MFA Configuration Options

Integration

Access Manager supports RADIUS for authentication which most MFA providers utilize in their own solutions, therefore many MFA products can be successfully integrated with Access Manager.

If you have a specific MFA or 2FA provider that you would like to inquire about, have questions or need guidance, please contact us using the information provided in our documentation site.

If questions remain or issues arise while using PAM, please contact the Support team using this link: https://support.imprivata.com/communitylogin.

Access Manager integrates with your existing MFA provider, it does not provide its own service. Therefore, you will need to follow the configuration guides below before you can configure your MFA usage in Access Manager. This includes deploying the required Federated Sign-In Module as well as having an Administrative account with your MFA provider.

For specific MFA providers, please review the links below:

Duo Security MFA – How to Configure (Admin)

Duo Security MFA – How to Login (Users)

Google Authenticator (or other TOTP providers) – How to Configure (Admin)

Google Authenticator (or other TOTP providers) – How to Login (Users)

RADIUS – How to Configure (Admin)

Configuration Options

The MFA Configuration Options allows an Access Manager System Administrator to determine which users or groups will have to authenticate using their MFA provider in order to login.

The following options are available:

To start using MFA, please first read enabling granular control over MFA configuration for different users or groups of users article to configure the System to support this feature.

Add: Select a user or group that will be added to the System MFA configuration.

Edit: Modify the System MFA configuration of the selected user or group.

Delete: Remove the selected user or group from the System MFA configuration.

 

Default: When selected, this specific configuration becomes the default MFA provider for all users or groups. In turn, the specific users or groups added then become exceptions to this default.

Principal: The user or group that will be bound to this configuration. Principal is removed when the Default option is enabled because default applies to all principals.

MFA Provider: The selected provider that will be bound to this principal. The list of providers is populated based on the MFA integration(s) that have been established with the System. Select the none option, if you want the principal to login without requiring MFA authentication.

MFA-Add.png

The mfa-generic provider option enforces the requirement of a mfa token when a user establishes a desktop client SSH Proxysession only; it does not generate mfa tokens for any other login or connection purposes. These mfa generic tokens are generated in Management > My Profile > Preferences > MFA Code and have a 3 minute expiration time.

 

By default, all principals with the System Administrator role are added with no (none) MFA provider configured. This is done to prevent accidental lock out if the MFA integration or configuration is mis-configured. You may change this default behavior if needed.