
workday - Re: [InC-Workday] Question about 2FA and Workday

Subject: Discussion of use cases and implementation experience integrating with Workday

  • From: Gary Chapman <>
  • To:
  • Subject: Re: [InC-Workday] Question about 2FA and Workday
  • Date: Sun, 15 Nov 2015 10:04:16 -0500

It appears that HR at NYU is about to have some direct conversations with
Workday on the subject of "step-up" authentication, which I'll be involved in.

I'd like to go in with a slightly more detailed "spec" of what's sought.  Do folks
have suggestions regarding this rough draft?

=============================================================
High-Level Spec for Workday Support of Step-Up Authentication via SAML

Step-up authentication is defined as an authentication process for end-users
subsequent to primary username/password authentication, e.g. a 2nd-factor
authentication step.

For customers using SAML-based web SSO, Workday would provide these
capabilities:

(1) An administrative interface for designating specific pages/functions, user 
roles, or users as requiring step-up authentication.

(2) Workday would invoke a SAML authentication flow upon user access to
one of the designated pages (or upon login by a designated user) asking the
user's SAML IdP to perform the additional authentication step.  A successful
secondary authentication would permit the desired access within Workday;
a failed secondary authentication would yield an error message.

(3) The SAML mechanism to be used involves Workday sending an
AuthnRequest with the username (Subject) of the user and a defined 
RequestedAuthnContext telling the IdP to perform the secondary authentication.
=============================================================



On Thu, Nov 12, 2015 at 10:28 AM, Belcher, C W <> wrote:
Hi folks, 

FYI UT Austin had a discussion with Workday yesterday about possible enhancements to authentication policies to allow specific tasks to be identified as “sensitive” that would require two-factor authentication. This would allow the enforcement of “step-up” authentication when specific tasks are being performed. 

My question for the group is: If you were to use this functionality, how would you prefer the two-factor authentication be accomplished? 
  • Use OTP functionality in Workday (delivered via SMS or email, or perhaps using a TOTP app/token)
  • Use SAML (using a different authentication context from your SAML-based first-factor authentication) to perform the 2FA at your IdP
  • Use another process? 
Thanks, CW

——


C.W. BELCHER, Associate Director 

Identity & Access Management  |  Information Technology Services 

The University of Texas at Austin  512-232-6519  |  FAC 326R
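
Item (3) of the draft spec above, sketched as an added example (not part of either message, and not Workday's or any IdP's own code): the SP builds an AuthnRequest carrying the Subject and a RequestedAuthnContext, then confirms that the returned assertion actually reports the requested context. The context class URI `MFA_REF`, the entity IDs and URLs, and the sample assertion are constructed assumptions; signature and validity-window checks are assumed to happen before `stepup_satisfied` runs.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD_REF = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Assumption: placeholder URI the SP and IdP agree means "second factor performed".
MFA_REF = "https://idp.example.edu/ac/classes/mfa"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_stepup_request(username, sp_entity_id, acs_url, idp_sso_url):
    """Return (request_id, xml): AuthnRequest naming the user and the required context."""
    request_id = "_" + uuid.uuid4().hex
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "Destination": idp_sso_url,
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    subject = ET.SubElement(req, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = username
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = MFA_REF
    return request_id, ET.tostring(req, encoding="unicode")

def stepup_satisfied(assertion_xml, request_id, username):
    """SP-side check. Assumes the assertion's signature and validity window were
    already verified and the XML came through a hardened parser."""
    a, s = ET.fromstring(assertion_xml), f"{{{SAML}}}"
    name_id = a.findtext(f"{s}Subject/{s}NameID")
    scd = a.find(f"{s}Subject/{s}SubjectConfirmation/{s}SubjectConfirmationData")
    ref = a.findtext(f"{s}AuthnStatement/{s}AuthnContext/{s}AuthnContextClassRef")
    return (name_id == username and scd is not None
            and scd.get("InResponseTo") == request_id and ref == MFA_REF)

def sample_assertion(request_id, username, class_ref):
    """Constructed, unsigned assertion for the demonstration only."""
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0">'
            f'<saml:Subject><saml:NameID>{username}</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData InResponseTo="{request_id}"/>'
            f'</saml:SubjectConfirmation></saml:Subject><saml:AuthnStatement>'
            f'<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}'
            f'</saml:AuthnContextClassRef></saml:AuthnContext>'
            f'</saml:AuthnStatement></saml:Assertion>')

if __name__ == "__main__":
    rid, xml = build_stepup_request("jdoe", "https://sp.example.com",
                                    "https://sp.example.com/acs", "https://idp.example.edu/sso")
    print(xml, stepup_satisfied(sample_assertion(rid, "jdoe", PASSWORD_REF), rid, "jdoe"))
```

Without the check on the returned AuthnContextClassRef, an IdP that ignores or cannot honor RequestedAuthnContext would let a password-only login pass the step-up gate.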




