I got this request from a partner who asks whether there is anyone in PTC or the partner community who has implemented a two-step verification of Windchill authentication. The process is something like:
We implemented two-factor with a product called WikiD. Not a big fan of it, but it works. The token is provided by a passcode generator registered to a user and PC pair. We are looking at a replacement with Duo. My experience with Duo is that it supports RSA tokens and mobile phone, text or email verification.
We recently changed to DUO for 2FA. The first check is Active Directory. The LDAP proxy then checks the DUO credentials and, if not provided, does a push to a mobile device or office phone. Works well. We will be testing form-based authentication as an alternative if there are improvements in that area.
FYI, we are now moving away from Duo. The problem with Duo is that it is not application independent. If you launch Creo and type in a token number, and then launch a browser and type in a different token number, your Creo session becomes de-authenticated.
Also, browsers may cache token values longer than your Duo expiration, which leads to the browser trying a cached but expired token and either locking the user out or not notifying the user that something has gone wrong. These problems only arise if you have key fobs that give you the token numbers.
We solved that problem at the web server level, but we agree that it can be a pain for the user to understand. With a push notification, the user just needs their AD creds, which the browser caches. You can set that cache limit to something like 12 hours. That works well on a day's-work basis. For users with tokens, since they are providing the token as part of their login, the web server caches that too. They need to use that SAME DUO PIN for the 12-hour period. Once all the browsers (Chrome, Creo Parametric, Creo View) are in sync, there is no more of the issue you described. Unfortunately, it has users writing down their PIN daily, and so long as they use that same one if they close and reconnect, it's all good.
Look into DUO's LDAP proxy, but the configuration is very similar to configuring Apache to authenticate to an LDAP server. You need to set that up first before you go further.
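The Apache-side half of the setup the reply above describes, as an added example that is not part of the original thread and not any poster's configuration. It is an httpd 2.4 fragment using mod_authnz_ldap plus mod_authn_socache for the credential cache the reply mentions. Everything specific in it is an assumption: the host name duoproxy.example.com (where a Duo Authentication Proxy is assumed to expose an LDAP listener on port 389 that forwards primary authentication to AD and then performs the Duo second factor), the base DN DC=example,DC=com, the service account CN=svc-windchill, the /Windchill mount point, and the 12-hour (43200 s) cache lifetime.

```apache
# Added example (not from the thread): Apache httpd 2.4 authenticating Windchill
# requests against an LDAP endpoint, with a server-side credential cache.
# Assumption: duoproxy.example.com runs the Duo Authentication Proxy and listens
# on 389 as an LDAP server that checks AD first and then the Duo second factor.
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

# Shared-memory cache of successful logins so each client (browser, Creo,
# Creo View) sends the same credentials and only the first hit reaches Duo.
AuthnCacheSOCache shmcb

<Location "/Windchill">
    AuthType Basic
    AuthName "Windchill"
    # Consult the cache first, then fall through to LDAP on a miss.
    AuthBasicProvider socache ldap
    AuthnCacheProvideFor ldap
    # 12 hours, the lifetime mentioned in the thread (assumed value, in seconds).
    AuthnCacheTimeout 43200
    AuthnCacheContext windchill

    # Point at the Duo proxy listener instead of the domain controller directly
    # (assumed host, base DN and filter).
    AuthLDAPURL "ldap://duoproxy.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    # Assumed service account used for the directory search before the user bind.
    AuthLDAPBindDN "CN=svc-windchill,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE_ME"
    Require valid-user
</Location>
```

Two points to keep in mind when adapting this. First, the cache is keyed on the exact credential string the client sends, so a user whose second factor is a passcode (key fob or app code) has to present the same password-plus-passcode string from every client for the whole cache window, which is the behaviour the reply describes; push-based users only ever send their AD password, so the problem does not arise for them. Second, a cached Basic credential is accepted for the full AuthnCacheTimeout without touching AD or Duo again, so a shorter lifetime trades user convenience for a smaller window in which a captured credential keeps working; start the proxy with plain Apache-to-AD LDAP authentication working before switching AuthLDAPURL to the Duo proxy, as the reply advises.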
Thank you for sharing all that information.
I do not have much understanding of these concepts. I understand Windchill, though.
Can you share a diagram of the setup for two-factor authentication with Windchill that can serve as a starting point for me, and the steps/things to be done to achieve this?
I have recently set up DUO, and in its protect application setup it lists ADFS, PingFederate and Shibboleth. Did you use one of these three to implement two-factor authentication for Windchill?
Please take a look at the following link: https://prambanan-it.com/en/products/windchill-2-factor-authentication/
Iker Mendiola - Prambanan IT Services