Does OpenAM provide the full TOTP UI flow automatically when using SAML + Google Authenticator?

[EkaLinMan]

Hi, I am evaluating the integration of OpenAM with Google Authenticator by following this guide:

https://www.openidentityplatform.org/blog/2025-09-12-using-google-authenticator-with-openam

The article explains how to configure the Authenticator (OATH) module and add it to an authentication chain.

I would like to confirm the expected behavior when OpenAM is used as a SAML IdP for an external application.

Assume the application is a SAML Service Provider, and OpenAM is configured as the SAML Identity Provider. Also assume that the OpenAM authentication chain used for login contains username/password authentication followed by the Authenticator (OATH) TOTP module.

In this case, should the user experience be fully handled by OpenAM as follows?

1. The user accesses a SAML SP application.
2. The application redirects the user to OpenAM through the SAML login flow.
3. OpenAM displays the username/password login page.
4. After successful username/password authentication, OpenAM automatically displays the TOTP verification code page.
5. The user enters the one-time password from Google Authenticator.
6. After successful verification, OpenAM sends the SAMLResponse back to the application.
7. The user is redirected back to the application.

Is it correct that the application does not need to implement the QR code registration page, the verification code page, or the TOTP validation logic itself, and ONLY needs to implement the normal SAML SP mechanism?

Any clarification would be greatly appreciated. Thank you!

[maximthomas]

Hi @EkaLinMan,
OpenAM handles complete authentication functionality such as username/password authentication, QR registration and code verification etc, you only need to implement SAML SP mechanism.