I'd like to know if it's possible to configure CA PAM in order to have two-step authentication with a tool like Google Authenticator or other OTP tools.
Thanks in advance.
Using the AWS Management Console with a user account that has MFA enabled as an example:
Using the default 'AWS AWS Management Console SSO' TCP/UDP service will let the user log in seamlessly to the console without being prompted for the MFA code.
Setting up a TCP/UDP service with the 'Xsuite HTML WebSSO' auto-login method will let you associate the Target Account to get through the first login page, and the user will land on the Multi-factor Authentication page to enter the MFA code manually. If you want the user to enter the username/password and MFA code manually, you can choose "Disabled" as the auto-login method.
However, I discovered that with the 'Xsuite HTML WebSSO' auto-login method, the user needs to log in twice, which I am engaging Sustaining Engineering to look into.
I am assuming you would like to have another authentication step for the CA PAM UI, right?
For this you can integrate CA PAM with CA SSO, which offers a wide variety of additional authentication methods.
CA Single Sign-On Integration - CA Privileged Access Manager - 2.8.3 - CA Technologies Documentation
You could also use LDAP+Radius, LDAP+TACACS or PKI, which can also be configured to require a PIN in addition to the certificate.
SiteMinder authentication and PAM authentication are separate from each other.