OpenText™ Access Manager
MFA using OpenText Advanced Authentication
Version : 25.2
PDF Generated on : July 27, 2025
© Copyright 2025 Open Text
Table of Contents
1. MFA using OpenText Advanced Authentication
1.1. Prerequisites
1.2. Implementation approaches
1.3. Enabling multi-factor authentication through OpenText Advanced Authentication
1.4. Migrating from plug-in-based to OAuth-based integration
Access Manager 25.2
1. MFA using OpenText Advanced Authentication
OpenText Access Manager is a comprehensive access management solution that provides secure access to enterprise and web applications. Traditional one-factor authentication, such as providing a username and password to access a resource, has many known weaknesses. Access Manager supports multi-factor authentication to provide secure access from any device with minimal administration.
You can integrate OpenText Advanced Authentication with OpenText Access Manager to use multi-factor authentication. OpenText Advanced Authentication delivers various authentication mechanisms that enable identity assurance and proofing beyond traditional username-and-password authentication. You can authenticate on diverse platforms by using authenticators such as Fingerprint, OTP, and Smartphone.
For more information about OpenText Access Manager, see Product overview.
For more information about OpenText Advanced Authentication, see OpenText Advanced Authentication Overview.
1.1. Prerequisites
OpenText Access Manager is installed and configured.
See the OpenText Access Manager or Access Manager Appliance installation and upgrade guide.
OpenText Advanced Authentication or OpenText Advanced Authentication as a Service is installed and configured.
For information about how to install OpenText Advanced Authentication, see the Advanced Authentication Server Installation and Upgrade Guide.
For information about how to configure OpenText Advanced Authentication or OpenText Advanced Authentication as a Service, see the Advanced Authentication Administration Guide.
An OpenText Access Manager administrator account is available.
An OpenText Advanced Authentication administrator account is available.
1.2. Implementation approaches
You can integrate OpenText Advanced Authentication with OpenText Access Manager by using one of the following approaches:
Plug-in-based approach: The OpenText Advanced Authentication functionality is embedded in OpenText Access Manager.
OAuth-based approach (Recommended): Available in OpenText Access Manager 4.4 and later versions. This approach uses the OAuth claims-based authentication mechanism for secure and trusted communication. Any new methods introduced in the OpenText Advanced Authentication server become dynamically available in OpenText Access Manager without any modification to the product.
The following table lists the differences between the Plug-in-based and OAuth-based approaches:
Plug-in-based: Uses the OpenText Advanced Authentication REST API.
OAuth-based: Uses the OAuth protocol.

Plug-in-based: Requires configuring each method separately.
OAuth-based: Requires configuring only the OpenText Advanced Authentication Generic class. You can configure all OpenText Advanced Authentication methods using this class.

Plug-in-based: Any new method that is added in OpenText Advanced Authentication after integration is not available in OpenText Access Manager. You might need to upgrade OpenText Access Manager to a higher version to use that new method.
OAuth-based: If a new method is introduced in the OpenText Advanced Authentication server, it is available in OpenText Access Manager automatically without any upgrade.

Plug-in-based: Supports brand customization.
OAuth-based: OpenText Advanced Authentication 6.0 and later versions support branding customization. See Customizing the branding text.
1.3. Enabling multi-factor authentication through OpenText Advanced Authentication
Integrating OpenText Advanced Authentication with OpenText Access Manager
To integrate both products, you must first configure OpenText Advanced
Authentication server and then configure OpenText Advanced Authentication server
details in OpenText Access Manager.
Configure the OpenText Advanced Authentication Server
1. Log in to OpenText Advanced Authentication as an administrator.
2. Verify that the NAM event is available in Events.
Note
The NAM event is created by default when you install OpenText
Advanced Authentication. In a rare scenario, the NAM event might
not get created by default. Re-installing OpenText Advanced
Authentication resolves the issue.
3. Set up a central user store that both OpenText Advanced Authentication and
OpenText Access Manager will use while authenticating a user. You can add a
new repository in OpenText Advanced Authentication server or configure details
of an existing OpenText Access Manager user store. If you add a new repository
in OpenText Advanced Authentication, configure the same repository when you
Configure the Advanced Authentication server details in OpenText Access
Manager.
For more information about how to add a repository, see Adding a repository.
4. Configure methods.
An OpenText Advanced Authentication method verifies the identity of a user
who tries to access resources. You can configure the methods depending on
your requirement. For example, in an Email OTP method, you can specify the
values of different parameters, such as OTP period, OTP format, subject, and
error message.
For more information, see Configuring methods.
5. Create a chain.
A chain is a combination of methods. A user must complete every method of a chain successfully to be authenticated. While creating a chain, add the methods in their order of execution. In Roles and Groups, assign the chain to the user group that is configured in the repository. For example, specify XYZ\Allowed RODC Password Replication Group, where XYZ is the name of the repository.
For more information about configuring chains, see Creating a chain.
6. (Required only for the OAuth-based approach) Configure an event.
OpenText Advanced Authentication provides authentication events for OpenText
Access Manager. An event leverages the OpenText Advanced Authentication
functionalities for OpenText Access Manager. OpenText Access Manager
triggers the respective authentication event when a user tries to access it.
Note
For plug-in-based methods, you do not need to create the OAuth 2.0 event. A default NAM event is created when you install OpenText Advanced Authentication. OpenText Access Manager uses the NAM event when you integrate using the plug-in-based approach and the OAuth 2.0 event when you integrate using the OAuth-based approach.
Perform the following steps to configure an event:
1. Click Events > Add.
2. Specify a name for the event.
3. Select OAuth2 from Event type.
4. Select the required chains.
Note
You need Client ID and Client secret while configuring the
OpenText Advanced Authentication server in OpenText Access
Manager. You cannot view Client secret later, therefore you
must make a note of this value.
5. In Redirect URIs, specify https://<identity server-url>:<port>/nidp/oauth/nam/callback.
For example, if the Identity Server URL is [Link], where [Link] is the domain name and 8443 is the port, specify [Link].
Important
If your Identity Server base URL is on the standard SSL port
443, do not include the port number in the URI. For example,
[Link] .
7. (Required only for the Plug-in-based approach) Assign the created chain to the
NAM event in the OpenText Advanced Authentication server.
Configure the OpenText Advanced Authentication server details in OpenText Access Manager
Before integrating OpenText Access Manager with OpenText Advanced
Authentication or OpenText Advanced Authentication as a Service, go to
/opt/novell/nam/idp/plugins/aa/ and ensure that the [Link] file does not exist
for any Identity Server node in this location.
1. On the Home page, click Identity Servers > IDP Global Settings > Advanced
Authentication.
2. Specify the following details:
Server Domain: Specify the scheme, domain name, and port of the OpenText Advanced Authentication server.
Tenant Name: Specify the name of the tenant that you want to use. By default, this field is populated with the TOP tenant of OpenText Advanced Authentication. You can specify another tenant name that you want to use.
Note
When using the Plug-in-based methods, skip to Step 5.
3. (Required only for OAuth-based approach) Select Integrate using OAuth under
OAuth Event Configuration.
4. (Required only for OAuth-based approach) Specify the following details:
Event Name: Specify an event name. This event name must be identical to the event name specified in the OpenText Advanced Authentication administration portal.
Client ID: Specify the client ID that was generated while creating the OAuth 2.0 event in the OpenText Advanced Authentication administration portal.
Client Secret: Specify the client secret that was generated while creating the OAuth 2.0 event in the OpenText Advanced Authentication administration portal.
OpenText Access Manager uses the endpoint links to retrieve the token and user details from the OpenText Advanced Authentication server. These are the default endpoint links. If the URIs change because the OpenText Advanced Authentication authorization server has been modified, you can change the values here.
Authorization URL: OpenText Access Manager uses this URL to retrieve the authorization code from the OpenText Advanced Authentication server.
Token URL: OpenText Access Manager uses this URL to exchange the authorization code for the access token.
User Info URL: OpenText Access Manager sends the access token to this URL to get the user details from the OpenText Advanced Authentication server.
The fields under Integration URLs are auto-populated after you specify the server domain address.
Enrollment Page URL: If the user is not enrolled in the OpenText Advanced Authentication server, then OpenText Access Manager uses this URL to redirect the user to the enrollment page.
Sign Data URL: OpenText Access Manager uses this URL to retrieve the signed data from the OpenText Advanced Authentication server.
5. Click Apply.
6. Verify that the [Link] file is available in each Identity Server node in
/opt/novell/nam/idp/plugins/aa/ .
7. Verify that the endpoint has been created in the OpenText Advanced
Authentication server. Go to the OpenText Advanced Authentication
administration portal and verify that the hostname or domain name of the
Identity Server cluster is displayed as the endpoint under Endpoints.
8. In OpenText Access Manager, go to Dashboard and click Certificates > Trusted
Roots to verify if the OpenText Advanced Authentication server certificate is
available.
If the certificate is not available, then perform the following steps to import the
certificate:
1. Click Certificates > Trusted Roots > Auto-Import From Server.
2. Specify the server IP/DNS, port, and certificate name.
3. Click OK.
9. Configure the same user store or repository that you added in the OpenText
Advanced Authentication server. See Step 3.
1. Click Identity Servers > [cluster name] > User Stores > + icon.
2. Specify the details and click Save.
3. Update Identity Server.
Skip this step if you have configured an existing OpenText Access Manager user
store in the OpenText Advanced Authentication server.
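The following added example (illustrative Python, not OpenText product code) models the OAuth-based hand-off that the two procedures above configure: it derives the Redirect URI from an Identity Server base URL according to the rule in Configure the OpenText Advanced Authentication Server, step 6 (omit the port when it is 443), and walks a constructed client through the Authorization URL, Token URL, and User Info URL roles described above, showing the exact-match checks on client ID, client secret, redirect URI, and chain assignment that the authorization-server side is expected to enforce. The in-memory authorization server, its endpoint behaviour, and all sample values are assumptions made for the example.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit

CALLBACK_PATH = "/nidp/oauth/nam/callback"  # callback path given in the guide


def redirect_uri_for(identity_server_base_url: str) -> str:
    """Build the Redirect URI to register in the Advanced Authentication OAuth2 event.

    Guide rule: keep the Identity Server scheme, host and port, but omit the port
    when it is the standard SSL port 443.
    """
    parts = urlsplit(identity_server_base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Identity Server base URL must be an https URL with a host")
    netloc = parts.hostname
    if parts.port is not None and parts.port != 443:
        netloc = f"{parts.hostname}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, CALLBACK_PATH, "", ""))


class AdvancedAuthEvent:
    """In-memory stand-in (assumption) for the OAuth2 event on the Advanced
    Authentication server: one registered client, one redirect URI, assigned chains."""

    def __init__(self, client_id, client_secret, redirect_uri, chains):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.chains = redirect_uri, set(chains)
        self._codes = {}   # authorization code -> authenticated user
        self._tokens = {}  # access token -> authenticated user

    def authorize(self, client_id, redirect_uri, user, chain):
        # Authorization URL role: exact-match checks before a code is issued.
        if client_id != self.client_id or redirect_uri != self.redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if chain not in self.chains:
            raise PermissionError("chain is not assigned to this event")
        code = secrets.token_urlsafe(16)
        self._codes[code] = user  # user completed the chain (simulated)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        # Token URL role: single-use code exchanged for an access token.
        if (client_id, client_secret) != (self.client_id, self.client_secret):
            raise PermissionError("client authentication failed")
        if redirect_uri != self.redirect_uri or code not in self._codes:
            raise PermissionError("invalid authorization code or redirect_uri")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = self._codes.pop(code)
        return token

    def userinfo(self, access_token):
        # User Info URL role: user details for a valid access token.
        if access_token not in self._tokens:
            raise PermissionError("invalid access token")
        return {"user": self._tokens[access_token]}


def second_factor(event, client_id, client_secret, base_url, user, chain):
    """Client side: what Access Manager does after first-factor login succeeds.
    Returns the user name confirmed by Advanced Authentication."""
    uri = redirect_uri_for(base_url)
    code = event.authorize(client_id, uri, user, chain)
    token = event.token(client_id, client_secret, code, uri)
    return event.userinfo(token)["user"]
```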
Configuring multi-factor authentication
OpenText Access Manager performs the first factor authentication when you protect a
resource or an application using OpenText Access Manager. You can use OpenText
Advanced Authentication to perform the second or third factor authentication.
Configuring multi-factor authentication using the OAuth-based approach:
1. Configure an OpenText Advanced Authentication Generic class.
1. On the Home page, click Identity Servers > Edit Cluster > Authentication
> Classes.
2. Click New and specify the following details:
Display name: Specify a name for the class.
Java class: Select Advanced Authentication Generic Class. The Java
class path is configured automatically.
3. Click Next > Finish.
2. Create a method for this class.
1. Click Identity Server > [cluster name] > Authentication > Methods > +
icon.
2. Select a chain in Advanced Authentication Chains. If you do not specify
any chain, the user is prompted to select the preferred chain for
authentication.
Note
If no chain is listed in Advanced Authentication Chains, create
a chain in the OpenText Advanced Authentication server. If a
chain is available in the OpenText Advanced Authentication
server, but the chain is not listed in Advanced Authentication
Chains, then assign the chain to the configured OpenText
Access Manager OAuth event in the OpenText Advanced
Authentication administration portal.
You can create multiple methods using the OpenText Advanced Authentication Generic Class. You do not need to create a new class every time you create a new method. You only need to add the new chain to the event in the OpenText Advanced Authentication administration portal, as described in Step 6.d. Then, while creating the method, select the chain in Advanced Authentication Chains.
3. Create a contract for the method.
1. On the Home page, click Identity Servers > [cluster name] >
Authentication > Contracts > + icon.
2. In URI, specify a value that uniquely identifies the contract from all other
contracts. This value is used to identify this contract for external providers
and is a unique path value that you create. For example, specify
/nam/AAgenericcontract or /mycompany/name/password/form .
3. In Methods, first add an OpenText Access Manager authentication method (for example, Secure Name/Password - Form) and then the OpenText Advanced Authentication method that you created in the preceding step.
Note
You can use more than one OpenText Advanced Authentication method.
4. Click Save.
5. Update Identity Server.
Note
For a seamless Identity Server redirection, configure a CSP header by
adding OpenText Advanced Authentication as an allowed source. For
more information, see Configuring a custom response header for an
Identity Server cluster and TID.
Configuring multi-factor authentication using the plug-in-based approach:
1. Configure an OpenText Advanced Authentication class.
1. On the Home page, click Identity Servers > Edit Cluster > Authentication
> Classes.
2. Click New and specify the following details:
Display name: Specify a name for the class.
Java class: Select an OpenText Advanced Authentication class other than Advanced Authentication Generic Class. For example, select SMS Class. The Java class path is configured automatically.
3. Click Next > Finish.
2. Create a method for this class.
1. Click Identity Server > [cluster name] > Authentication > Methods > +
icon.
2. Specify a name for this method.
3. Turn on Identifies User if you assign Advanced Authentication to perform
both first and second factor authentication. Do not select this option when
you create an Advanced Authentication method only for second factor
authentication.
For more information about creating a method, see Configuring
authentication methods.
3. Create a contract for the method.
1. Click Identity Server > [cluster name] > Authentication > Contracts > +
icon.
2. In URI, specify a value that uniquely identifies the contract from all other
contracts. This value is used to identify this contract for external providers
and is a unique path value that you create. For example, specify
/nam/AAplugincontract or /mycompany/name/password/form .
3. In Methods, first add an OpenText Access Manager authentication method (for example, Secure Name/Password - Form) and then the Advanced Authentication method that you created in the preceding step.
Note
You can use more than one OpenText Advanced Authentication method.
4. Click Save.
5. Update Identity Server.
For more information about creating a contract, see Configuring
authentication contracts.
Important
End-users must enroll the methods for multi-factor authentication. See End-users enrollment in the OpenText Advanced Authentication Self-Service portal.
Verifying the integration
To verify that the integration is successful, create a dummy user account and enroll
one or more authenticators.
For information about how an end-user enrolls to authenticators, see End-users
enrollment in the OpenText Advanced Authentication Self-Service portal.
Use this user account to access a protected resource by executing the contract
created in OpenText Access Manager.
Verifying the plug-in-based integration
Perform the following steps in OpenText Access Manager:
1. Create an OpenText Advanced Authentication class. You can use a Dynamic
class or any other class except the Generic class.
2. Create a method and include the class created in the previous step, add a
repository, and add the OpenText Advanced Authentication Enrollment URL
property.
Specify the URL of the OpenText Advanced Authentication portal for authenticator enrollments.
For example:
URL of the portal when it is not protected by Access Gateway: https://<Advanced Authentication hostname or IP address>/account
URL of the portal when Access Gateway protects Identity Server and OpenText Advanced Authentication: https://<Access Gateway hostname>/account
3. Create a contract. First add an OpenText Access Manager-specific method that supports LDAP credential-based authentication, such as Secure Name/Password - Form or Name/Password - Basic, and then add the OpenText Advanced Authentication method that you created in the previous step.
4. Using the dummy user's account, access Identity Server or a protected resource to which this contract has been assigned and execute this contract.
( https://<identity server-url>:<port>/nidp )
The user must be able to authenticate to each method: first to OpenText Access
Manager's method and then to the OpenText Advanced Authentication’s method.
If authentication succeeds, the integration is successful.
Verifying the OAuth-based integration
Perform the following steps in OpenText Access Manager:
1. Create a class using OpenText Advanced Authentication Generic class.
2. Create a method with this class and select the required chain in Advanced
Authentication Chains.
3. Create a contract. First add an OpenText Access Manager-specific method that supports LDAP credential-based authentication, such as Secure Name/Password - Form or Name/Password - Basic, and then add the OpenText Advanced Authentication method that you created in the previous step.
4. Using the dummy user's account, access Identity Server or a protected resource to which this contract has been assigned and execute this contract.
( https://<identity server-url>:<port>/nidp )
Specify the user name and password for first-factor authentication. Identity Server then redirects the login request to the OpenText Advanced Authentication OSP for chain execution.
On the OSP page, you can select the chain that you want to authenticate with. If
you have selected a chain while configuring the method, then you will be
prompted with the same chain on the OSP page.
If authentication succeeds on the OSP page and you are redirected to Identity
Server or protected resource, the integration is successful.
End-users enrollment in the OpenText Advanced Authentication self-service portal
To perform authentication with OpenText Advanced Authentication, end-users must enroll all methods of an authentication chain that they can use for authentication. A method, or authenticator, is a set of encrypted data that contains a user's authentication information. Users can use authenticators to log in to different resources.
Users must perform the following steps to enroll authenticators:
1. Access the OpenText Advanced Authentication Self-Service portal.
URL of the portal when it is not protected by Access Gateway: https://<Advanced Authentication hostname or IP address>/account
URL of the portal when Access Gateway protects Identity Server and OpenText Advanced Authentication: https://<Access Gateway hostname>/account
2. Select a method from Add Authenticator to enroll.
For example, to enroll Email OTP method, select Email OTP, specify your email
ID, and click Save.
Email OTP is displayed in the Enrolled Authenticators section.
3. Verify that the enrolled authenticator is working.
1. Click Email OTP > Test.
2. Specify the OTP and click Next.
Authenticator enrollment is successful when you receive a confirmation
message.
Users can enroll multiple authenticators using the preceding procedure.
1.4. Migrating from plug-in-based to OAuth-based integration
1. Log in to the OpenText Advanced Authentication administration portal as an
administrator.
2. Configure an OAuth 2.0 event.
1. Click Events > Add.
2. Specify a name for the event.
3. Select OAuth2 in Event type.
4. Select the required chains.
Note
You need Client ID and Client secret while configuring the
OpenText Advanced Authentication server in OpenText Access
Manager. You cannot view the Client secret later, therefore you
must make a note of this value.
5. Specify https://<identity server-url>:<port>/nidp/oauth/nam/callback in Redirect URIs.
For example, if the Identity Server URL is
[Link] , where [Link] is
the domain name and 8443 is the port, specify
[Link] .
3. Log in to OpenText Access Manager Administration Console and perform the
following steps:
1. On the Home page, click Identity Servers > IDP Global Settings >
Advanced Authentication.
2. Select Integrate using OAuth under OAuth Event Configuration.
3. Specify the following details:
Event Name: Specify an event name. This event name must be identical to the event name specified in the OpenText Advanced Authentication administration portal.
Client ID: Specify the client ID that was generated while creating the OAuth 2.0 event in the OpenText Advanced Authentication administration portal.
Client Secret: Specify the client secret that was generated while creating the OAuth 2.0 event in the OpenText Advanced Authentication administration portal.
4. Click Apply.
4. Verify the integration. See Verifying the OAuth-based integration.
For more info, visit [Link]