Hello @Bartosz
I have just tested the Entra ID SAML provider with TOTP, and it works without issue in 24.3.
Regards,
John
Hi John,
Thank you for your response! But I guess it’s TOTP configured outside of Password Safe, not like in the case of AD users, where we can manage their MFA directly from the Users option in BT Password Safe, is that right? The case is that when we’re using SAML for users, we as PAM admins lose control over the MFA config, but we don’t have 24.3 yet, so maybe it’s been introduced in this update.
We have Duo MFA integrated with Entra ID, so that provides MFA for our SAML federation across all of our applications, including BeyondInsight.
Now, with that being said, I have users who need to rotate passwords on service accounts every so often. They can only do this from the admin console so I have a separate URL for the admin console vs the non-admin cluster.
Because SAML is configured in the database in such a way that I cannot use SAML for both the admin console and the user console, I enable username and password with TOTP from within BeyondInsight for those who need to change passwords.
So, long story short: Duo MFA for SAML auth, and TOTP via the Duo application (iOS and Android) for non-SAML auth. One application, multiple MFA options.
If a user logs into the user portal with their username and password, they get the TOTP prompt since they are skirting around the SAML protections.
In regard to 24.3 or something older, we’ve been using this method since we deployed last year (we just hit our 1-year renewal).
You should be able to use whatever your company has set up for MFA in Azure for SAML authentication. For us, Duo provides some decent policy management that allows us to control MFA ourselves. I think you can set up MFA inside Entra ID as well, through the Microsoft Authenticator app. I know my Global Admin account gets a Duo push and I have to enter a TOTP code from Microsoft, so they do support it to at least some extent.