XTAM MFA Configuration Options


XTAM supports RADIUS for authentication which most MFA providers utilize in their own solutions, therefore many MFA products can be successfully integrated with XTAM.

If you have a specific MFA or 2FA provider that you would like to inquire about, please contact us for more information.

XTAM integrates with your existing MFA provider, it does not provide its own service. Therefore, you will need to follow the configuration guides below before you can configure your MFA usage in XTAM. This includes deploying the required XTAM Federated Sign-In Module as well as having an Administrative account with your MFA provider.

For specific MFA providers, please review the links below:

Duo Security MFA – How to Configure (Admin)

Duo Security MFA – How to Login (Users)

Google Authenticator (or other TOTP providers) – How to Configure (Admin)

Google Authenticator (or other TOTP providers) – How to Login (Users)

RADIUS – How to Configure (Admin)

Configuration Options

The MFA Configuration Options allows an XTAM System Administrator to determine which users or groups will have to authenticate using their MFA provider in order to login.

The following options are available:


Please first read our enabling granular control over MFA configuration for different users or groups of users article to configure XTAM to support this feature.

Add: Select a user or group that will be added to the XTAM MFA configuration.

Edit: Modify the XTAM MFA configuration of the selected user or group.

Delete: Remove the selected user or group from the XTAM MFA configuration.


Default: When selected, this specific configuration becomes the default MFA provider for all users or groups. In turn, the specific users or groups added then become exceptions to this default.

Principal: The user or group that will be bound to this configuration. Principal is removed when the Default option is enabled because default applies to all principals.

MFA Provider: The selected provider that will be bound to this principal. The list of providers is populated based on the MFA integration(s) that have been established with XTAM. Select the none option, if you want the principal to login without requiring MFA authentication.


The mfa-generic provider option enforces the requirement of a mfa token when a user establishes a desktop client SSH Proxysession only; it does not generate mfa tokens for any other login or connection purposes. These mfa generic tokens are generated in Management > My Profile > Preferences > MFA Code and have a 3 minute expiration time.


By default, all principals with the System Administrator role are added with no (none) MFA provider configured. This is done to prevent accidental lock out if the MFA integration or configuration is mis-configured. You may change this default behavior if needed.