Symantec Privileged Access Management


CA PAM - two step authentication (google authenticator)

  • 1.  CA PAM - two step authentication (google authenticator)

    Posted 09-13-2017 11:28 AM

    Hi all,

    I'd like to know if it's possible to configure CA PAM to have two-step authentication with a tool like Google Authenticator or other OTP tools.


    Thanks in advance.


  • 2.  Re: CA PAM - two step authentication (google authenticator)

    Posted 09-14-2017 01:07 AM

    Hi Ilaria,


    Using AWS Management Console with user account that has MFA enabled as an example:


    Using the default 'AWS AWS Management Console SSO' TCP/UDP service will enable the user to log in seamlessly to the console without getting prompted for the MFA code.


    Setting up a TCP/UDP service with the 'Xsuite HTML WebSSO' auto-login method will enable you to associate the Target Account to get through the first login page, and the user will land on the Multi-factor Authentication page to enter the MFA code manually. If you want the user to enter the username/password and MFA code manually, you can choose "Disabled" as the auto-login method.


    However, I discovered that with the 'Xsuite HTML WebSSO' auto-login method, the user needs to log in twice, which I am engaging Sustaining Engineering to look into.


    Thank you.

  • 3.  Re: CA PAM - two step authentication (google authenticator)
    Best Answer

    Broadcom Employee
    Posted 09-15-2017 09:37 AM

    Hello Ilaria,


    I am assuming you would like to have another authentication step to the CA PAM UI, right?


    For this you can integrate CA PAM with CA SSO which offers a wide variety of authentication methods in addition.

    Please see:

    CA Single Sign-On Integration - CA Privileged Access Manager - 2.8.3 - CA Technologies Documentation 



    You could also use LDAP+Radius, LDAP+TACACS or PKI which also can be configured to enter a PIN in addition to the certificate.


    Best Regards,


  • 4.  RE: Re: CA PAM - two step authentication (google authenticator)

    Posted 04-02-2020 11:31 AM
    Hi Andreas,

    I am trying to implement multifactor authentication for PAM, so I am trying to integrate CA SSO (Siteminder) with PAM before integrating SSO with Advance/Strong Authentication.
    I have completed the integration steps for CA SSO (Siteminder) and CA PAM production as given in the support URL/link below.

    CA Single Sign-On Integration

    I am also able to get the SSO page/prompt for authentication when trying the PAM application URL.

    But the issue is that after the SSO login is successful, I again get the PAM login page, where I have to log in again, which is not SSO behavior. Could you please help me get a proper SSO configuration for PAM, where once I log in to SSO I get access to the PAM Admin UI directly on

    I am using Active Directory as the user store and have integrated Active Directory with PAM properly as given for PAM LDAP integration.

    Thank you,

  • 5.  RE: Re: CA PAM - two step authentication (google authenticator)

    Broadcom Employee
    Posted 04-03-2020 02:59 AM
    What you see is expected behaviour.

    Integration of CA SSO into CA PAM does not replace PAM's authentication - it is merely another authentication layer to PAM.

  • 6.  RE: Re: CA PAM - two step authentication (google authenticator)

    Posted 04-05-2020 09:13 AM
    Hi Andreas,

    Thank you for the reply.

    Now that we have SSO (Siteminder) integrated with CA PAM, once a user tries to browse the PAM URL, they log in through the SSO (Siteminder) login page using LDAP/AD credentials (which is integrated as the user store with Siteminder).

    Then when the PAM login page appears, the user can use any other user login/username (a username which was not used in the SSO login step mentioned above) and the respective password to log in to PAM.

    My question here is: can we restrict the user at the PAM login page to use the same username/login name which he/she had used on the SSO (Siteminder) login page?

    Thank you,
    Samarendra Routray

  • 7.  RE: Re: CA PAM - two step authentication (google authenticator)

    Broadcom Employee
    Posted 04-06-2020 01:05 AM

    Hello Samarendra,


    SiteMinder authentication and PAM authentication are separate from each other.


    Best Regards,



  • 8.  RE: Re: CA PAM - two step authentication (google authenticator)

    Posted 06-02-2020 06:02 PM
    Hi Andreas,

    Thank you. We have configured MFA (LDAP+RADIUS) for PAM and it is working using the CA mobile OTP application (available in the Google Play Store for Android phones). Here we are using the CA Strong Authentication server for MFA and RADIUS for mobile OTP-based authentication, and we register the CA mobile OTP application on the device for OTP generation for Arcot-based OTP.

    Question: Is there any option to configure (register) and generate OTPs using other mobile OTP software apps like "Google Authenticator" or "Okta Verify" with the CA Strong Authentication server for MFA?

    Thank you,
    Samarendra Routray