Multi-factor authentication rollout in advanced planning module

We successfully deployed MFA enforcement across our FactoryTalk MES advanced planning module (FT 12.0) with Azure AD integration. Project took 6 weeks covering MFA enforcement policies, IdP integration setup, and audit compliance requirements.

Our implementation focused on three critical areas: enforcing MFA for all planning users without disrupting production workflows, seamless Azure AD SAML integration with existing user base, and meeting SOC2 audit requirements for access logging.

Key challenge was balancing security with usability - planning users needed quick access during shift changes while maintaining strict authentication. We implemented conditional access policies, configured session timeouts appropriately, and established comprehensive audit trails.

Happy to share our approach, configuration examples, and lessons learned for others planning similar rollouts.

How did you handle the audit compliance piece? We’re facing similar SOC2 requirements and need to demonstrate MFA enforcement with proper logging. What specific events did you capture for audit trails?
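The post above asks which events demonstrate MFA enforcement for an auditor. As an added example (not code from anyone in this thread), the snippet below turns Azure AD sign-in records into an enforcement summary for one application: it counts successful MFA sign-ins, counts attempts that failed at the MFA step, and, most importantly for an auditor, lists every successful single-factor sign-in, since one of those is a gap in policy scope. The records are constructed; the field names are assumed to follow the Microsoft Graph signIn resource (authenticationRequirement, conditionalAccessStatus, status.errorCode), and the application name is a placeholder.

```python
# Constructed Azure AD sign-in records for this example. Field names follow the
# Microsoft Graph signIn resource (assumption); users, times and app name are made up.
SIGN_IN_LOG = [
    {"createdDateTime": "2024-01-01T05:58:00Z", "userPrincipalName": "planner@example.com",
     "appDisplayName": "FactoryTalk MES", "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-01-01T06:02:00Z", "userPrincipalName": "supervisor@example.com",
     "appDisplayName": "FactoryTalk MES", "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    # Successful single-factor sign-in with conditional access 'notApplied':
    # this user is outside the policy's scope and is exactly what an auditor will ask about.
    {"createdDateTime": "2024-01-01T06:10:00Z", "userPrincipalName": "contractor@example.com",
     "appDisplayName": "FactoryTalk MES", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    # Attempt that failed at the MFA step (non-zero error code): evidence that
    # the challenge is actually presented and enforced.
    {"createdDateTime": "2024-01-01T06:12:00Z", "userPrincipalName": "planner@example.com",
     "appDisplayName": "FactoryTalk MES", "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 50074}},
    # A different application: out of scope for this evidence package.
    {"createdDateTime": "2024-01-01T06:15:00Z", "userPrincipalName": "planner@example.com",
     "appDisplayName": "Outlook", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
]


def mfa_evidence(records, app_name):
    """Summarise MFA enforcement for one application from sign-in records.

    Returns a dict with counts plus the list of successful single-factor
    sign-ins; 'enforced' is True only when that list is empty.
    """
    summary = {
        "app": app_name,
        "successful": 0,            # sign-ins that completed (errorCode == 0)
        "mfa": 0,                   # of those, how many satisfied MFA
        "failed_mfa_challenges": 0, # attempts that did not complete the MFA step
        "single_factor_successes": [],
        "users_without_mfa": [],
    }
    single_factor_users = set()
    for r in records:
        if r.get("appDisplayName") != app_name:
            continue
        user = r["userPrincipalName"]
        completed = r["status"]["errorCode"] == 0
        required_mfa = r["authenticationRequirement"] == "multiFactorAuthentication"
        if not completed:
            if required_mfa:
                summary["failed_mfa_challenges"] += 1
            continue
        summary["successful"] += 1
        if required_mfa:
            summary["mfa"] += 1
        else:
            summary["single_factor_successes"].append(
                (r["createdDateTime"], user, r["conditionalAccessStatus"]))
            single_factor_users.add(user)
    summary["users_without_mfa"] = sorted(single_factor_users)
    summary["enforced"] = not summary["single_factor_successes"]
    return summary


if __name__ == "__main__":
    for line in sorted(mfa_evidence(SIGN_IN_LOG, "FactoryTalk MES").items()):
        print(line)
```

The point of keeping the single-factor successes as a list rather than a count is that each entry names a user and the conditional access outcome, which is what tells you whether the gap is an excluded group, an untargeted app registration or a legacy authentication path.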

Session management was definitely tricky. We configured SAML token lifetime to 8 hours matching our shift patterns, with idle timeout at 60 minutes. The key was synchronizing MES session handling with Azure AD refresh tokens.

For Okta you’ll want to configure the SAML assertion consumer service URL properly and map user attributes correctly. We had initial issues with group memberships not syncing until we adjusted the attribute mappings.
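The group-membership problem described above is usually an attribute-name mismatch: the IdP sends groups under one name and the service provider maps a different one, so the user authenticates with no permissions. As an added example (not the poster's configuration), the code below parses a constructed SAML assertion, checks that its Recipient matches the ACS URL and its Audience matches the SP, enforces the validity window, and maps attributes to MES fields through an explicit table that accepts both a plain Okta-style "groups" name and the Azure AD claim URI. It raises when no recognised group attribute is present so the misconfiguration is visible at login rather than as a silent permission problem. The assertion, URLs, group names and role table are all made up; the XML signature must already have been verified (for example with python3-saml) before any of this runs.

```python
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production
from datetime import datetime, timezone
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# IdP attribute name -> MES field. Both the plain Okta-style name and the Azure AD
# claim URI map to "groups" so a renamed attribute cannot silently drop membership.
ATTRIBUTE_MAP = {  # hypothetical mapping for this example
    "email": "email",
    "groups": "groups",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": "groups",
}
MES_ROLE_BY_GROUP = {"MES-Planners": "planner", "MES-Supervisors": "supervisor"}  # hypothetical

# Constructed values standing in for the SP configuration and the clock.
ACS_URL = "https://mes.example.com/saml/acs"
AUDIENCE = "https://mes.example.com"
NOW = datetime(2024, 1, 1, 6, 1, tzinfo=timezone.utc)
NOW_LATE = datetime(2024, 1, 1, 6, 10, tzinfo=timezone.utc)  # after the assertion expires

# Constructed assertion (signature omitted; assume it was verified already).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-01-01T06:00:00Z">
  <saml:Issuer>http://www.okta.com/exkexample</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">planner@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T06:05:00Z" Recipient="https://mes.example.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T05:59:00Z" NotOnOrAfter="2024-01-01T06:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://mes.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T06:00:00Z" SessionNotOnOrAfter="2024-01-01T14:00:00Z" SessionIndex="_s1"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>planner@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>MES-Planners</saml:AttributeValue>
      <saml:AttributeValue>MES-Supervisors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion as Azure AD would label the group claim, and as a misnamed attribute.
AZURE_STYLE_ASSERTION = SAMPLE_ASSERTION.replace(
    'Name="groups"', 'Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"')
MISNAMED_GROUPS_ASSERTION = SAMPLE_ASSERTION.replace('Name="groups"', 'Name="memberOf"')


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_and_map(assertion_xml: str, acs_url: str, audience: str, now: datetime) -> dict:
    """Check the assertion is addressed to us and still valid, then map attributes."""
    root = ET.fromstring(assertion_xml)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise ValueError("assertion Recipient does not match our ACS URL")
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if audience not in audiences:
        raise ValueError("assertion Audience does not include this SP")
    cond = root.find("saml:Conditions", SAML_NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")

    mapped = {"subject": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        field = ATTRIBUTE_MAP.get(attr.get("Name"))
        if field is None:
            continue  # unmapped attributes are ignored, never trusted by accident
        values = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        mapped[field] = values if field == "groups" else values[0]
    if "groups" not in mapped:
        # The symptom from the thread: no recognised group attribute arrived.
        raise ValueError("no group attribute in assertion; check IdP attribute mapping")
    mapped["roles"] = [MES_ROLE_BY_GROUP[g] for g in mapped["groups"] if g in MES_ROLE_BY_GROUP]
    authn = root.find("saml:AuthnStatement", SAML_NS)
    mapped["session_not_on_or_after"] = _ts(authn.get("SessionNotOnOrAfter"))
    return mapped


def rejection_reason(assertion_xml: str, acs_url: str, audience: str, now: datetime) -> Optional[str]:
    """None if the assertion is accepted, otherwise the validation error text."""
    try:
        validate_and_map(assertion_xml, acs_url, audience, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(validate_and_map(SAMPLE_ASSERTION, ACS_URL, AUDIENCE, NOW))
    print(rejection_reason(MISNAMED_GROUPS_ASSERTION, ACS_URL, AUDIENCE, NOW))
```

SessionNotOnOrAfter is carried through deliberately: it is the IdP's own session bound, and the MES session should never outlive it regardless of the local lifetime setting.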

Also implement proper session validation on the MES side - check token expiry before critical operations in advanced planning workflows. We added middleware that validates tokens every 15 minutes to catch expired sessions gracefully.
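The two replies above describe an 8-hour session matching a shift, a 60-minute idle timeout, and middleware that revalidates token expiry every 15 minutes before critical operations. As an added example (not the poster's middleware), the code below models that policy on the MES side: the absolute lifetime is the smaller of the local 8-hour window and the IdP's SessionNotOnOrAfter, idle time is checked on every request, and the expiry verdict is cached for up to 15 minutes for ordinary requests but forced fresh for critical operations. The scenario function replays one constructed shift and shows the one case the cadence leaves open: a non-critical request a few minutes past expiry is still served from the cached verdict, while a critical operation at the same instant is refused. Class and function names are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy values quoted in the thread: one shift, 60-minute idle, 15-minute revalidation.
ABSOLUTE_LIFETIME = timedelta(hours=8)
IDLE_TIMEOUT = timedelta(minutes=60)
REVALIDATE_EVERY = timedelta(minutes=15)


@dataclass
class MesSession:
    """Hypothetical MES-side session record."""
    user: str
    issued_at: datetime                 # IssueInstant of the SAML assertion
    session_not_on_or_after: datetime   # SessionNotOnOrAfter from the IdP's AuthnStatement
    last_activity: datetime
    last_validated: datetime
    cached_valid: bool = True

    def hard_expiry(self) -> datetime:
        # Never outlive the IdP session, even if the local 8-hour window would allow it.
        return min(self.issued_at + ABSOLUTE_LIFETIME, self.session_not_on_or_after)


def new_session(user: str, issued_at: datetime, session_not_on_or_after: datetime) -> MesSession:
    return MesSession(user, issued_at, session_not_on_or_after, issued_at, issued_at)


def validate_token(s: MesSession, now: datetime, force: bool = False) -> bool:
    """Refresh the cached expiry verdict.

    Ordinary requests re-check at most every REVALIDATE_EVERY; critical planning
    operations pass force=True so they never act on a verdict up to 15 minutes old.
    """
    if force or now - s.last_validated >= REVALIDATE_EVERY:
        s.cached_valid = now < s.hard_expiry()
        s.last_validated = now
    return s.cached_valid


def authorize(s: MesSession, now: datetime, critical: bool = False):
    """Gate one request. Returns (allowed, reason) so the caller can redirect the
    user to re-authenticate instead of failing mid-operation."""
    if now - s.last_activity >= IDLE_TIMEOUT:
        return False, "idle_timeout"
    if not validate_token(s, now, force=critical):
        return False, "token_expired"
    s.last_activity = now  # activity extends the idle window only, never the lifetime
    return True, "ok"


def shift_scenario():
    """Replay one constructed shift and return the authorization decisions in order."""
    start = datetime(2024, 1, 1, 6, 0, tzinfo=timezone.utc)  # constructed shift start
    s = new_session("planner@example.com", start, start + timedelta(hours=8))
    decisions = [
        authorize(s, start + timedelta(minutes=30)),            # fresh session
        authorize(s, start + timedelta(hours=1, minutes=29)),   # 59 minutes idle: still ok
        authorize(s, start + timedelta(hours=2, minutes=30)),   # 61 minutes idle: timed out
    ]
    # A second session validated at 7h50, then used one minute past the 8-hour lifetime.
    late = new_session("planner@example.com", start, start + timedelta(hours=8))
    late.last_activity = late.last_validated = start + timedelta(hours=7, minutes=50)
    t = start + timedelta(hours=8, minutes=1)
    decisions.append(authorize(late, t))                  # cached verdict: still allowed
    decisions.append(authorize(late, t, critical=True))   # forced check: expired
    decisions.append(authorize(late, t))                  # cache now reflects expiry
    return decisions


if __name__ == "__main__":
    for d in shift_scenario():
        print(d)
```

If the 15-minute window of stale allowance is unacceptable for a particular screen, the fix is to mark that route critical rather than to shorten the cadence globally; the thread's point about not disrupting shift changes argues for keeping ordinary reads cheap.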

What was user adoption like? We’re worried about resistance from shop floor supervisors who need quick access during production issues. How did you handle the training and change management aspect of the MFA rollout?

This is exactly what we need to implement. What was your biggest challenge during the IdP integration phase? We’re using Okta as our identity provider and concerned about user session management between MES and the IdP.