
workday - Re: [InC-Workday] Question about 2FA and Workday

Subject: Discussion of use cases and implementation experience integrating with Workday


Re: [InC-Workday] Question about 2FA and Workday


  • From: Tom Scavo <>
  • To: Gary Chapman <>
  • Cc:
  • Subject: Re: [InC-Workday] Question about 2FA and Workday
  • Date: Sun, 15 Nov 2015 12:18:59 -0500

On Sun, Nov 15, 2015 at 10:04 AM, Gary Chapman <> wrote:
>
> =============================================================
> High-Level Spec for Workday Support of Step-Up Authentication via SAML
>
> Step-up authentication is defined as an authentication process for end-users
> subsequent to primary username/password authentication, e.g. a 2nd-factor
> authentication step.
>
> For customers using SAML-based web SSO, Workday would provide these
> capabilities:
>
> (1) An administrative interface for designating specific pages/functions,
> user roles, or users as requiring step-up authentication.
>
> (2) Workday would invoke a SAML authentication flow upon user access to
> one of the designated pages (or upon login by a designated user) asking the
> user's SAML IdP to perform the additional authentication step. A successful
> secondary authentication would permit the desired access within Workday;

I think you need to break out the two use cases:

1) An unauthenticated user logging into the app
2) An authenticated user accessing an app resource that requires
further authorization

The former may be thought of as a special case of the latter. The
following workflow works in all cases:

1) SP issues ordinary AuthnRequest (no RequestedAuthnContext)
2) IdP authenticates the user with or without 2FA
3) IdP asserts 2FA AuthnContext iff user is authenticated with 2FA
4) SP processes response and creates a session
5) If the user is a privileged user, the SP issues a second
AuthnRequest with the designated RequestedAuthnContext

Later in the session, if the user attempts to perform a privileged
operation, the SP issues a second AuthnRequest with the designated
RequestedAuthnContext (or some other RequestedAuthnContext as
specified)

> a failed secondary authentication would yield an error message.

If the SP issues an AuthnRequest with a RequestedAuthnContext URI, the
IdP MUST assert that AuthnContext or return an error.

> (3) The SAML mechanism to be used involves Workday sending an
> AuthnRequest with the username (Subject) of the user and a defined
> RequestedAuthnContext telling the IdP to perform the secondary
> authentication.

One or more pre-defined RequestedAuthnContext URIs are definitely
needed, yes, but not all IdPs will need a Subject in the AuthnRequest.
It depends on how authentication is done at the IdP. If the IdP can
determine the principal from the SSO session, a Subject is not needed.
That is not always possible, however, given the wide range of primary
authentication methods at the IdP.

Tom
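The workflow laid out above (an ordinary AuthnRequest at login, the session recording whatever AuthnContext the IdP asserts, then a second AuthnRequest carrying the designated RequestedAuthnContext only for privileged users or operations, accepted solely when the IdP asserts that exact context or otherwise treated as an error) as an added, runnable SP-side sketch. This is example code written for this page, not Workday's or any IdP's implementation. The designated 2FA context URI (the REFEDS MFA profile), the entity ID and endpoint URLs, the optional Subject handling, and the IdP responses fed to it are all assumptions or constructed inputs; signature validation, replay checks and the HTTP bindings are out of scope.

```python
"""SP-side step-up authentication via SAML RequestedAuthnContext (added example,
not code from the original message). Stdlib only; XML-signature and replay
checks that a real SP must perform are deliberately omitted."""
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Assumed designated 2FA context: the REFEDS MFA profile URI. The message names
# no specific URI; any value pre-agreed between the SP and its IdPs works alike.
MFA_CONTEXT = "https://refeds.org/profile/mfa"

# Hypothetical SP/IdP identifiers and endpoints for the example.
SP_ENTITY_ID = "https://workday.example.edu/sp"
ACS_URL = "https://workday.example.edu/saml/acs"
IDP_SSO_URL = "https://idp.example.edu/sso"


def build_authn_request(requested_context=None, subject=None):
    """Serialize an AuthnRequest. requested_context adds RequestedAuthnContext
    (Comparison="exact"); subject adds saml:Subject/NameID, which is only needed
    when the IdP cannot identify the principal from its own SSO session."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    if subject:  # schema order: Issuer, Subject, ..., RequestedAuthnContext
        subj = ET.SubElement(req, f"{{{SAML}}}Subject")
        ET.SubElement(subj, f"{{{SAML}}}NameID", {
            "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}).text = subject
    if requested_context:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = requested_context
    return ET.tostring(req, encoding="unicode")


def parse_response(xml_text):
    """Return (status codes outermost-first, asserted AuthnContextClassRef or None)."""
    root = ET.fromstring(xml_text)
    codes = [e.get("Value") for e in root.iter(f"{{{SAMLP}}}StatusCode")]
    ref = root.find(f"{{{SAML}}}Assertion/{{{SAML}}}AuthnStatement/"
                    f"{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef")
    return codes, (ref.text.strip() if ref is not None and ref.text else None)


class Session:
    """SP session: the principal plus the AuthnContext the IdP asserted most recently."""
    def __init__(self, principal, context):
        self.principal = principal
        self.context = context


def on_login_response(xml_text, principal):
    """Steps 3-4: create the session with whatever context the IdP chose to assert."""
    codes, ctx = parse_response(xml_text)
    if codes[:1] != [STATUS_SUCCESS]:
        raise PermissionError("login failed: " + " / ".join(codes))
    return Session(principal, ctx)


def step_up_request(session, requires_2fa):
    """Step 5 or a later privileged operation: None if access may proceed now,
    otherwise the second AuthnRequest naming the designated context."""
    if not requires_2fa or session.context == MFA_CONTEXT:
        return None
    return build_authn_request(requested_context=MFA_CONTEXT)


def on_step_up_response(session, xml_text):
    """Accept only an exact match of the requested context. The IdP must assert
    it or return an error (e.g. Responder/NoAuthnContext); a Success carrying a
    weaker context is rejected rather than silently downgraded."""
    codes, ctx = parse_response(xml_text)
    if codes[:1] != [STATUS_SUCCESS] or ctx != MFA_CONTEXT:
        return False
    session.context = ctx
    return True


def constructed_response(codes, context=None):
    """Constructed, unsigned Response standing in for an IdP's output (demo only)."""
    status = ("".join(f'<samlp:StatusCode Value="{c}">' for c in codes)
              + "</samlp:StatusCode>" * len(codes))
    assertion = (f"<saml:Assertion><saml:AuthnStatement><saml:AuthnContext>"
                 f"<saml:AuthnContextClassRef>{context}</saml:AuthnContextClassRef>"
                 f"</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>") if context else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">'
            f"<samlp:Status>{status}</samlp:Status>{assertion}</samlp:Response>")


if __name__ == "__main__":
    s = on_login_response(constructed_response([STATUS_SUCCESS], PASSWORD_CONTEXT), "alice")
    print("step-up needed:", step_up_request(s, True) is not None)
    print("IdP declined:", on_step_up_response(
        s, constructed_response([STATUS_RESPONDER, STATUS_NO_AUTHN_CONTEXT])))
    print("IdP asserted 2FA:", on_step_up_response(s, constructed_response([STATUS_SUCCESS], MFA_CONTEXT)))
    print("step-up still needed:", step_up_request(s, True) is not None)
```

The session keeps only the most recently asserted context, so a user who logged in with password alone is stepped up once and then passes later privileged checks without another round trip; a declined step-up leaves the session's context unchanged, which is what makes the retry safe.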



