cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Multiple Authentications before login

Highlighted
Newbie

Multiple Authentications before login

Hello,

We want to have a second level authentication (RSA) for a group of users.

Once, the user inserts username, password, they get authenticated against LDAP.

Now, at this point, we will check LDAP groups of the user.

If user belongs to certain groups, we will ask to insert RSA credentials to the user.

After this second authentication, Windchill will get launched.

If the user is not in those particular LDAP groups, Windchill will get launched without RSA authentication.

The help we need is, how can we plug all these new mechanism?

I have created a servlet which accepts username as input and does remaining things.

But, where can we put it in the configuration? (in between OOTB login and launch).

Thank you.

2 REPLIES 2

Re: Multiple Authentications before login

Interesting, I was about to start a discussion on this. We are on a similar path with our Windchill system and have a prototype working in our development environment.

First of all, customizing Windchill to achieve is a costly affair to design,develop and maintain. You can do only so much with basic authentication and to have better flexibility you will have to switch to a form based authentication. I am not sure how many of these authentication servlets are supported for customization. Needless to say, you are on your own for any upgrades or updates.

  1. Best option is to use an SSO/ADC solution to manage the application delivery and authentication. Netscaler has something called nFactor authentication which does exactly what you said. It extracts the group information from a directory service to determine the authentication policy. I have some notes on how to set this up which I can share if you are interested.  The downside of this is that you need to procure a SSO solution, most of the companies own some sort of SSO solution, look to see whether you can leverage this if you have one. By installing an agent on the Webserver you can control the authentication,
  2. Alternate option is to use Apache with radius server and a 2F authentication provider - RSA or WIKID or Google Authenticator, if you can configure a reverse proxy dedicated for this  group of  users, you can turn on authentication specific header variable from the reverse proxy. Radius server can be configured to read the header variable, and turn 2 factor authentication on or off.  Need a WiKID Secure Windchill System?‌ - LiveWorx16 this is a very good presentation on this by Shawn from Boston Engineering

Re: Multiple Authentications before login

Hi

Has anyone done successful 2 factor / dual  Authentication with Windchill 10 or Windchill 11?

thanks