Integration with TOTP (MFA) Authentication

If you are already a user of Google Authenticator Multi-factor or Two-factor authentication and would like to configure PAM to use Google Auth, then please perform the following steps.

Please note that you will need to be able to access and modify files on the PAM host computer.

Contact your PAM System Administrator for assistance.

Pre-requisite: PAM must be deployed with and configured to use its Federated Sign-In component in order to integrate with multi-factor authentication providers.

  1. Log on to the PAM host computer.
  2. Open the file $PAM_HOME/web/conf/catalina.properties
  3. Uncomment the following line only when a single global MFA for the entire PAM is desired:

    4. Copy 
    #cas.authn.mfa.globalProviderId=mfa-gauth

    If you wish to enable different MFA providers for individual users or group, please read this article for additional information.

  4. If you are using your own Database and not the PAM internal database, then modify the following lines. If you are using PAM’s internal database, then skip this step.

    Copy 
    cas.authn.mfa.gauth.jpa.database.driverClass=org.apache.derby.jdbc.ClientDriver
    cas.authn.mfa.gauth.jpa.database.dialect=org.hibernate.dialect.DerbyTenSevenDialect

    You can find the values that need to be replaced in bold above from this same /catalina.properties file in the #PAM Database section. In this example, we would copy the SQL database parameters below and use them to replace those of the Derby database above.

    Copy 
    hibernate.dialect=org.hibernate.dialect.SQLServer2012Dialect
    hibernate.connection.driver_class=com.microsoft.sqlserver.jdbc.SQLServerDriver

  5. Optionally, you may modify the following lines to customize the branding of the Authentication page. Update the parameters; numbers and letters only, no spaces are allowed.

    Copy 
    cas.authn.mfa.gauth.issuer=Imprivata
    cas.authn.mfa.gauth.label=ImprivataPAM

  6. When complete, save and close this file.

  7. Restart the service PamManagement.

Once configured, refer to the following article Google Authenticator – How to Login as a User for steps on how to use Google Authenicator MFA with PAM from an end user’s perspective.