Discussion of use cases and implementation experience integrating with Workday

["Belcher, C W" <>]

Hi all, 

There was a design partner conference call with Workday on 6/11/15. Archana Ramamoorthy from Workday led the discussion. The group’s topic is authentication in general, not MFA specifically. There are several universities (as well as other companies) I saw on the invite list to the design group: Cornell, Penn State, and UT Austin. 

Some notes: 

Most of the discussion on the call was about Workday authentication policies. There was a discussion about MFA options, but nothing beyond what we already know is available: Workday can provide OTP but only if you are not using SAML. 

Max Miller from Penn State pointed out that the “authentication” policies in Workday actually interact with authorization since the policies can include restrictions on allowed networks and allowed authentication types based on the security roles of the user. It’s a muddling of the line between authN and authZ. More info on authentication policies is here: https://community.workday.com/doc/sec/dan1370797845092_sh-15_sh-15. 

The brainstorm for adding step-up MFA authentication can be found here: https://community.workday.com/idea/90665. UT Austin’s use cases are documented in the comments. Please take a look at it and add your comments and vote-up. 

I would be interested in hearing from folks about how they are, in practice, accomplishing MFA authentication when using SAML with Workday. In UT Austin’s case we are going to need a workaround option to fall back on if we can’t get movement on enhancements on the Workday side. 

FYI I’ve asked Justin Czimskey from my team to help facilitate the discussions on this list and to provide liaison between this group and the Workday design partner group as needed. 

Thanks, CW

From: Steven Carmody
Date: Wednesday, July 15, 2015 at 10:55 AM
To: ""
Cc: "", CW Belcher
Subject: Re: [InC-Workday] Status of authN discussions with Workday ... ?

Sorry -- I should have been clearer.

I was hoping that C W could share an update on the discussions in the other 2FA group...... And, as you say, how they align with the needs Of higher Ed.

Sent from my iPad

On Jul 15, 2015, at 5:16 AM, Renee Shuey <> wrote:

Nothing yet and what concerns me a bit is that WorkDay has its own 2FA group that has nothing to do with InCommon and that group is active.  Hoping there is some alignment in these two efforts/solutions. 

Renee

Sent from my iPad

On Jul 14, 2015, at 7:13 PM, Nathan A. Dors <> wrote:

Hi Steven,

No discussion yet about authentication, nor other topics.

Let's see if CW is ready to kick off that discussion. We gave folks until June 5th to subscribe to the list.

-Nathan

On Tue, Jul 14, 2015 at 3:57 PM, Steven Carmody <> wrote:

Hi,

Jut curious -- has there been any progress in these discussions ? Anything to report back ?

Thanks!

Sent from my iPad