Defining MFA per User or Group

If you want to enable different MFA providers for different users or groups, please review the following guide for configuration steps.

A common scenario, would be that you want internal users to use your default Duo MFA provider (or no MFA requirement at all), while external contractors are forced to use a free alternative like Google Authenticator.

 

To Configure Unique MFA Provider Requirements

 

1. Login to PAM with a System Administrator account.

2. Navigate to Administration > MFA.

3. Configure your user and group mapping as required. Use the Add, Edit and Delete option to manage the list of users or groups. For each user or group, select the desired MFA option from the dropdown. For ease of use, if you wish to apply the same MFA provider for all users, simply check the Default option and then your single Provider.

Note that the System pre-populates this table with all current system administrators (users or groups) with Provider: none meaning that system admins will not require MFA. You might want to change or retain this default configuration depending on your requirements.

4. Login to PAM host server and open the file $PAM_HOME/web/conf/catalina.properties in a text editor.

 

5. Locate and comment out (put a # before the line) all the line(s) that begin with the below:

Please note that this may include several lines.

Copy

1
cas.authn.mfa.globalProviderId=mfa-

 

6. Enable granular MFA configuration in the $PAM_HOME/web/conf/catalina.properties by uncommenting the line:
Copy

1
cas.authn.mfa.groovyScript=.../web/webapps/pam/WEB-INF/mfa/xtam-mfa.groovy

 

Depending on PAM host server, the path above (shortened to …) will be different.

 

7. Save and close the file $PAM_HOME/web/conf/catalina.properties
8. Restart the PamManagement service (Windows) or the pammanager service (Linux) to complete the configuration.