UseCase8_TOTP_WebIntegration - sandersdHES/PAMEmergingTech GitHub Wiki

6.8 Enabling TOTP-Based Two-Factor Authentication in PAM360

Objective

This use case demonstrates how to configure and test Time-based One-Time Password (TOTP) authentication in PAM360, using Google Authenticator. You’ll integrate a demo web app hosted on Azure and connect it with PAM360 for credential and TOTP management.

Context

Multi-factor authentication (MFA) adds a critical layer of security to sensitive accounts. In PAM360, TOTP-based 2FA enhances login protection by requiring a rotating time-based code—generated by apps like Google Authenticator.

In this example, we will:

  • Deploy a Flask-based login demo with TOTP on Azure
  • Secure its credentials using PAM360
  • Use PAM360 to store and autofill login credentials + TOTP
  • Validate the setup through real interaction

Prerequisites

  • Admin access to PAM360
  • A GitHub account
  • An Azure account (free tier available)
  • Google Authenticator or compatible app on your phone

Step 1: Deploy the Flask TOTP Demo App on Azure

We have already created a small Flask app for you: a basic login page (username and password) that also requires a TOTP code as a second factor before the login succeeds.

pam360_totp_demo-master.zip

  • Download the TOTP demo app
  • Extract the code and push it to your own GitHub repository
  • On the Azure Portal:
    • Create a Web App
    • Use the Free (F1) pricing tier
    • Select Python as the runtime (latest version recommended)
    • In the Deployment Center of the Web App:
      • Connect it to your GitHub repository
      • Deploy from the branch your code is hosted on


Ensure the application deploys correctly and that the login page loads at the Web App URL.

If there are deployment issues, troubleshoot via the Deployment Center logs and the App Service log stream in the Azure Portal.

Step 2: Add the Web App to PAM360 as a Resource

  1. Log in to PAM360 with an admin account
  2. Go to Resources > Add Resource
    • DNS/IP Address: Use the Azure Web App Domain
    • Resource Type: Web Site Accounts
    • Resource URL: Use the Azure Web App URL
    • Session Recording: Enable both options


Step 3: Add the Demo Account

  1. Add an account to the resource using the credentials hard-coded in the Flask app:

    • Username: admin
    • Password: pass123
    • TOTP Secret Key: JBSWY3DPEHPK3PXP

    These are fixed demo values published with the app, so anyone with this page knows them. Use them only for this test and never reuse them for a real account.
  2. When entering the TOTP Secret, keep the default encryption settings

    ⚠️ Note: Once saved, the TOTP Secret cannot be retrieved from PAM360; only the generated codes are shown. If you later need to enrol another authenticator for the same account, you must have kept the secret elsewhere.


Step 4: Install and Configure the PAM360 Browser Extension

We will also install the PAM360 browser extension so that you can open website resources from PAM360, record the browser session, and have the login form filled in automatically.

  1. Open Edge > Extensions

  2. Enable "Allow extensions from other stores"

  3. Install the ManageEngine PAM360 Extension

  4. Click on the extension icon and configure:

    • Server: http://localhost
    • Port: 8282

    localhost only works when the browser runs on the PAM360 server itself; otherwise enter the PAM360 server's hostname. 8282 is PAM360's default port; adjust it if your installation uses a different one.

Step 5: Access the Web App via PAM360

The extension lists the PAM360 resources that the logged-in user is permitted to access.

  1. In the extension, select your Web App resource

  2. Choose HTTPS Gateway Connection


  • The extension will autofill the username, password, and TOTP
  • The login form is submitted, and the session is recorded

💡 If autofill fails, you can manually access the Account Details in PAM360 to retrieve the password and TOTP code.


Step 6: Verify Successful Login

After correct autofill, the demo app authenticates and shows a successful login message. This shows that:

  • PAM360 stored the TOTP secret and generates valid time-based codes from it (the demo app accepting the code confirms that the stored secret and PAM360's clock match the enrolment)
  • Login automation with the PAM360 browser extension (username, password and TOTP) works as expected
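
To make "valid time-based code" concrete, the following is an added example, not code from the demo app or from PAM360: an RFC 4226/6238 implementation using only the Python standard library, plus the server-side checks a login form should apply (a one-step window for clock drift, a constant-time comparison, and rejection of a replayed code). The verifier class is an assumption about good practice; how the demo Flask app actually checks codes is not shown on this page. The demo secret from Step 3 is included so you can compare the output against what Google Authenticator displays; the RFC 6238 Appendix B test secret is included because its expected codes are published.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library only.

Added example for this use case; not code from the PAM360 demo app
or from PAM360 itself. Secrets are base32 strings as entered in Step 3.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Demo secret from Step 3 of this page (a fixed, published demo value).
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890") in base32.
RFC6238_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode the secret the way authenticator apps do: case-insensitive,
    spaces ignored, missing '=' padding tolerated."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = decode_base32_secret(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step).
    The defaults (SHA1, 30 s, 6 digits) are what Google Authenticator uses."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret_b32, int(for_time // step), digits)


class TOTPVerifier:
    """Server-side check a login form should perform (assumed good practice,
    not a description of how the demo app does it)."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret_b32 = secret_b32
        self.step = step
        self.digits = digits
        self.window = window          # accept +/- this many steps of clock drift
        self._last_counter = -1       # highest counter already accepted; blocks replay

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        if now is None:
            now = time.time()
        # Reject anything that is not exactly `digits` ASCII digits before comparing.
        if not (len(code) == self.digits and code.isascii() and code.isdigit()):
            return False
        counter = int(now // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self._last_counter:
                continue              # already consumed, or older than one accepted: replay
            expected = hotp(self.secret_b32, c, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self._last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Compare this with what Google Authenticator shows for the Step 3 demo secret.
    print("current code for the demo secret:", totp(DEMO_SECRET_B32))
```

Run it while the authenticator app is open: the printed code for JBSWY3DPEHPK3PXP should match the app's display for the same 30-second window, which is also the code PAM360 autofills. Note that the verifier's replay protection remembers only the highest accepted counter; per-user state like this must live server-side, since a code that was accepted once must never be accepted again.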


Conclusion

This use case demonstrates how PAM360 can be used to manage 2FA credentials and TOTP secrets for web applications:

  • TOTP integration adds stronger authentication
  • PAM360 stores secrets securely and autofills login forms via browser extension
  • Passwords and TOTP codes are centrally controlled, encrypted, and auditable

With this setup, PAM360 can manage secure access even for applications requiring two-factor authentication, combining usability with compliance.
