Defining MFA per User or Group
If you want to enable different MFA providers for different users or groups, please review the following guide for configuration steps.
A common scenario would be that you want internal users to use your default Duo MFA provider (or no MFA requirement at all), while external contractors are required to use a free alternative like Google Authenticator.
To Configure Unique MFA Provider Requirements
For the purposes of this article, it is assumed that you have already configured the required Federated Sign-in Module and integrated with your MFA provider(s). If you have not yet performed these required steps, please read the appropriate articles and return here when ready.
- Log in to PAM with a System Administrator account.
- Navigate to Administration > MFA.
- Configure your user and group mapping as required. Use the Add, Edit and Delete options to manage the list of users or groups. For each user or group, select the desired MFA option from the dropdown. For ease of use, if you wish to apply the same MFA provider to all users, simply check the Default option and then select your single Provider.
Note that the system pre-populates this table with all current system administrators (users or groups) with Provider: none, meaning that system admins will not require MFA. You may want to change or retain this default configuration depending on your requirements.
- Log in to the PAM host server and open the file $PAM_HOME/web/conf/catalina.properties in a text editor.
- Locate and comment out (put a # before the line) all the line(s) that begin with the below. Please note that this may include several lines.
cas.authn.mfa.globalProviderId=mfa-
- Enable granular MFA configuration in $PAM_HOME/web/conf/catalina.properties by uncommenting the line for the parameter that matches your Federated Sign-in version:
for Federated Sign-in v5.2x:
cas.authn.mfa.groovyScript=.../web/webapps/pam/WEB-INF/mfa/xtam-mfa.groovy
for Federated Sign-in v6.5:
cas.authn.mfa.groovyScript.location=.../web/webapps/pam/WEB-INF/mfa/xtam-mfa.groovy
Depending on the PAM host server, the path above (shortened to ...) will be different.
- Save and close the file $PAM_HOME/web/conf/catalina.properties.
- Restart the PamManagement service (Windows) or the pammanager service (Linux) to complete the configuration.
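The following is an added example, not part of this article or of the PAM product: a POSIX shell script that performs the two catalina.properties edits from the steps above on a Linux host (comment out every active cas.authn.mfa.globalProviderId=mfa- line, uncomment the groovyScript line for your version) and then verifies that no global provider remains active and exactly one groovy script line is active. The property names are the ones quoted above; the sample file contents, the provider suffixes mfa-PROVIDER-A / mfa-PROVIDER-B and the PAM_HOME_PLACEHOLDER path are constructed placeholders, because the real values and the path depend on your host.

```shell
#!/bin/sh
# Added example (not PAM's own tooling). Edits a catalina.properties file
# for granular MFA as described in the article and verifies the result.
# Usage on a real host:
#   apply_granular_mfa "$PAM_HOME/web/conf/catalina.properties" cas.authn.mfa.groovyScript.location
#   (use the key cas.authn.mfa.groovyScript for Federated Sign-in v5.2x)

# apply_granular_mfa FILE KEY
#   1) prefixes every active cas.authn.mfa.globalProviderId=mfa-* line with '#'
#   2) removes the leading '#' from the line that starts with KEY=
# A copy of the original is kept as FILE.bak before anything is changed.
apply_granular_mfa() {
    f="$1"
    key="$2"
    # escape the dots in the key so sed treats them literally
    key_re=$(printf '%s\n' "$key" | sed 's/\./\\./g')
    tmp="$f.tmp.$$"
    cp "$f" "$f.bak"
    sed \
        -e 's/^[[:space:]]*\(cas\.authn\.mfa\.globalProviderId=mfa-\)/#\1/' \
        -e 's/^[[:space:]]*#[[:space:]]*\('"$key_re"'=\)/\1/' \
        "$f" > "$tmp" && mv "$tmp" "$f"
}

# verify_granular_mfa FILE
#   returns 0 only when no globalProviderId=mfa- line is still active and
#   exactly one cas.authn.mfa.groovyScript* line is active (either version key).
verify_granular_mfa() {
    f="$1"
    # grep -c prints 0 but exits 1 when nothing matches; '|| true' keeps the count
    active_global=$(grep -c '^[[:space:]]*cas\.authn\.mfa\.globalProviderId=mfa-' "$f" || true)
    active_script=$(grep -c '^[[:space:]]*cas\.authn\.mfa\.groovyScript' "$f" || true)
    if [ "${active_global:-0}" -eq 0 ] && [ "${active_script:-0}" -eq 1 ]; then
        return 0
    fi
    return 1
}

# Demonstration on a constructed fragment (not a real PAM file): two active
# global providers and a commented-out v6.5 groovy script line.
demo_granular_mfa() {
    f=$(mktemp)
    printf '%s\n' \
        'cas.authn.mfa.globalProviderId=mfa-PROVIDER-A' \
        'cas.authn.mfa.globalProviderId=mfa-PROVIDER-B' \
        '# cas.authn.mfa.groovyScript.location=PAM_HOME_PLACEHOLDER/web/webapps/pam/WEB-INF/mfa/xtam-mfa.groovy' \
        'other.setting=unchanged' > "$f"
    apply_granular_mfa "$f" cas.authn.mfa.groovyScript.location
    if verify_granular_mfa "$f"; then
        echo "granular MFA configuration looks correct:"
        cat "$f"
    else
        echo "verification failed, review $f and $f.bak" >&2
    fi
    rm -f "$f" "$f.bak"
}

demo_granular_mfa
```

Run the verify function again after the service restart step if you later edit the file by hand; a second active globalProviderId line (the article warns there may be several) is the most common reason the per-user mapping is silently ignored in favour of the global provider, and the count check above catches it.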