workday - Re: [InC-Workday] Question about 2FA and Workday
Subject: Discussion of use cases and implementation experience integrating with Workday
- From: Linda Pruss
- Subject: Re: [InC-Workday] Question about 2FA and Workday
- Date: Mon, 16 Nov 2015 21:45:47 +0000
Madison College has used the location-based restrictions successfully to
limit off-campus users to self-service functionality. Privileged use must
be from an on-campus IP address, either locally or remotely via our 2-factor
VDI. Not the step-up authentication being talked about, but worth taking
a look at in the meantime.
Linda
Linda Pruss
Chief Information Security Officer
Technology Services
Madison College | 1701 Wright Street | Madison, WI 53704
+1 (608) 246-6199
On 11/16/15, 3:28 PM, Steven Carmody wrote:
>There are some notes from long ago discussions with WD found here:
>
>https://docs.google.com/document/d/1c8GbnISNO1VEKb0cEpkeq5qbHMZWrs55x4VMFvmVuJI/edit#
>
>Those notes mention:
>
>> Access Restrictions feature (in product as of W21 -
>> https://community.workday.com/doc/itadmin/ala1377540590379), it's
>> configurable by security group and network location (e.g. source IP)
>> and applies to all Workday applications (not just Financials or HR).
>> In other words, you could configure your tenant to grant specific
>> groups of users a different set of access depending on what network
>> they are signing in from.
>
>The GUI for Access Restrictions may already provide the "administrative
>interface" mentioned in your #1 below.
>
>I think we'll get further if we can build on their existing functionality.
>
>On 11/15/15 10:04 AM, Gary Chapman wrote:
>> It appears that HR at NYU is about to have some direct conversations with
>> Workday on the subject of "step-up" authentication, which I'll be
>> involved in.
>>
>> I'd like to go in with a slightly more detailed "spec" of what's
>> sought. Do folks have suggestions regarding this rough draft?
>>
>> =============================================================
>> High-Level Spec for Workday Support of Step-Up Authentication via SAML
>>
>> Step-up authentication is defined as an authentication process for
>> end-users subsequent to primary username/password authentication, e.g. a
>> 2nd-factor authentication step.
>>
>> For customers using SAML-based web SSO, Workday would provide these
>> capabilities:
>>
>> (1) An administrative interface for designating specific
>> pages/functions, user roles, or users as requiring step-up authentication.
>>
>> (2) Workday would invoke a SAML authentication flow upon user access to
>> one of the designated pages (or upon login by a designated user) asking the
>> user's SAML IdP to perform the additional authentication step. A successful
>> secondary authentication would permit the desired access within Workday;
>> a failed secondary authentication would yield an error message.
>>
>> (3) The SAML mechanism to be used involves Workday sending an
>> AuthnRequest with the username (Subject) of the user and a defined
>> RequestedAuthnContext telling the IdP to perform the secondary
>> authentication.
>> =============================================================
>>
>>
>>
>> On Thu, Nov 12, 2015 at 10:28 AM, Belcher, C W wrote:
>>
>> Hi folks,
>>
>> FYI UT Austin had a discussion with Workday yesterday about possible
>> enhancements to authentication policies to allow specific tasks to
>> be identified as "sensitive" that would require two-factor
>> authentication. This would allow the enforcement of "step-up"
>> authentication when specific tasks are being performed.
>>
>> My question for the group is: If you were to use this functionality,
>> how would you prefer the two-factor authentication be accomplished?
>>
>> * Use OTP functionality in Workday (delivered via SMS or email, or
>> perhaps using a TOTP app/token)
>> * Use SAML (using a different authentication context from your
>> SAML-based first-factor authentication) to perform the 2FA at
>> your IdP
>> * Use another process?
>>
>> Thanks, CW
>>
>> C.W. BELCHER, Associate Director
>> Identity & Access Management | Information Technology Services
>> The University of Texas at Austin | 512-232-6519 | FAC 326R
>>
>>
>
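The exchange described in items (2) and (3) of the draft spec quoted above, as an added Python example that is not part of any message in this thread and is not Workday's code. The context class URI, entity ID and endpoint are hypothetical placeholders, and signature and validity-window checks are assumed to be done by the SAML library before the step-up check runs.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hypothetical values: the thread names no context class URI, entity ID or endpoint.
STEP_UP_CLASS = "urn:example:ac:classes:second-factor"
SP_ENTITY_ID = "https://sp.example.edu/saml"
IDP_SSO_URL = "https://idp.example.edu/sso"


def build_step_up_request(username):
    """Item (3): AuthnRequest naming the user and the context the IdP must satisfy."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    subject = ET.SubElement(req, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = username
    # Comparison="exact": a password-only context must not satisfy the request.
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = STEP_UP_CLASS
    return ET.tostring(req, encoding="unicode")


def step_up_satisfied(assertion_xml, username, request_id):
    """Item (2): grant access only if the assertion is for the same user, answers
    our request, and asserts the requested class. Signature and validity-window
    checks are assumed done by the SAML library before this is called."""
    a = ET.fromstring(assertion_xml)  # real IdP output needs a hardened XML parser
    subj = f"{{{SAML}}}Subject/"
    name_id = a.findtext(subj + f"{{{SAML}}}NameID")
    scd = a.find(subj + f"{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    class_ref = a.findtext(
        f"{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef")
    in_response_to = scd.get("InResponseTo") if scd is not None else None
    return (name_id == username and in_response_to == request_id
            and class_ref == STEP_UP_CLASS)
```

Checking the returned AuthnContextClassRef on the service-provider side matters because an IdP that ignores RequestedAuthnContext would otherwise turn the step-up into a plain re-login.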