Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

SAS PCE documentation
- Explore Thales Docs

SAS PCE
Agents
MobilePASS+
SafeNet Access Exchange
BSIDCA API
- BSIDCA endpoints
- BSIDCA custom attributes
Integrations
Account management
Release Notes

All

All

FIDO Authentication

Install and Configure FIDO Server

Please Note:

SAS PCE
Get started
- System Requirements
- Installation
  - Install SafeNet Authentication Service
  - Prepare database
  - Configure SafeNet Authentication Service
  - Configure SafeNet Authentication Service for High Availability
  - Configure for MobilePASS and MobilePASS+ Enrollment
  - Onboarding for MobilePASS+ enrollment
  - SAS PCE Windows Services Startup Recommendations
  - Security and Compliance
- Upgrade
  - SafeNet Authentication Service pre-upgrade checklist
  - SafeNet Authentication Service upgrade - primary data center
  - SafeNet Authentication Service upgrade - secondary data center
  - SafeNet Authentication Service post-upgrade checklist
  - Additional Considerations
- System setup
  - Setup
  - Communications
  - Logging
Dashboard
- On-Boarding
- Virtual Servers
- Administration
Users and groups
- Configure individual users
- Manage tokens for a user
- Groups
- Containers
- Restrict access based on the time, day, or date
- User Policies
User synchronization
- LDAP sync server settings
- LDAP integration
- LDAP settings
Operators and roles
- Internal operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token types
  - Hardware tokens
    - OTP hardware token
    - KT-4 tokens
    - RB-1 tokens
  - Software tokens
    - GrIDsure
    - SMS OTP token
  - Third Party tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary Password Policy
- Token Passcode Processing Policy
- Configure server-side PINs
- Token synchronization
- Import SafeNet tokens
- Token inventory
- Deallocate inventory
- MobilePASS target and Push OTP settings
- SMS credits
- SMS/Email/Voice OTP Delivery Methods
- Quicklog authentication
- Initialize hardware tokens
Provisioning tokens to users
- Provision tokens
- Automate token provisioning
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for Push OTP
- Enable Push OTP and MobilePASS+
- Push OTP Rejection Policy
- Customize Push notifications and alerts
- Configure applications for Push OTP
- Token management and enrollment
- Push OTP authentications
FIDO Authentication
- Install and Configure SafeNet Access Exchange
- Install and Configure FIDO Server
- Install and Configure SAS PCE
- End-to-End Flow
RADIUS integration
- RADIUS third-party token support
- RADIUS attributes for users or groups
- Block RADIUS authentication
Server and agent settings
- Authentication Nodes
- Pre-authentication rules
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configure a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
- Display Device Information
- Download an encryption key for remote services
Self-service site
- Site appearance and default language
- Self-Service Modules
- Self-Enrollment pages
- Configure authorities, OOB enrollment, and policies
- Process requests and view reports
Branding the appearance
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Troubleshooting
- Authentication errors
- Error codes

SAS PCE documentation
SAS PCE
FIDO Authentication
Install and Configure FIDO Server

Install and Configure FIDO Server

The FIDO server can be deployed as a Single Node using either of the following:

Podman Deployment
Docker Deployment

Podman

For the FIDO server deployment in the Podman environment, refer the following:

Prerequisites

Ensure that you are using a system with a DNF-based package manager (for example, RHEL) and that you have sudo privileges.

Install Podman.

sudo dnf install -y podman
Install Podman Compose.

sudo dnf install -y python3-pip
pip3 install --user podman-compose
Install OpenSSL.
- For RHEL/CentOS: sudo dnf install -y openssl
- For Ubuntu: sudo apt-get install -y openssl
Verify if the podman installation is successful.

podman --version
Verify if the podman compose installation is successful.

podman-compose --version

Note

If the podman-compose command is not found after installation, you may need to add ~/.local/bin to your PATH environment variable.

Deployment steps

Ensure that the complete package named SafeNet Access Exchange v1.3.0.zip is downloaded/copied on the RHEL machine. This package includes the SAE and FIDO-server folders, which are required for deploying the SafeNet Access Exchange (SAE) and the FIDO server.
Unzip the package.
Create the FIDO network: Create a dedicated network for the FIDO containers to enable communication with each other using the following command:

podman network create fido_network

Verify it using the following command:

podman network ls
Set up Bitnami MariaDB (FIDO server database):
1. Navigate to the fido-mariadb folder under fido2-server-xxxxxx.xxxx.
2. Run the following commands to set up the Bitnami MariaDB for your FIDO server:
  
  podman-compose up -d
Note

Do not change the default database name fido2-server, as it is referenced in multiple places throughout the deployment.

Validate MariaDB container using the following command:

podman ps

To validate the creation of database for fido2-db, use the following command:

podman exec -it <<ContainerID>> mariadb -u root -p
show databases
Load the FIDO-Server image:
1. Navigate to the fido2-server-xxxxxx.xxxx folder.
2. Unzip and load the FIDO-Server container image using the following command:
  
  podman load --input fido2-server-240916.0838.tar
Verify the loaded images using the following command:

podman images

You should see the MariaDB, FIDO server images in the output.
Ensure that you are in the fido2-server-xxxxxx.xxxx directory and navigate to server > secrets. In this folder, open the application-secret.yaml file and update all the configurations marked as <<Update Me>> (as shown in the screenshot below) with the generated seed.

To generate the seed, use the following command:

openssl rand -base64 32

Run the same command four times to generate random secret and copy each unique output to replace the following entries in the file.
Navigate back to the server > tenants folder. Open the tenants-config.yaml file and update the key-ids and key-value marked as <<Update Me>> (as shown in the screenshot below):
- key-ids
  Replace <<Update Me>> with the Key ID obtained in the step Operator Realm setup for FIDO.
- key-value
  Replace <<Update Me>> with the Key Value obtained in the step Operator Realm setup for FIDO.
Start Services: The deployment process is automated using a script that handles all necessary setup and execution steps. Follow the instructions below to start all FIDO server services:
1. Make the script executable:
  
  chmod +x Fido_SingleDeployment/start_deployment.sh
2. Navigate to the fido2-server-xxxxxx.xxxx directory and execute the script to start all services:
  
  cd " fido2-server-xxx… "
  ./start_deployment.sh
Note

User must have all the privileges mentioned under start_deployment.sh or use sudo su to run the FIDO server.

The script will perform the following actions:
- Set the required execute permissions on the janitor's entry point script.
- Ensure the server's temporary directory is writable.
- Start all services in the correct order using podman-compose.
- Display the status of all running containers.
The services will start as follows:
- dbschemamgr: Runs once to prepare the database schema and exits after completion.
- fido2-server: Starts and runs continuously to handle FIDO operations.
- fido2-janitor: Starts and runs continuously in the background, performing an initial cleanup on startup and repeating the task every 24 hours.
After the script runs successfully, the FIDO server will be up and running with http://<<Internal IP Address>>:9080/fido2 if FIDO-server is running on internal IP.

Docker

For the FIDO server deployment in the Docker environment, refer the following:

Prerequisites

Ensure that you are using a system with a DNF-based package manager (for example, RHEL) and that you have sudo privileges.

Install Docker.

sudo dnf install -y docker
Install Docker Compose.

sudo dnf install -y python3-pip
pip3 install --user docker-compose
Install OpenSSL.
- For RHEL/CentOS: sudo dnf install -y openssl
- For Ubuntu: sudo apt-get install -y openssl
Verify if the docker installation is successful.

docker --version
Verify if the docker compose installation is successful.

docker-compose --version

Note

If the docker-compose command is not found after installation, you may need to add ~/.local/bin to your PATH environment variable.

Deployment steps

This section provides the instructions to deploy the FIDO server in the Docker environment:

Ensure that the complete package named SafeNet Access Exchange v1.3.0.zip is downloaded/copied on the RHEL machine. This package includes the SAE and FIDO-server folders, which are required for deploying the SafeNet Access Exchange (SAE) and the FIDO server.
Unzip the package.
Create the FIDO network: Create a dedicated network for the FIDO containers to enable communication with each other using the following command:

docker network create fido_network

Verify it using the following command:

docker network ls
Set up Bitnami MariaDB (FIDO server database):
1. Navigate to the fido-mariadb folder under fido2-server-xxxxxx.xxxx.
2. Run the following commands to set up the Bitnami MariaDB for your FIDO server:
  
  docker-compose up -d
Note

Do not change the default database name fido2-server, as it is referenced in multiple places throughout the deployment.

Validate MariaDB container using the following command:

docker ps

To validate the creation of database for fido2-db, use the following command:

docker exec -it <<ContainerID>> mariadb -u root -p
show databases
Load the FIDO-Server image:
1. Navigate to the fido2-server-xxxxxx.xxxx folder.
2. Unzip and load the FIDO-Server container image using the following command:
  
  docker load --input fido2-server-240916.0838.tar
Verify the loaded images using the following command:

docker images

You should see the MariaDB, FIDO server images in the output.
Ensure that you are in the fido2-server-xxxxxx.xxxx directory and navigate to server > secrets. In this folder, open the application-secret.yaml file and update all the configurations marked as <<Update Me>> (as shown in the screenshot below) with the generated seed.

To generate the seed, use the following command:

openssl rand -base64 32

Run the same command four times to generate random secret and copy each unique output to replace the following entries in the file.
Navigate back to the server > tenants folder. Open the tenants-config.yaml file and update the key-ids and key-value marked as <<Update Me>> (as shown in the screenshot below):
- key-ids
  Replace <<Update Me>> with the Key ID obtained in the step Operator Realm setup for FIDO.
- key-value
  Replace <<Update Me>> with the Key Value obtained in the step Operator Realm setup for FIDO.
Start Services: The deployment process is automated using a script that handles all necessary setup and execution steps. Follow the instructions below to start all FIDO server services:
1. Make the script executable:
  
  chmod +x Fido_SingleDeployment/start_deployment.sh
2. Navigate to the fido2-server-xxxxxx.xxxx directory and execute the script to start all services:
  
  cd " fido2-server-xxx… "
  ./start_deployment.sh
Note

User must have all the privileges mentioned under start_deployment.sh or use sudo su to run the FIDO server.

The script will perform the following actions:
- Set the required execute permissions on the janitor's entry point script.
- Ensure the server's temporary directory is writable.
- Start all services in the correct order using docker-compose.
- Display the status of all running containers.
The services will start as follows:
- dbschemamgr: Runs once to prepare the database schema and exits after completion.
- fido2-server: Starts and runs continuously to handle FIDO operations.
- fido2-janitor: Starts and runs continuously in the background, performing an initial cleanup on startup and repeating the task every 24 hours.
After the script runs successfully, the FIDO server will be up and running with http://<<Internal IP Address>>:9080/fido2 if FIDO-server is running on internal IP.

On this page

SafeNet Authentication Service Private Cloud Edition

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Customer Release Notes
- Customer Support Portal
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com