
Subject: Discussion of use cases and implementation experience integrating with Workday


Re: [InC-Workday] Question about 2FA and Workday


  • From: Gary Chapman <>
  • Subject: Re: [InC-Workday] Question about 2FA and Workday
  • Date: Wed, 25 Nov 2015 20:11:47 -0500

Please see the linked write-up re potential SAML/MFA support for Workday.  At NYU, our HR
folks propose to take this to the higher education Workday constituent group for discussion/
endorsement and (presumably) present to Workday so as to lead to a definitive resolution 
of the question of Workday's willingness to implement a SAML-based approach.  
I imagine Workday "Brainstorm" endorsements would be called for in due course.


This write-up was largely authored at NYU's request by Scott Koranda with some additions by me.

Comments and suggestions would be much appreciated.

- Gary Chapman, NYU


On Thu, Nov 19, 2015 at 7:46 PM, Gary Chapman <> wrote:
We at NYU had a phone call with Workday on Tuesday.  They described to us what Workday has
decided to this point:

(1) to not support Duo directly
(2) to not support a SAML-oriented solution

but in a future release (fall 2016-ish) support this:

(a) - for designated functions, Workday would send an SMS text message to the end user;
        the user would type the received code into Workday in order to proceed. 
or
(b) - for designated functions, users would be prompted for a "time-sensitive" one-time
        passcode, which Workday folks claimed could be generated by the Duo mobile app,
        or by Google Authenticator or by other tools. 

We will be conferring in-house next week to decide on next steps, but I'm recommending here
that we (NYU) present Workday with a clear, basic spec of the sort of thing we think is possible
via SAML -- I'd like a clear, unequivocal "no" from Workday, or an answer indicating their
willingness to work with us and the higher-ed community on a SAML solution.

- Gary Chapman, NYU IT


On Thu, Nov 19, 2015 at 6:34 PM, Belcher, C W <> wrote:
Hi all,

Workday has updated the step-up authentication brainstorm with their proposal: https://community.workday.com/idea/90665 (see Archana's comment posted 11/18/2015). Note that they are proposing that two-factor authentication happen via Workday's "OTP framework, or eventually via a TOTP app of your choice..." and not via SAML.  Please review the proposal and provide feedback on the brainstorm asap.  We are pushing for SAML support for two-factor authentication, but unless they hear from more universities about the need to support it, it's unlikely to be prioritized.

Thanks, CW





On 11/16/15, 3:28 PM, Steven Carmody wrote:

>There are some notes from long ago discussions with WD found here:
>
>https://docs.google.com/document/d/1c8GbnISNO1VEKb0cEpkeq5qbHMZWrs55x4VMFvmVuJI/edit#
>
>Those notes mention:
>
>> Access Restrictions feature (in product as of W21 -
>> https://community.workday.com/doc/itadmin/ala1377540590379), it's
>> configurable by security group and network location (e.g. source IP)
>> and applies to all Workday applications (not just Financials or HR).
>> In other words, you could configure your tenant to grant specific
>> groups of users a different set of access depending on what network
>> they are signing in from.
>
>the GUI for Access Restrictions may already provide the "administrative
>interface" mentioned in your #1 below.
>
>I think we'll get further if we can build on their existing functionality.
>
>On 11/15/15 10:04 AM, Gary Chapman wrote:
>> It appears that HR at NYU is about to have some direct conversations with
>> Workday on the subject of "step-up" authentication, which I'll be
>> involved in.
>>
>> I'd like to go in with a slightly more detailed "spec" of what's
>> sought.  Do folks
>> have suggestions regarding this rough draft?
>>
>> =============================================================
>> High-Level Spec for Workday Support of Step-Up Authentication via SAML
>>
>> Step-up authentication is defined as an authentication process for end-users
>> subsequent to primary username/password authentication, e.g. a 2nd-factor
>> authentication step.
>>
>> For customers using SAML-based web SSO,  Workday would provide these
>> capabilities:
>>
>> (1) An administrative interface for designating specific
>> pages/functions, user
>> roles, or users as requiring step-up authentication.
>>
>> (2) Workday would invoke a SAML authentication flow upon user access to
>> one of the designated pages (or upon login by a designated user) asking the
>> user's SAML IdP to perform the additional authentication step.  A successful
>> secondary authentication would permit the desired access within Workday;
>> a failed secondary authentication would yield an error message.
>>
>> (3) The SAML mechanism to be used involves Workday sending an
>> AuthnRequest with the username (Subject) of the user and a defined
>> RequestedAuthnContext telling the IdP to perform the secondary
>> authentication.
>> =============================================================
>>
>>
>>
>> On Thu, Nov 12, 2015 at 10:28 AM, Belcher, C W wrote:
>>
>>     Hi folks,
>>
>>     FYI UT Austin had a discussion with Workday yesterday about possible
>>     enhancements to authentication policies to allow specific tasks to
>>     be identified as “sensitive” that would require two-factor
>>     authentication. This would allow the enforcement of “step-up”
>>     authentication when specific tasks are being performed.
>>
>>     My question for the group is: If you were to use this functionality,
>>     how would you prefer the two-factor authentication be accomplished?
>>
>>       * Use OTP functionality in Workday (delivered via SMS or email, or
>>         perhaps using a TOTP app/token)
>>       * Use SAML (using a different authentication context from your
>>         SAML-based first-factor authentication) to perform the 2FA at
>>         your IdP
>>       * Use another process?
>>
>>     Thanks, CW
>>
>>     *——*
>>
>>     *
>>     *
>>
>>     *C.W. BELCHER*, Associate Director ____
>>
>>     Identity & Access Management  |  Information Technology Services ____
>>
>>     The University of Texas at Austin| 512-232-6519 <tel:512-232-6519>
>>     |  FAC 326R
>>
>>
>
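The SAML exchange sketched in item (3) of the quoted spec, as an added example that is not part of the thread: the SP (Workday's role) builds an AuthnRequest naming the user and demanding an exact authn context, then checks that the assertion it gets back actually carries that context for that user, rather than a first-factor-only assertion. The authn context class URIs are the standard SAML 2.0 classes for password-over-TLS and a time-synchronised token; the entity IDs, user ID, timestamps and sample assertions are constructed here, and `ForceAuthn="true"` is added beyond what the spec text says.

```python
# Added example (not from the thread): the SAML step-up exchange sketched in the
# spec above, as an SP would build it and then check the IdP's answer.
# Authn context class URIs come from the SAML 2.0 Authentication Context spec;
# issuer, IDs, timestamps and the sample assertion are constructed for this example.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
FIRST_FACTOR = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
STEP_UP = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"  # TOTP-style second factor


def build_step_up_authn_request(username, required_class, sp_entity_id, request_id, issue_instant):
    """Build the AuthnRequest from item (3) of the spec: it names the already
    authenticated user (Subject) and demands an exact authn context, so the IdP
    must run the second factor rather than reuse the first-factor session."""
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "ForceAuthn": "true",  # do not satisfy this from an existing SSO session
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    subject = ET.SubElement(req, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subject, f"{{{NS['saml']}}}NameID").text = username
    rac = ET.SubElement(req, f"{{{NS['samlp']}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = required_class
    return ET.tostring(req, encoding="unicode")


def assertion_satisfies_step_up(assertion_xml, username, required_class):
    """SP-side check of the returned assertion. Two failure modes matter: the
    IdP ignored RequestedAuthnContext and asserted only the first factor, or
    the assertion is for a different user than the one stepping up. Signature
    validation is assumed to have been done already by the SAML library."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    return name_id == username and ctx == required_class


# Constructed sample: an assertion in which the IdP only did the password step.
FIRST_FACTOR_ONLY_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0"
  IssueInstant="2015-11-25T20:11:47Z"><saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject><saml:NameID>gc123</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2015-11-25T20:11:40Z"><saml:AuthnContext>
  <saml:AuthnContextClassRef>{FIRST_FACTOR}</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"""
# Same assertion, but with the IdP having performed the requested second factor.
STEP_UP_ASSERTION = FIRST_FACTOR_ONLY_ASSERTION.replace(FIRST_FACTOR, STEP_UP)
```

The check is what distinguishes a real step-up from an IdP that silently downgrades: an assertion that carries only the first-factor context is rejected even though it is otherwise valid for the same user.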