External FIDO management

If you manage FIDO authenticators in an external Credential Management System (CMS), you can use the REST API for STA to export those authenticators into SafeNet Trusted Access (STA).

Using STA with an external CMS, such as vSEC:CMS from Versasec, enables you to manage the lifecycle of your FIDO authenticators in the CMS, and to provide strong user authentication with STA. You retain control over the enrollment process and can follow your approved security procedures to ensure secure access to protected resources.

After you export the authenticators into STA, the authenticators are in the pending state. When the user confirms their identity and activates their assigned authenticator, the state changes to active.

Authentication flow with an external CMS

When you use STA with an external CMS to manage your FIDO authenticators, authentication flows as follows:

  1. In STA, allow FIDO authenticators to be imported.

  2. In the external CMS, enroll the FIDO authenticators.

  3. The external CMS uses the authenticator management API POST method to export the FIDO authenticators to STA.

  4. In STA and on the user portal, the imported FIDO authenticators appear in the pending state.

  5. The user tries to authenticate to a resource that is protected with a FIDO policy.

  6. The user proceeds through activation for their pending FIDO authenticator.

  7. The FIDO authenticator is activated in STA and the state changes to active.

  8. You manage the FIDO authenticator lifecycle in the external CMS. Any updates to the FIDO authenticator are synchronized to STA.

Allow authenticator import

On the STA Access Management console, specify whether FIDO authenticators are allowed to be imported.

  1. Select Settings > FIDO-Based Authentication.

    Fido-Based Authentication

  2. Select Edit.

    Authenticator import via API is enabled

  3. Turn on the toggle so that Authenticator import via API is enabled.

  4. Select Save.

FIDO activation for users

The activation flow for imported FIDO authenticators is triggered only if the user has a pending FIDO authenticator.

In the activation flow, a separate, additional identification factor is validated to ensure that the user is in possession of the authenticator.

Pending authenticators

When the authenticator was imported via the API, but the user has not yet confirmed their identity, they must activate their authenticator before they can log in:

  1. The user tries to access a resource that is protected with a FIDO policy.

  2. STA detects that there is at least one pending FIDO authenticator that is associated with this user.

  3. The login page asks the user to activate a pending authenticator.

    Activate FIDO token

  4. After the user clicks Activate Authenticator, they confirm their identity by entering their password or the verification code that was emailed to them.

  5. Finally, the user logs in with their activated FIDO authenticator.

Imported FIDO authenticators on the STA console

On the STA Access Management console, on the Users tab, the Authenticators list shows the status (Pending or Active) of FIDO tokens.

Authenticator states

The pending state identifies FIDO authenticators that were imported into STA using the API, but that the user has not yet activated. Active FIDO authenticators were either imported authenticators that users activated, or authenticators that were created in STA.

Each user in STA can have multiple FIDO authenticators that are managed externally and imported using the API.

The option to delete authenticators is not available for imported FIDO tokens, because they are managed externally in vSEC:CMS.

Imported FIDO authenticators on the user portal

Users can see the status of their FIDO authenticators on the user portal. Pending authenticators include a tip that informs the user to activate the authenticator the next time that they log in to a resource that is protected with a FIDO policy.

Imported FIDO tokens on the user portal

Active and pending FIDO authenticators

If the user has both an active and a pending FIDO authenticator, the login screen includes an option to skip the activation flow:

Skip FIDO activation

When the user clicks Not now, they proceed to log in with their existing, active FIDO authenticator.

Authenticator activation flow

Users activate their externally managed FIDO authenticators, and then use them to log in.

After a user activates their FIDO authenticator, the authenticator's status changes from pending to active.

  1. The user accesses a login page, such as the user portal login page, and enters their Username.

    Username on login page

  2. The user selects Activate Authenticator.

    Activate authenticator

  3. The user enters the Verification code that the system sent to their email.

    Verification code

  4. The user follows the browser instructions for their FIDO authenticator. For example, they enter the security key PIN and then touch the authenticator.

    Security key pin

  5. The user enters or verifies the Authenticator Nickname.

    Authenticator nickname

  6. The user follows the browser instructions to log in with their activated FIDO authenticator.
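The following is an added, runnable model of the lifecycle described in the sections above (the authentication flow with an external CMS, the pending and active states, the "Not now" option when an active authenticator also exists, and the activation flow). It is not Thales STA or Versasec vSEC:CMS code; names such as StaModel, import_authenticator and begin_login are assumptions chosen for the model, and the real REST endpoint and payload of the authenticator management API are not shown on this page, so the model only reproduces the effects the page states.

```python
"""Model of the imported-FIDO-authenticator lifecycle (added example, not STA code).

Rules encoded, as the page states them: import works only while the console toggle
is on; an authenticator exported by the external CMS starts pending; it becomes
active only after the user confirms identity with a separate factor (password or
emailed verification code); a user who also holds an active authenticator may choose
"Not now"; imported authenticators cannot be deleted in STA; import and activate
actions are recorded in the audit trail.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple
import hashlib
import hmac
import secrets


class State(Enum):
    PENDING = "pending"
    ACTIVE = "active"


@dataclass
class FidoAuthenticator:
    credential_id: str
    nickname: str
    state: State
    imported: bool  # True when it arrived through the authenticator management API


@dataclass
class StaUser:
    username: str
    password_hash: bytes
    authenticators: List[FidoAuthenticator] = field(default_factory=list)
    verification_code: Optional[str] = None  # one-time code "emailed" for activation


def _hash(secret: str) -> bytes:
    # Stand-in for STA's real password verification; plain SHA-256 is only for the model.
    return hashlib.sha256(secret.encode()).digest()


class StaModel:
    def __init__(self, import_enabled: bool) -> None:
        self.import_enabled = import_enabled  # the "Authenticator import via API is enabled" toggle
        self.users: Dict[str, StaUser] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (action, username, credential_id)

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = StaUser(username, _hash(password))

    def _find(self, username: str, credential_id: str) -> FidoAuthenticator:
        for auth in self.users[username].authenticators:
            if auth.credential_id == credential_id:
                return auth
        raise KeyError(credential_id)

    def import_authenticator(self, username: str, credential_id: str, nickname: str) -> State:
        """Effect of the external CMS's POST to the authenticator management API."""
        if not self.import_enabled:
            raise PermissionError("authenticator import via API is disabled in STA")
        auth = FidoAuthenticator(credential_id, nickname, State.PENDING, imported=True)
        self.users[username].authenticators.append(auth)
        self.audit.append(("import", username, credential_id))
        return auth.state

    def begin_login(self, username: str) -> str:
        """Which screen the login page shows when a FIDO policy protects the resource."""
        auths = self.users[username].authenticators
        pending = any(a.state is State.PENDING for a in auths)
        active = any(a.state is State.ACTIVE for a in auths)
        if not pending:
            return "fido_login"           # ordinary WebAuthn login
        return "activate_or_not_now" if active else "activate"

    def send_verification_code(self, username: str) -> str:
        """Generate the one-time code; returned here instead of being emailed."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.users[username].verification_code = code
        return code

    def activate(self, username: str, credential_id: str, *,
                 password: Optional[str] = None, code: Optional[str] = None) -> State:
        """Confirm identity with a separate factor, then move pending -> active.
        The browser WebAuthn ceremony (PIN and touch) that follows is outside this model."""
        user = self.users[username]
        auth = self._find(username, credential_id)
        if auth.state is not State.PENDING:
            raise ValueError("only pending authenticators can be activated")
        confirmed = False
        if password is not None:
            confirmed = hmac.compare_digest(_hash(password), user.password_hash)
        elif code is not None and user.verification_code is not None:
            confirmed = hmac.compare_digest(code, user.verification_code)
        if not confirmed:
            raise PermissionError("identity not confirmed")
        user.verification_code = None  # the emailed code is single-use
        auth.state = State.ACTIVE
        self.audit.append(("activate", username, credential_id))
        return auth.state

    def delete_authenticator(self, username: str, credential_id: str) -> None:
        """Deletion is refused for imported tokens; their lifecycle lives in the CMS."""
        auth = self._find(username, credential_id)
        if auth.imported:
            raise PermissionError("managed externally in the CMS; delete it there")
        self.users[username].authenticators.remove(auth)


def refused(action: Callable[[], object]) -> bool:
    """True when STA refuses the action with PermissionError (used to check the rules)."""
    try:
        action()
    except PermissionError:
        return True
    return False


def demo() -> List[Tuple[str, str, str]]:
    """Walk the page's flow for a constructed user and return the audit trail."""
    sta = StaModel(import_enabled=True)
    sta.add_user("alice", "correct horse")                 # constructed user
    sta.import_authenticator("alice", "cred-1", "Desk key")   # constructed credential IDs
    assert sta.begin_login("alice") == "activate"          # only a pending key: must activate
    code = sta.send_verification_code("alice")
    sta.activate("alice", "cred-1", code=code)
    assert sta.begin_login("alice") == "fido_login"
    sta.import_authenticator("alice", "cred-2", "Backup key")
    assert sta.begin_login("alice") == "activate_or_not_now"  # active key exists: "Not now" offered
    return sta.audit
```

Running `demo()` returns the audit entries in the order the page describes (import, activate, import); the `refused` helper exists so that the "import disabled", "wrong factor" and "delete imported token" refusals can be checked as plain boolean results.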

Imported FIDO authenticators in the audit logs

The audit logs identify the import and activate actions.

Audit logs with import and activate