Implementing 2-Factor authentication with Windchill

evacca
6-Contributor

I got this request from a partner who asks if there is anyone in PTC or the Partner community who implemented a 2-step verification of Windchill authentication. The process is something like:

  1. The user submits his credentials
  2. The system sends an SMS with an OTP or asks to enter one generated by a mobile app
  3. The system asks to enter the OTP before letting the user access the system

I don't think we support anything OOTB, but maybe someone integrated a third-party solution working with Windchill or our SSO architecture supporting this process.
avillanueva
22-Sapphire I
(To:evacca)

We implemented two-factor with a product called WiKID. Not a big fan of it but it works. Token is provided by a passcode generator registered to a user and PC pair. We are looking at a replacement with Duo. My experience with Duo is that it supports RSA token and mobile phone, text or email verification.

We recently changed to DUO for 2FA. The first check is Active Directory. The LDAP proxy then checks the DUO credentials and, if not provided, does a push to mobile device or office phone. Works well. We will be testing form-based authentication as an alternate if there are improvements in that manner.

Hi,

Can you please share some details around your implementation. We are planning to do the same.

Chris3
20-Turquoise
(To:Manav_Pampher)

FYI we are now moving away from Duo. The problem with Duo is that it is not application independent. If you launch Creo and type in a token number and then launch a browser and type in a different token number your Creo session becomes de-authenticated.

Also, browsers may cache token values longer than your Duo expiration, which leads to the browser trying a cached but expired token and either locking the user out or not notifying the user that something has gone wrong. These problems only occur if you have key fobs that give you the token numbers.

avillanueva
22-Sapphire I
(To:Chris3)

We solved that problem at the webserver level but agree that it can be a pain for the user to understand. With a push notification, the user just needs their AD creds, which the browser caches. You can set that cache limit to something like 12 hours. That works well on a day's-work basis. For users with tokens, since they are providing the token as part of their login, the webserver caches that too. They need to use that SAME DUO PIN for the 12-hour period. Once all the browsers (Chrome, Creo Parametric, Creo View) are in sync, there is no more of the issue you described. Unfortunately, it has users writing down their PIN daily, and so long as they use that same one if they close and reconnect, it's all good.

Look into DUO's LDAP proxy, but the configuration is very similar to configuring Apache to authenticate to an LDAP server. You need to set that up first before you go further.
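The Apache-in-front-of-Windchill arrangement and the 12-hour credential cache described in the replies above, as an added configuration example that is not from the thread, PTC or Duo. It assumes Duo's Authentication Proxy exposing an LDAP listener that checks AD first and then the Duo factor; the hostnames, DNs, bind account, path and cache lifetime are placeholders.

```apache
# Added illustration, not from the thread: Apache fronting Windchill with
# HTTP Basic auth against a Duo Authentication Proxy LDAP listener
# (assumed deployment). All names, ports, DNs and timeouts are placeholders.
LoadModule ldap_module           modules/mod_ldap.so
LoadModule authnz_ldap_module    modules/mod_authnz_ldap.so
LoadModule authn_socache_module  modules/mod_authn_socache.so
LoadModule socache_shmcb_module  modules/mod_socache_shmcb.so

# Cache successful credential checks so the user's password+passcode pair is
# verified against the proxy once per cache lifetime. This is what lets the
# same Duo passcode be reused across Chrome, Creo Parametric and Creo View
# for the period instead of each client consuming a fresh token.
# Caveat: the cached passcode is effectively replayable for that window,
# so keep the lifetime as short as the users' workflow tolerates.
AuthnCacheSOCache shmcb
AuthnCacheTimeout 43200

<Location /Windchill>
    AuthType Basic
    AuthName "Windchill"
    # Consult the cache first, then the LDAP provider on a miss.
    AuthBasicProvider socache ldap
    AuthnCacheProvideFor ldap
    # Point at the Duo proxy's LDAP listener, NOT directly at AD. The proxy
    # validates the AD password, then the second factor (an appended
    # passcode, or a push to the enrolled device when none is supplied).
    AuthLDAPURL "ldaps://duo-proxy.example.local:636/DC=example,DC=local?sAMAccountName?sub?(objectClass=user)"
    # Service account used only for the user-DN lookup; the user's own
    # bind (password + factor) is what actually authenticates.
    AuthLDAPBindDN "CN=svc-windchill-bind,OU=Service Accounts,DC=example,DC=local"
    AuthLDAPBindPassword "${LDAP_BIND_PASSWORD}"
    Require valid-user
</Location>
```

Confirm the proxy exempts the lookup service account from the second factor, otherwise every user-DN search will trigger a push to nobody.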

We already have our AD configured with Windchill. Just planning to implement 2FA for more security.

Thank you for sharing all that information.

I do not have much understanding of these concepts. I understand windchill though.

Can you share a diagram of the setup for 2-factor authentication with Windchill that can serve as a starting point for me, and the steps/things to be done to achieve this.

Hi,

I have recently set up DUO, and in its protect-application setup it lists ADFS, PingFederate and Shibboleth. Did you use one of these three to implement 2-factor authentication for Windchill?

imendiola
12-Amethyst
(To:evacca)

Hi evacca,

Please take a look at the following link: https://prambanan-it.com/en/products/windchill-2-factor-authentication/

Regards

Iker Mendiola - Prambanan IT Services
http://www.prambanan-it.com