Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

SAS PCE documentation
- Explore Thales Docs

SAS PCE
Agents
MobilePASS+
SafeNet Access Exchange
BSIDCA API
- BSIDCA endpoints
- BSIDCA custom attributes
Integrations
Account management
Release Notes

All

All

FIDO Authentication

End-to-End Flow

Please Note:

SAS PCE
Get started
- System Requirements
- Installation
  - Install SafeNet Authentication Service
  - Prepare database
  - Configure SafeNet Authentication Service
  - Configure SafeNet Authentication Service for High Availability
  - Configure for MobilePASS and MobilePASS+ Enrollment
  - Onboarding for MobilePASS+ enrollment
  - SAS PCE Windows Services Startup Recommendations
  - Security and Compliance
- Upgrade
  - SafeNet Authentication Service pre-upgrade checklist
  - SafeNet Authentication Service upgrade - primary data center
  - SafeNet Authentication Service upgrade - secondary data center
  - SafeNet Authentication Service post-upgrade checklist
  - Additional Considerations
- System setup
  - Setup
  - Communications
  - Logging
Dashboard
- On-Boarding
- Virtual Servers
- Administration
Users and groups
- Configure individual users
- Manage tokens for a user
- Groups
- Containers
- Restrict access based on the time, day, or date
- User Policies
User synchronization
- LDAP sync server settings
- LDAP integration
- LDAP settings
Operators and roles
- Internal operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token types
  - Hardware tokens
    - OTP hardware token
    - KT-4 tokens
    - RB-1 tokens
  - Software tokens
    - GrIDsure
    - SMS OTP token
  - Third Party tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary Password Policy
- Token Passcode Processing Policy
- Configure server-side PINs
- Token synchronization
- Import SafeNet tokens
- Token inventory
- Deallocate inventory
- MobilePASS target and Push OTP settings
- SMS credits
- SMS/Email/Voice OTP Delivery Methods
- Quicklog authentication
- Initialize hardware tokens
Provisioning tokens to users
- Provision tokens
- Automate token provisioning
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for Push OTP
- Enable Push OTP and MobilePASS+
- Push OTP Rejection Policy
- Customize Push notifications and alerts
- Configure applications for Push OTP
- Token management and enrollment
- Push OTP authentications
FIDO Authentication
- Install and Configure SafeNet Access Exchange
- Install and Configure SAS PCE
- End-to-End Flow
RADIUS integration
- RADIUS third-party token support
- RADIUS attributes for users or groups
- Block RADIUS authentication
Server and agent settings
- Authentication Nodes
- Pre-authentication rules
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configure a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
- Display Device Information
- Download an encryption key for remote services
Self-service site
- Site appearance and default language
- Self-Service Modules
- Self-Enrollment pages
- Configure authorities, OOB enrollment, and policies
- Process requests and view reports
Branding the appearance
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Troubleshooting
- Authentication errors
- Error codes

SAS PCE documentation
SAS PCE
FIDO Authentication
End-to-End Flow

End-to-End Flow

The following section describes the complete process of authentication using FIDO2.

Admin Flow
End user Flow

Admin Flow

Token Management

Navigate to the Assignment tab and select the desired user to view their enrolled FIDO token. The tenant can manage the FIDO token using two available actions: View and Delete.

alt_text

Monitor Authentication Activity

For FIDO authentication, all authentication logs are stored and displayed under the Snapshot tab in the SAS Admin Console.

Log in as an operator and select the appropriate tenant to view user authentication logs.
Navigate to the Snapshot tab, where authentication logs for FIDO—similar to other token types—will be visible, as illustrated below for the user demouser.

Troubleshooting

For correct authentication activity logs on the SAS console, SafeNet Access Exchange (SAE) and FIDO Server must be deployed on servers in the same time zone.
If you are installing SafeNet Access Exchange for the first time, you can use the compose.yml file and update the IP Address for FIDO2_API_URL environment variable for SAE. If you are using existing SafeNet Access Exchange, then add a configuration FIDO2_API_URL under the environment variables.

FIDO2_API_URL=http://<<IP-Address>>:8080/fido2
If you encounter any issues related to FIDO enrollment, ensure that all the required prerequisites are complete as outlined in the documentation. Additionally, verify that SafeNet Access Exchange, FIDO server, and SAS PCE are up and running with correct configurations.
Since multiple FIDO token support is not available, users may experience issues if they use an incorrect FIDO token or PIN during authentication. In such cases, ensure to use the correct FIDO token and PIN to log in.
For existing SafeNet Access Exchange users utilizing existing realms, the FIDO Authentication Form must be manually added to their authentication flow.

On this page

SafeNet Authentication Service Private Cloud Edition

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com