workday - Re: [InC-Workday] Question about 2FA and Workday
Subject: Discussion of use cases and implementation experience integrating with Workday
- From: Tom Scavo <>
- To: Gary Chapman <>
- Cc:
- Subject: Re: [InC-Workday] Question about 2FA and Workday
- Date: Sun, 15 Nov 2015 12:18:59 -0500
On Sun, Nov 15, 2015 at 10:04 AM, Gary Chapman <> wrote:
>
> =============================================================
> High-Level Spec for Workday Support of Step-Up Authentication via SAML
>
> Step-up authentication is defined as an authentication process for end-users
> subsequent to primary username/password authentication, e.g. a 2nd-factor
> authentication step.
>
> For customers using SAML-based web SSO, Workday would provide these
> capabilities:
>
> (1) An administrative interface for designating specific pages/functions,
> user roles, or users as requiring step-up authentication.
>
> (2) Workday would invoke a SAML authentication flow upon user access to
> one of the designated pages (or upon login by a designated user) asking the
> user's SAML IdP to perform the additional authentication step. A successful
> secondary authentication would permit the desired access within Workday;
I think you need to break out the two use cases:
1) An unauthenticated user logging into the app
2) An authenticated user accessing an app resource that requires
further authorization
The former may be thought of as a special case of the latter. The
following workflow works in all cases:
1) SP issues ordinary AuthnRequest (no RequestedAuthnContext)
2) IdP authenticates the user with or without 2FA
3) IdP asserts 2FA AuthnContext iff user is authenticated with 2FA
4) SP processes response and creates a session
5) If the user is a privileged user, the SP issues a second
AuthnRequest with the designated RequestedAuthnContext
Later in the session, if the user attempts to perform a privileged
operation, the SP issues a second AuthnRequest with the designated
RequestedAuthnContext (or some other RequestedAuthnContext as
specified)
> a failed secondary authentication would yield an error message.
If the SP issues an AuthnRequest with a RequestedAuthnContext URI, the
IdP MUST assert that AuthnContext or return an error.
> (3) The SAML mechanism to be used involves Workday sending an
> AuthnRequest with the username (Subject) of the user and a defined
> RequestedAuthnContext telling the IdP to perform the secondary
> authentication.
One or more pre-defined RequestedAuthnContext URIs are definitely
needed, yes, but not all IdPs will need a Subject in the AuthnRequest.
It depends on how authentication is done at the IdP. If the IdP can
determine the principal from the SSO session, a Subject is not needed.
That is not always possible, however, given the wide range of primary
authentication methods at the IdP.
Tom
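The SP-side half of the workflow Tom lays out (decide whether a second AuthnRequest is needed, build it with a RequestedAuthnContext, then accept the response only if the IdP asserted exactly that context or treat it as an error) as an added, runnable example. This is not code from the thread, from Workday, or from any IdP product; the MFA context URI, the privileged-user set, the designated page, the entity IDs and the sample Response messages are all constructed for illustration.

```python
# Added example: SP-side step-up logic for the SAML workflow described in the
# thread. Policy values, URIs and sample messages are constructed, not real.
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Standard password-over-TLS context; the MFA context URI is a hypothetical
# pre-defined value that SP and IdP would have to agree on.
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA_CTX = "https://idp.example.org/ac/classes/mfa"

# Hypothetical step-up policy: privileged users and designated pages need MFA.
PRIVILEGED_USERS = {"alice"}
STEP_UP_PAGES = {"/payroll/direct-deposit": MFA_CTX}


def required_context(session_ctx, user=None, page=None):
    """Return the URI to put in a second AuthnRequest, or None if no step-up.

    session_ctx is the AuthnContextClassRef the IdP asserted when the session
    was created (step 3 of the workflow); if it already satisfies the policy
    there is nothing to do.
    """
    required = STEP_UP_PAGES.get(page)
    if required is None and user in PRIVILEGED_USERS:
        required = MFA_CTX
    if required is None or session_ctx == required:
        return None
    return required


def build_authn_request(sp_entity_id, acs_url, requested_ctx=None, subject=None):
    """Serialize an AuthnRequest; RequestedAuthnContext only for step-up."""
    samlp, saml = "{%s}" % NS["samlp"], "{%s}" % NS["saml"]
    req = ET.Element(samlp + "AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, saml + "Issuer").text = sp_entity_id
    if subject is not None:  # only needed by IdPs that cannot recover the principal
        subj = ET.SubElement(req, saml + "Subject")
        ET.SubElement(subj, saml + "NameID").text = subject
    if requested_ctx is not None:
        rac = ET.SubElement(req, samlp + "RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, saml + "AuthnContextClassRef").text = requested_ctx
    return ET.tostring(req, encoding="unicode")


def check_step_up_response(response_xml, requested_ctx):
    """Accept only if the IdP asserted exactly requested_ctx; else (False, why).

    Signature, Conditions and InResponseTo validation are deliberately omitted
    here; a real SP must perform them before trusting anything in the message.
    """
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        sub = code.find("samlp:StatusCode", NS) if code is not None else None
        return False, (sub.get("Value") if sub is not None else "no status")
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    asserted = ref.text.strip() if ref is not None and ref.text else None
    if asserted != requested_ctx:
        return False, "asserted %s, requested %s" % (asserted, requested_ctx)
    return True, asserted


def _response(status, sub_status=None, ctx=None):
    """Constructed minimal (unsigned) Response used for the samples below."""
    inner = '<samlp:StatusCode Value="%s"/>' % sub_status if sub_status else ""
    assertion = ""
    if ctx:
        assertion = ('<saml:Assertion><saml:AuthnStatement><saml:AuthnContext>'
                     '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>'
                     '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>' % ctx)
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s"><samlp:Status>'
            '<samlp:StatusCode Value="%s">%s</samlp:StatusCode></samlp:Status>%s'
            '</samlp:Response>' % (NS["samlp"], NS["saml"], status, inner, assertion))


MFA_RESPONSE = _response(SUCCESS, ctx=MFA_CTX)
PASSWORD_ONLY_RESPONSE = _response(SUCCESS, ctx=PASSWORD_CTX)
NO_CONTEXT_RESPONSE = _response("urn:oasis:names:tc:SAML:2.0:status:Responder",
                                "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext")

if __name__ == "__main__":
    ctx = required_context(PASSWORD_CTX, user="alice")
    print(build_authn_request("https://sp.example.edu/sp", "https://sp.example.edu/acs", ctx))
    for r in (MFA_RESPONSE, PASSWORD_ONLY_RESPONSE, NO_CONTEXT_RESPONSE):
        print(check_step_up_response(r, MFA_CTX))
```

The point of `check_step_up_response` is the MUST in the thread: with `Comparison="exact"`, a success response that carries only the password context is rejected just like an explicit `NoAuthnContext` status, so a privileged operation never proceeds on a weaker assertion than the one requested.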