SafeNet Trusted Access
Getting started
- Subscription plans
- Log in to the STA consoles
- STA consoles
- Provision tokens
- Enroll a token
- Access your first application
- Protect cloud applications
Users and groups
- Configure individual users
- Manage tokens for a user
- Users on the STA Access Management console
- Groups
- Containers
- Restrict access based on the time, day, or date
- Account lockout and unlock policies
User provisioning
- Microsoft Entra ID synchronization
- User Provisioning through Identity Management Framework
  - Bi-directional Synchronization
  - Identity Management Framework Deployment
  - Using CSV as Identity Source
  - Using Active Directory (AD) as Identity Source
  - Using Microsoft Entra ID as Identity Source
  - SafeNet Trusted Access IdM Connector
  - Identity Management Framework - Frequently Asked Questions
- Add immutable IDs to users in Microsoft Entra ID
- User Provisioning through miniOrange using SCIM
- User Provisioning through Okta using SCIM
- Multi-role accounts
Operators and roles
- Operators
- External operators
- Provision roles automatically
- Alerts
Tokens
- Token allocations
- Token templates
- Token restrictions
- Temporary password policy
- Token passcode processing policy
- Configure server-side PINs
- Token synchronization
- Token authentication
- Import SafeNet tokens
- MobilePASS target and push OTP settings
- MobilePASS+ token self-provisioning
- SMS credits
- SMS, email, and voice OTP delivery
- GrIDsure
- Quicklog authentication
- Initialize hardware tokens
- Import YubiKey tokens
Provisioning tokens to users
- Automate token provisioning
- Self-provisioning rules for groups
- Provisioning tasks
- Assign a hardware token to a user
- Bulk assign third-party tokens
Push OTP
- Requirements and considerations for push OTP
- Enable push OTP and MobilePASS+
- Push OTP rejection policy
- Customize push notifications and alerts
- Configure applications for push OTP
- Token management and enrollment
- Push OTP authentications
Access policies
- Global access policy
- Add a policy
- Scenarios and conditions
- Grant or deny access to groups of users
- Logon policies
- Pre-authentication rules
Applications
- User portal
- SAML applications
- Custom SAML applications
- OIDC applications
- Custom OIDC applications
- SafeNet agents
- Share your applications
- SafeNet Application Gateway for Amazon Elastic Beanstalk
- Windows Logon app sharing
- Legacy SAML configurations
- Microsoft Office 365 federation
Authentication
- Integrated Windows Authentication (Kerberos)
- Certificate-based authentication
- Delegated password validation
- FIDO authentication
- External FIDO management
- IDP orchestration
  - ADFS as an external identity provider
  - Microsoft Entra ID as an external identity provider
  - Okta as an external IDP
  - OneWelcome as an external IDP
- STA Hybrid Access Management Add-On
  - Balancing Security and Flexibility with Hybrid IAM
  - STA Access Continuum
- Source IP address validation
- Flexible Passwordless Authentication Journeys
RADIUS integrations
- RADIUS attributes for users or groups
- RADIUS third-party token support
- Block RADIUS authentication
Server and agent settings
- Authentication nodes
- Single sign-on session timeout
- Restrict IP range
- Email server settings
- SMS settings
- Voice OTP settings
- Configuring a voice provider
- FTP/SFTP/SCP settings
- Time zone offset
- Data collection
- Download an encryption key for agents
- Language
- Migrate SafeNet authentication servers
User self-service
- Self-service site
  - Site appearance and default language
  - Self-service modules
  - Self-enrollment pages
  - Configure authorities, OOB enrollment, and policies
  - Process requests and view reports
- Prefill the user name
Branding the appearance
- Customize user and operator login pages
- Customize email messages
- Customize SMS messages
- Customize voice OTP messages
Language customization
- Languages on the user login pages
- Languages on self-provisioning pages
- Languages on the user portal
Dashboard
- Access logs
- Authentication activity
- Authentication metrics
- Access and authentication log fields
- Audit logs of operator activity
- Log Streaming
- SafeNet MobilePASS+ authenticators
- Usage report
Reports
- Billing reports
- Compliance reports
- Inventory reports
- Security policy reports
Identity governance and administration
- STA Identity Governance with SailPoint IdentityIQ
- Solution Overview
- Generate STA Authentication API key
- Create and Configure a Web Services Application in SailPoint IdentityIQ
- Running the Solution
- Certification
- Rules
Security integrations
- Security Orchestration with Cortex XSOAR
Compliance and standards
Community content
- Authentication with AD Federation Services
- Protecting Remote Desktop Services
Previews
- API access management
- Mobile app for API access management
- Configure STA for API access management
- Policy enforcement using an API gateway
- Back-end API for the mobile app
- STA integration with Entra ID EAM
- SafeNet Agent for Windows Logon - Preview
  - System Requirements
  - Pre-installation
  - Registry Settings
  - Running the Solution
  - Troubleshooting and Advanced Configurations

SafeNet Agent for Windows Logon - Preview

This is a preview feature. Contact Thales Customer Support to request access to preview features.

Product Description

SafeNet Agent for Windows Logon is designed to help Microsoft enterprise customers ensure that valuable resources are accessible only by authorized users. It delivers a simplified and consistent user login experience, virtually eliminates help desk calls related to password management, and helps organizations comply with regulatory requirements.

The use of Two-Factor Authentication (2FA) instead of just traditional static passwords to access a Windows environment is a critical step for information security.

For information about the released features, see: SafeNet Agent for Windows Logon.

For a list of existing issues as of the latest release, refer to Known Issues.

Release Description

SafeNet Agent for Windows Logon v4.2.1 supports FIDO2 authenticators.

Preview Release Disclaimer

Release intent: Thales preview releases are short-lived and made available to customers “On Demand”, allowing them to provide feedback and explore upcoming feature/s specific to the preview release.
Release caveats:
- Non-production usage: Preview releases are not intended for use in production environments and Thales will not provide support for the production use of preview releases.
- Limited functionality: Preview releases may have limited or restricted functionality and there are no warranties for such releases.
- Support: Preview releases may be changed or discontinued. Upgrades from previous and upgrade to upcoming GA versions of the product are not supported.

FIDO2 token

This release supports FIDO2 (Fast IDentity Online) authenticators. It is a set of open standards designed to provide phishing-resistant and strong authentication. FIDO authentication in the Windows Logon Agent aims to eliminate passwords for online authentication, offering a more secure and user-friendly experience.

FIDO support in this release is tested with Thales FIDO tokens.

Two registry settings, PasswordlessEnabled and PasswordlessGroup, have been added to support passwordless logon along with FIDO authenticators. For more details, see registry settings.

While authenticating with passwordless logon using a FIDO token, ensure that you configure the registry settings as they are in passwordless logon policy for other tokens.

For additional information about the preview features, see: system requirements, pre-installation, running the solution, and troubleshooting.

Limitations of authentication using a FIDO2 token with WLA

Lack of support for platform authenticators: Platform-based authenticators such as Windows Hello and biometric sensors are not compatible.
No support for offline authentication: Offline authentication is not supported. Users must possess an offline supported authenticator, however, at least one online authentication must be performed using this authenticator.
Unsupported scenarios: Remote Desktop Protocol (RDP), Outgoing RDP connections, and Credential User Interface (CredUI) operations are not supported.
Multi-language feature is not supported. The text will be displayed in English by default.

Known Issues

Issue	Synopsis
SASNOI-22603	Summary: If Allow Outgoing RDP without OTP in the WLA management console is disabled, then FIDO authentication does not work. Workaround: None. Ensure to enable the setting always.
SAS-74515	Summary: While performing logon using the FIDO security key, user is redirected to the Passcode screen. Workaround: None. Report and share logs with the Thales support team.
SASNOI-22590	Summary: The Security key option does not appear on the list of authenticators at the login screen. This is an intermittent issue and will be resolved in a future release. Workaround: Close the list of authenticators screen, switch to a different user tile, and then continue the authentication.
SASNOI-22519	Summary: While enrolling a user for passwordless using FIDO token, the Windows security pop-up displays an untrusted app warning for SafeNet Desktop Logon.exe. Workaround: None. It will be resolved in a future release.

Suggest A Change

SafeNet Agent for Windows Logon - Preview

Product Description

Release Description

Preview Release Disclaimer

FIDO2 token

Limitations of authentication using a FIDO2 token with WLA

Known Issues

On this page