SafeNet Trusted Access
SafeNet Trusted Access (STA) is Thales’s cloud-based access management and MFA service, acting as an Identity Provider (IdP) for SAML 2.0 and OpenID Connect/OAuth 2.0. It offers policy-based “smart SSO,” context-aware MFA, RADIUS integration, and SCIM-based inbound provisioning to streamline user lifecycle automation.
Key Capabilities
- Standards-based SSO: Acts as an IdP for SAML 2.0 and OIDC/OAuth 2.0, with app setup guides for both OIDC clients and SAML service providers (e.g., Microsoft 365).
- MFA & passwordless: Supports FIDO2/WebAuthn (passkeys and security keys), push notifications, and OTP methods. Thales documents multiple FIDO-compliant hardware and device options.
- RADIUS integrations: VPNs, Wi-Fi controllers, and network appliances that speak RADIUS can authenticate against STA (typically with an OTP as the RADIUS password) without an on-premises RADIUS server.
- Access policies & app catalog: "Smart SSO" implements adaptive, policy-based step-up authentication, with pre-integrated app templates and SAML/OIDC connectors.
- Directory & provisioning: Exposes an inbound SCIM 2.0 API so HRIS or directory systems can push users and groups into STA. Agents synchronize identities from Active Directory, LDAP, or SQL.
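The RADIUS bullet above is where the weakest link usually sits: with PAP, whatever the user types as the password (here the OTP) is carried in the User-Password attribute, hidden only by an MD5 keystream derived from the shared secret (RFC 2865 section 5.2). The following is an added example, not Thales code or STA's RADIUS implementation: it builds an Access-Request the way a NAS would and validates it the way a RADIUS server would, including the Response Authenticator. The shared secret, user name, OTP and `valid_otp` callback are constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept exchange with a PAP User-Password
(RFC 2865). Constructed example, not Thales code: shows both the NAS side and
the server side so the role of the shared secret is visible."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def _attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + prev)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], keystream))
        out += block
        prev = block  # chaining input for the next block is the ciphertext
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password; anyone holding the secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(secret, ident, user, otp, nas_ip="10.0.0.1", authenticator=None):
    """NAS side: Code(1) Identifier(1) Length(2) Authenticator(16) attributes."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(secret, authenticator, otp))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT, struct.pack("!I", 0)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attrs(packet):
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs


def handle_access_request(secret, packet, valid_otp):
    """Server side: recover the OTP, check it, answer with an Access-Accept or
    Access-Reject whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("malformed request")
    req_auth = packet[4:20]
    attrs = parse_attrs(packet)
    user = attrs[USER_NAME].decode()
    otp = reveal_password(secret, req_auth, attrs[USER_PASSWORD])
    resp_code = ACCESS_ACCEPT if valid_otp(user, otp) else ACCESS_REJECT
    head = struct.pack("!BBH", resp_code, ident, 20)  # no reply attributes
    return head + hashlib.md5(head + req_auth + secret).digest()


def demo():
    secret = b"constructed-shared-secret"  # assumption: pre-shared with the NAS
    pkt = build_access_request(secret, 7, "ada@example.com", "123456")
    accept = handle_access_request(secret, pkt, lambda u, o: o == "123456")
    reject = handle_access_request(secret, pkt, lambda u, o: o == "000000")
    return pkt, accept, reject


if __name__ == "__main__":
    pkt, accept, reject = demo()
    print(pkt.hex(), accept.hex(), reject.hex(), sep="\n")
```

Two things follow from the code: `reveal_password` needs nothing but the shared secret, so a short or guessable secret lets anyone on the path recover the credential, and the Response Authenticator only covers the reply, not replay of the request. A single-use OTP limits what an intercepted User-Password is worth, which is the practical reason to put an OTP rather than a static password behind a RADIUS VPN or Wi-Fi login.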
Limitations
- Advanced OAuth profiles: Public documentation emphasizes core OAuth/OIDC; there is not enough data to confirm support for Pushed Authorization Requests (PAR, RFC 9126), DPoP sender-constrained tokens (RFC 9449), mTLS-bound tokens (RFC 8705), or FAPI compliance.
- OIDC console controls: Some legacy documentation (Access Exchange) notes limited configurability of OAuth flows and the openid scope; confirm current tenant features before relying on STA for pure OAuth integrations.
- SCIM directionality: Inbound SCIM into STA is confirmed, but outbound SCIM provisioning from STA to third-party services is not clearly documented.
- SaaS model: STA is cloud-only; while RADIUS/VPN integrations are available, desktop MFA and network enforcement typically require local agents or device configuration.
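The inbound SCIM 2.0 flow referenced in both the Directory & provisioning capability and the SCIM directionality limitation looks the same regardless of which IdP is on the receiving end: the HRIS (the SCIM client) posts RFC 7643 User resources and later patches them. The following added example is not Thales code and does not model STA's actual endpoint; it is an in-memory stand-in for a SCIM 2.0 service provider's /Users resource, plus a joiner/leaver sync that drives it from constructed HRIS rows. The HRIS column names (`employee_id`, `first`, `last`, `email`, `status`) are assumptions.

```python
"""Minimal SCIM 2.0 inbound provisioning: an in-memory /Users service provider
(RFC 7643 User schema, RFC 7644 create and PatchOp messages) driven by a
joiner/leaver sync from HRIS rows. Constructed example, not Thales code."""
import json
import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status, detail, scim_type=None):
    """RFC 7644 3.12 error body; note status is a string in SCIM."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimUsers:
    """Stand-in for an IdP's /Users endpoint, the role STA plays for inbound SCIM."""

    def __init__(self):
        self.users = {}  # SCIM id -> resource

    def find_by_username(self, user_name):
        return next((u for u in self.users.values()
                     if u["userName"].lower() == user_name.lower()), None)

    def create(self, payload):
        """POST /Users: require the core schema and userName, enforce uniqueness."""
        if USER_SCHEMA not in payload.get("schemas", []):
            return scim_error(400, "missing core User schema", "invalidValue")
        if not payload.get("userName"):
            return scim_error(400, "userName is required", "invalidValue")
        if self.find_by_username(payload["userName"]):
            return scim_error(409, "userName already exists", "uniqueness")
        user = dict(payload)
        user["id"] = str(uuid.uuid4())
        user.setdefault("active", True)
        now = datetime.now(timezone.utc).isoformat()
        user["meta"] = {"resourceType": "User", "created": now, "lastModified": now}
        self.users[user["id"]] = user
        return 201, user

    def patch(self, user_id, patch_op):
        """PATCH /Users/{id}: apply 'replace' operations on top-level attributes."""
        if user_id not in self.users:
            return scim_error(404, "no such user")
        if PATCH_SCHEMA not in patch_op.get("schemas", []):
            return scim_error(400, "missing PatchOp schema", "invalidValue")
        user = self.users[user_id]
        for op in patch_op.get("Operations", []):
            if op.get("op", "").lower() != "replace" or "path" not in op:
                return scim_error(400, "unsupported operation", "invalidValue")
            user[op["path"]] = op["value"]
        user["meta"]["lastModified"] = datetime.now(timezone.utc).isoformat()
        return 200, user


def hris_to_scim(row):
    """Map one HRIS row (assumed column names) onto a SCIM core User."""
    return {
        "schemas": [USER_SCHEMA],
        "externalId": row["employee_id"],
        "userName": row["email"],
        "name": {"givenName": row["first"], "familyName": row["last"]},
        "emails": [{"value": row["email"], "primary": True}],
        "active": row["status"] == "active",
    }


def sync_from_hris(rows, service):
    """Joiners are created; leavers are deactivated rather than deleted so the
    account's history and app assignments survive for audit."""
    summary = {"created": [], "deactivated": [], "errors": []}
    for row in rows:
        existing = service.find_by_username(row["email"])
        if existing is None and row["status"] == "active":
            status, body = service.create(hris_to_scim(row))
            (summary["created"] if status == 201 else summary["errors"]).append(body)
        elif existing is not None and row["status"] != "active" and existing["active"]:
            patch = {"schemas": [PATCH_SCHEMA], "Operations": [
                {"op": "replace", "path": "active", "value": False}]}
            service.patch(existing["id"], patch)
            summary["deactivated"].append(existing["userName"])
    return summary


# Constructed HRIS extracts: day 1 has two active staff, day 2 terminates one.
HRIS_DAY1 = [
    {"employee_id": "E1001", "first": "Ada", "last": "Lovelace",
     "email": "ada@example.com", "status": "active"},
    {"employee_id": "E1002", "first": "Alan", "last": "Turing",
     "email": "alan@example.com", "status": "active"},
]
HRIS_DAY2 = [HRIS_DAY1[0], dict(HRIS_DAY1[1], status="terminated")]


def demo():
    service = ScimUsers()
    return service, sync_from_hris(HRIS_DAY1, service), sync_from_hris(HRIS_DAY2, service)


if __name__ == "__main__":
    service, day1, day2 = demo()
    print(json.dumps(service.users, indent=2))
```

Deactivating with `active: false` instead of `DELETE /Users/{id}` is the conventional leaver step: it cuts off sign-in immediately while preserving the record, and the `uniqueness` 409 on re-create is what stops a rehire from silently getting a second identity. Against a real tenant the same payloads go over HTTPS with the bearer token the IdP issues for its SCIM endpoint; that transport layer is deliberately left out here.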