Educause Security Discussion mailing list archives
Re: 2fa for PeopleSoft
From: "Wiltzius, Robert L" <Robert.Wiltzius () GOTOLTC EDU>
Date: Fri, 2 Jun 2017 18:30:33 +0000
Greg,

GreyHeller has an ERP Firewall<http://www.greyheller.com/products/erp-firewall/>, which installs on the PeopleSoft web server and can force 2FA on pretty much whatever you want within PeopleSoft. In order for 2FA to work properly though, you'll need to also couple the ERP Firewall with a 2FA delivery service, like Duo.com<http://duo.com>, which can increase the overall cost of the service. GreyHeller's option will work pretty much right out of the box, but it comes at a cost. The GreyHeller ERP Firewall is also modular, which means you can include the ability to apply rules based on their geographic area. The Duo option offers the flexibility to choose which 2FA delivery option you would like to make available (phone call, text, soft token, etc).

Another option that will require a little bit more time to set up, but will ultimately save you a ton (from a licensing and maintenance support perspective) in the end is to leverage a PeopleSoft 2FA project that was created by Colton, which was published on his site, PeopleSoftMods.com. A link to his project can be found here<http://www.peoplesoftmods.com/2fa/two-factor-authentication-in-peoplesoft-part-1/>. This is the option that we've gone down. We are already successfully testing it in development and working on some enhancements. This option leverages Google Authenticator and we can even assign this as a role and apply the role to certain users. Depending on the user and the purpose behind it, some users are in AD and some are locally authenticated. This solution works with both. We even have been able to white-list certain IP addresses so users are only prompted for 2FA when they are coming in or performing a certain action from an un-trusted network.

One thing to make note of is the Google Authenticator option requires the user to have a smart phone.
<http://www.duo.com>

Thank you and have a great day,

Robert Wiltzius
WILM Network/Security Administrator
Lakeshore Technical College
1290 North Avenue
Cleveland, WI 53015
(920) 693-1755
Would you like to know more?<http://www.google.com/>

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Greg Jackson <gjackson () SDCCD EDU>
Sent: Friday, June 2, 2017 11:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] 2fa for PeopleSoft

(Resending, since first try apparently bounced.)

I knew this at one time, but knowledge is fleeting (at least at my age) and often obsolete. So I’d appreciate help from anyone with current wisdom.

Here’s the question: What are the options to enable 2fa for PeopleSoft applications on a user-by-user basis (that is, some users are forced to use 2fa, for others it’s offered optionally, and neither of the above for the rest)?

For example, I’m wondering about native PS functionality, native functionality in the authenticating AD, third-party products associated with PS, ditto with AD. And, if you have used one or more of these options, recommendations as to which works best?

Many thanks in advance for any public or private guidance you can provide!

Greg Jackson
sdccd.edu ● gjackson.us ● 1-619-388-6868 ● gjackson () sdccd edu