Hello @Bartosz
I have just tested Entra ID SAML provider with TOTP and that works without issue in 24.3
Regards,
John
Hi John,
Thank you for your response! But I guess it’s TOTP configured outside of Password Safe, not like in the case of AD users, where we can manage their MFA directly from the Users option in BT Password Safe, is that right? The case is that when we’re using SAML for users, we as PAM admins are losing control over MFA config, but we don’t have 24.3 yet, so maybe it’s been introduced in this update.
We have DUO MFA integrated with EntraID so that provides MFA for our SAML federation across all of our applications including BeyondInsight.
Now, with that being said, I have users who need to rotate passwords on service accounts every so often. They can only do this from the admin console so I have a separate URL for the admin console vs the non-admin cluster.
Because SAML is configured in the database in such a way that I cannot use SAML for both the admin console and the user console, I enable the ability for username and password with TOTP from within BeyondInsight for those who need to change passwords.
So long story short, DUO MFA for SAML auth and TOTP via the DUO application (iOS and Android) for non-SAML auth. One application, multiple MFA options.
If a user logs into the user portal with their username and password, they get the TOTP prompt since they are skirting around the SAML protections.
In regard to 24.3 or something older, we’ve been using this method since we deployed last year (we just hit our 1-year renewal).
You should be able to use whatever your company has set up for MFA in Azure for SAML authentication. For us, DUO provides some decent policy management to allow us to control MFA ourselves. I think you can set up MFA inside EntraID as well through the Microsoft Authenticator app. I know my Global Admin account gets a DUO push and I have to enter a TOTP code from Microsoft so they do support it to at least some extent.
I dunno why you want to do this. Generally speaking, if you’re federating the logon (i.e., SAML), then the Identity provider controls MFA. If you want to enforce MFA for all users of Password Safe and you’re configured with SAML, then re-configure your identity provider to require MFA for login.
The nice thing about BeyondInsight is that it does not force MFA on accounts when using SAML. If I set an account up to require TOTP, I only get the TOTP prompt when I use my username and password, not when I use SAML since EntraID handles that for us.
The use case for not using SAML is when you have the on-premises solution with an admin appliance. For admin-level work (e.g., some of my users can rotate passwords for service accounts to keep them compliant with policy without taking down systems/services with an automatic password change), this work can only be done via the admin appliance, and therefore the user cannot use federation.