failed or denied requests, the reason is indicated.
Application	The application can be either an application name that is specified on the Applications tab, or the resource name that is configured for an auth node. The access type is also identified. The type can be SAML, OIDC, Agent, or a string that is mapped to an agent ID for auth nodes. The application icon is displayed for SAML, OIDC, and agents that are configured on the Applications tab. A generic icon is used for RADIUS and auth nodes.
Policy / Scenario	The access policy and scenario, which determined the access requirements based on scope and policy matching, and rank, are identified.
Credentials	The credentials that were required or used can include OTP, Password, Kerberos, Certificate, and so on. If the credential requirements are met by an existing SSO session, rather than by the user entering their credentials, this is denoted by (Session). For example, OTP (Session) or Password (Session).
IP Address	The public IP address from which the user initiated the access attempt is identified.

If an access attempt was followed by authentication events, then the logs also include each associated authentication event as a child of the access attempt.

To view an associated authentication event, expand the access attempt entry. You can expand multiple access event entries at the same time.

You can also view the authentication events in the Authentication Activity module in the STA Token Management console.
To view all the authentication events for the user, in the Extended Features menu, select Snapshot > Authentication Activity.

To view a user's authenticator details, select the user and then select the Authenticators tab.

Authenticators include eToken, FIDO, GrIDSure, MobilePASS+, Password, and more.

If you use a global catalog, you must copy the AD maxPwdAge and pwdLastSet attributes to the global catalog. For more information, see https://www.ntweekly.com/2017/10/12/add-attributes-global-catalog-server-windows-server-2016/.

The authenticator states are:
- Assigned: The token is no longer in inventory. It has either been manually assigned to a user but not activated, or is part of a bulk provisioning operation and has not yet been enrolled by a user.
- Active: The account is in service.
- Suspended: The token can be used to authenticate. It is assigned to a user and has been enrolled or used to authenticate.
- Locked: The token cannot be used to authenticate until the unlock policy is triggered or until the token is reactivated by an operator. This state occurs when a user exceeds the maximum consecutive failed logon attempts threshold. The automatic locking and unlocking of tokens is controlled by the Account Lockout/Unlock Policy.
- Unavailable: May be used for the expiry date of synchronized passwords.
STA allows users to authenticate using their AD domain password, if configured in the applicable policy, to access cloud applications unless their password is locked, expired, or not synchronized with the AD. When the STA policy requires an AD domain password and the password has expired, STA prompts for the password but denies the access request. The access logs display the outcome as:
- Result=Failed
- Reason=Expired password
- Credentials=Password
To delete a FIDO authenticator, select the icon for the FIDO authenticator and then select Delete.
To manage non-FIDO authenticators, select the icon for the authenticator and then select Manage.

The Authentication Methods module for the user displays.

See Manage tokens for a user for details about managing authenticators.

Suggest A Change

Users on the STA Access Management console

On this page