We just tested using DUO for multi-factor authentication. Our DUO administrator set up DUO as a RADIUS server. We just had to go into ssoconfig and change the SSOP service. The only thing we had to change is the answer to "Enter the LDAP provider url to access" to be the DUO server. So instead of the request going to our domain controller for a normal bind to Active Directory, it goes to DUO, which then sends the request to the mobile device, and once you accept it, your login to portal will continue. We tried it as a proof of concept and it worked fine. Of course this means that anyone that logs in to Lawson would need to do this, I believe. If anyone knows of a way that you could have your internal site not use multi-factor authentication, and an external one use it, please let me know!
We did this same concept with Kronos, which was a better experience, because we could implement it on a server-by-server basis, so we only put it in place for our internet-facing servers. Hope that helps. Feel free to email me if you have further questions on this... lisa.hodges@rivhs.com
Sure... after getting into ssoconfig, I chose option 5 (Manage Lawson Services), then option 2 to change an existing service, then entered SSOP for the service to be modified. Ssoconfig will tell you what the existing values are for SSOP, so just pick all the same values. For us it was option 1, Form, then for the next 4 I just hit enter to have no value where it is asking about a comma-separated list. Then just keep whatever value you have for HTTPS/HTTP, then 1 for LDAP bind (assuming you are using this), then on the next one "the LDAP provider url" is where you put your DUO IP, so something like ldap://123.456.123.456:389. I hit enter through the rest of them, or entered the same values that were there. Our DUO admin said we didn't actually need the root DN of the user tree or the LDAP naming attribute, but I left it in there. He set up DUO to do all that, as far as the search and the root DN, and the LDAP attribute to use.
I know sometimes numbered options in ssoconfig can change based on your release, so keep that in mind, in case yours don't exactly match mine. But once you get into the SSOP service, most should be similar. And really I only changed that one setting and kept the others as they were. Hope that helps!