Discussion of use cases and implementation experience integrating with Workday

[Steven Carmody <>]

There are some notes from long ago discussions with WD found here:

https://docs.google.com/document/d/1c8GbnISNO1VEKb0cEpkeq5qbHMZWrs55x4VMFvmVuJI/edit#

Those notes mention:

> Access Restrictions feature (in product as of W21 -
> https://community.workday.com/doc/itadmin/ala1377540590379), it's
> configurable by security group and network location (e.g. source IP)
> and applies to all Workday applications (not just Financials or HR).
> In other words, you could configure your tenant to grant specific
> groups of users a different set of access depending on what network
> they are signing in from.

the GUI for Access Restrictions may already provide the "administrative 
interface" mentioned in your #1 below.

I think we'll get further if we can build on their existing functionality.

On 11/15/15 10:04 AM, Gary Chapman wrote:
> It appears that HR at NYU is about to have some direct conversations with
> Workday on the subject of "step-up" authentication, which I'll be
> involved in.
>
> I'd like to go in with a slightly more detailed "spec" of what's
> sought.  Do folks
> have suggestions regarding this rough draft?
>
> =============================================================
> High-Level Spec for Workday Support of Step-Up Authentication via SAML
>
> Step-up authentication is defined as an authentication process for end-users
> subsequent to primary username/password authentication, e.g. a 2nd-factor
> authentication step.
>
> For customers using SAML-based web SSO,  Workday would provide these
> capabilities:
>
> (1) An administrative interface for designating specific
> pages/functions, user
> roles, or users as requiring step-up authentication.
>
> (2) Workday would invoke a SAML authentication flow upon user access to
> one of the designated pages (or upon login by a designated user) asking the
> user's SAML IdP to perform the additional authentication step.  A successful
> secondary authentication would permit the desired access within Workday;
> a failed secondary authentication would yield an error message.
>
> (3) The SAML mechanism to be used involves Workday sending an
> AuthnRequest with the username (Subject) of the user and a defined
> RequestedAuthnContext telling the IdP to perform the secondary
> authentication.
> =============================================================
>
>
>
> On Thu, Nov 12, 2015 at 10:28 AM, Belcher, C W
> <
>  
> <mailto:>>
>  wrote:
>
>     Hi folks,
>
>     FYI UT Austin had a discussion with Workday yesterday about possible
>     enhancements to authentication policies to allow specific tasks to
>     be identified as “sensitive” that would require two-factor
>     authentication. This would allow the enforcement of “step-up”
>     authentication when specific tasks are being performed.
>
>     My question for the group is: If you were to use this functionality,
>     how would you prefer the two-factor authentication be accomplished?
>
>       * Use OTP functionality in Workday (delivered via SMS or email, or
>         perhaps using a TOTP app/token)
>       * Use SAML (using a different authentication context from your
>         SAML-based first-factor authentication) to perform the 2FA at
>         your IdP
>       * Use another process?
>
>     Thanks, CW
>
>     *——*
>
>     *
>     *
>
>     *C.W. BELCHER*, Associate Director ____
>
>     Identity & Access Management  |  Information Technology Services ____
>
>     The University of Texas at Austin| 512-232-6519 <tel:512-232-6519>
>     |  FAC 326R