Defining MFA per User or Group

If you want to enable different MFA providers for different users or groups, please review the following guide for configuration steps.

A common scenario is that you want internal users to use your default Duo MFA provider (or no MFA requirement at all), while external contractors are required to use a free alternative such as Google Authenticator.


To Configure Unique MFA Provider Requirements

For the purposes of this article, it is assumed that you have already configured the required Federated Sign-in Module and integrated with your MFA provider(s). If you have not yet performed these required steps, please read the appropriate articles and return here when ready.


  1. Log in to PAM with a System Administrator account.

  2. Navigate to Administration > MFA.

  3. Configure your user and group mapping as required. Use the Add, Edit and Delete options to manage the list of users or groups. For each user or group, select the desired MFA option from the dropdown. If you wish to apply the same MFA provider to all users, simply check the Default option and then select your single Provider.

  4. Note that the system pre-populates this table with all current system administrators (users or groups) with Provider: none, meaning that system administrators will not be required to use MFA. Decide deliberately whether to change or retain this default: these are the most privileged accounts in the system, so exempting them from MFA should be a conscious choice rather than an oversight.

  5. Log in to the PAM host server and open the file $PAM_HOME/web/conf/catalina.properties in a text editor.

  6. Locate and comment out (put a # at the start of the line) every line that begins with the text below. Note that there may be several such lines; all of them must be commented out.

    cas.authn.mfa.globalProviderId=mfa-

  7. Enable granular MFA configuration in $PAM_HOME/web/conf/catalina.properties by uncommenting the line for the parameter that matches your Federated Sign-in version.

    For Federated Sign-in v5.2x:

    cas.authn.mfa.groovyScript=.../web/webapps/pam/WEB-INF/mfa/xtam-mfa.groovy

    For Federated Sign-in v6.5:

    cas.authn.mfa.groovyScript.location=.../web/webapps/pam/WEB-INF/mfa/xtam-mfa.groovy

    The part of the path shortened to ... above depends on where PAM is installed on the host server; leave the rest of the line as it appears in your file.

  8. Save and close the file $PAM_HOME/web/conf/catalina.properties.

  9. Restart the PamManagement service (Windows) or the pammanager service (Linux) to complete the configuration. Then verify the result by logging in as a user from each mapping and confirming that the expected provider (or none) is prompted.
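The following script is an added example and is not part of the PAM product or of this article. It applies the catalina.properties edits from steps 5 to 8 above on a Linux host and then checks the result, so the change can be repeated consistently across servers and a half-done edit is caught before the service is restarted. It assumes the file uses the cas.authn.mfa.* keys quoted in the article and # as the comment character (standard for Java properties). The constructed sample file, its placeholder path (the real path differs per host) and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not PAM's own tooling: automate the catalina.properties edits
# from the steps above and verify them. Assumes cas.authn.mfa.* keys and '#'
# comments. The "..." part of the groovy path in the article is host specific;
# the path used in the sample below is a placeholder, not a real install path.

# Constructed sample mirroring the "before" state: a global provider is active
# (two lines, since the article warns there may be several) and the
# groovyScript line is still commented out.
make_sample() {
  cat > "$1" <<'EOF'
cas.authn.mfa.globalProviderId=mfa-duo
cas.authn.mfa.globalProviderId=mfa-gauth
#cas.authn.mfa.groovyScript.location=/path/to/pam/web/webapps/pam/WEB-INF/mfa/xtam-mfa.groovy
some.other.setting=true
EOF
}

# Comment out every line starting with globalProviderId=mfa- and uncomment the
# groovyScript line, whether it uses the v5.2x key (groovyScript=) or the v6.5
# key (groovyScript.location=). A backup is kept (only the first time, so a
# rerun cannot overwrite the original) and the edit goes to a temp file first,
# so a failed sed never leaves a truncated properties file behind.
enable_granular_mfa() {
  f="$1"
  [ -e "$f.bak" ] || cp "$f" "$f.bak" || return 1
  sed \
    -e 's/^\(cas\.authn\.mfa\.globalProviderId=mfa-\)/#\1/' \
    -e 's/^#[[:space:]]*\(cas\.authn\.mfa\.groovyScript=\)/\1/' \
    -e 's/^#[[:space:]]*\(cas\.authn\.mfa\.groovyScript\.location=\)/\1/' \
    "$f" > "$f.new" && mv "$f.new" "$f"
}

# Post-check before restarting the service: no active global provider may
# remain (the article requires all of them commented out for the per-user
# mapping to apply) and exactly one groovyScript line must be active.
verify_granular_mfa() {
  f="$1"
  if grep -q '^cas\.authn\.mfa\.globalProviderId=' "$f"; then
    echo "FAIL: an active globalProviderId line is still present in $f" >&2
    return 1
  fi
  n=$(grep -c -E '^cas\.authn\.mfa\.groovyScript(\.location)?=' "$f")
  if [ "$n" -ne 1 ]; then
    echo "FAIL: expected exactly one active groovyScript line, found $n" >&2
    return 1
  fi
  return 0
}

# Usage on a real host (then restart the pammanager service as step 9 says):
#   sh enable-granular-mfa.sh "$PAM_HOME/web/conf/catalina.properties"
if [ -n "${1:-}" ]; then
  enable_granular_mfa "$1" && verify_granular_mfa "$1" \
    && echo "OK: $1 updated, now restart the pammanager service"
fi
```

Running the script a second time is harmless: lines that are already commented or already uncommented no longer match the sed patterns, and the original backup is preserved. If verify_granular_mfa reports a failure, do not restart the service; inspect the file and the .bak copy first.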