
workday - Re: [InC-Workday] Question about 2FA and Workday

Subject: Discussion of use cases and implementation experience integrating with Workday


Re: [InC-Workday] Question about 2FA and Workday


  • From: "Belcher, C W" <>
  • Subject: Re: [InC-Workday] Question about 2FA and Workday
  • Date: Tue, 15 Dec 2015 19:57:52 +0000

Gary, 

I think the write-up is great. Have you had any more discussions with Workday? Have you shared the writeup with them yet? I would like to know how many universities would be willing to sign on to the writeup as a shared position statement. The more voices we can coalesce around a coherent “ask” of Workday the better off we’ll be, in my opinion. 

FYI we have some folks from UT Austin meeting with Workday later this week and they are going to bring up SAML/MFA support as a major gap that needs to be addressed for our go-live. 

Thanks, CW

From: Gary Chapman <>
Reply-To: Gary Chapman <>
Date: Wednesday, November 25, 2015 at 7:11 PM
To: "" <>
Subject: Re: [InC-Workday] Question about 2FA and Workday

Please see the linked write-up re potential SAML/MFA support for Workday.  At NYU, our HR
folks propose to take this to the higher education Workday constituent group for discussion/
endorsement and (presumably) present to Workday so as to lead to a definitive resolution 
of the question of Workday's willingness to implement a SAML-based approach.  
I imagine Workday "Brainstorm" endorsements would be called for in due course.


This write-up was largely authored at NYU's request by Scott Koranda with some additions by me. 

Comments and suggestions would be much appreciated.

- Gary Chapman, NYU


On Thu, Nov 19, 2015 at 7:46 PM, Gary Chapman <> wrote:
We at NYU had a phone call with Workday on Tuesday.  They described to us what Workday has
decided to this point:

(1) to not support Duo directly
(2) to not support a SAML-oriented solution

but in a future release (fall 2016-ish) support this:

(a) - for designated functions, Workday would send an SMS text message to the end user;
        the user would type the received code into Workday in order to proceed. 
or
(b) - for designated functions, users would be prompted for a "time-sensitive" one-time
        passcode, which Workday folks claimed could be generated by the Duo mobile app,
        or by Google Authenticator or by other tools. 

We will be conferring in-house next week to decide on next steps, but I'm recommending here
that we (NYU) present Workday with a clear, basic spec of the sort of thing we think is possible
via SAML -- I'd like a clear, unequivocal "no" from Workday, or an answer indicating their
willingness to work with us and the higher-ed community on a SAML solution.

- Gary Chapman, NYU IT


On Thu, Nov 19, 2015 at 6:34 PM, Belcher, C W <> wrote:
Hi all,

Workday has updated the step-up authentication brainstorm with their proposal: https://community.workday.com/idea/90665 (see Archana’s comment posted 11/18/2015). Note that they are proposing that two-factor authentication happen via Workday’s "OTP framework, or eventually via a TOTP app of your choice..." and not via SAML.  Please review the proposal and provide feedback on the brainstorm asap.  We are pushing for SAML support for two-factor authentication, but unless they hear from more universities about the need to support it it’s unlikely to be prioritized.

Thanks, CW





On 11/16/15, 3:28 PM, Steven Carmody wrote:

>There are some notes from long ago discussions with WD found here:
>
>https://docs.google.com/document/d/1c8GbnISNO1VEKb0cEpkeq5qbHMZWrs55x4VMFvmVuJI/edit#
>
>Those notes mention:
>
>> Access Restrictions feature (in product as of W21 -
>> https://community.workday.com/doc/itadmin/ala1377540590379), it's
>> configurable by security group and network location (e.g. source IP)
>> and applies to all Workday applications (not just Financials or HR).
>> In other words, you could configure your tenant to grant specific
>> groups of users a different set of access depending on what network
>> they are signing in from.
>
>the GUI for Access Restrictions may already provide the "administrative
>interface" mentioned in your #1 below.
>
>I think we'll get further if we can build on their existing functionality.
>
>On 11/15/15 10:04 AM, Gary Chapman wrote:
>> It appears that HR at NYU is about to have some direct conversations with
>> Workday on the subject of "step-up" authentication, which I'll be
>> involved in.
>>
>> I'd like to go in with a slightly more detailed "spec" of what's
>> sought.  Do folks
>> have suggestions regarding this rough draft?
>>
>> =============================================================
>> High-Level Spec for Workday Support of Step-Up Authentication via SAML
>>
>> Step-up authentication is defined as an authentication process for end-users
>> subsequent to primary username/password authentication, e.g. a 2nd-factor
>> authentication step.
>>
>> For customers using SAML-based web SSO,  Workday would provide these
>> capabilities:
>>
>> (1) An administrative interface for designating specific
>> pages/functions, user
>> roles, or users as requiring step-up authentication.
>>
>> (2) Workday would invoke a SAML authentication flow upon user access to
>> one of the designated pages (or upon login by a designated user) asking the
>> user's SAML IdP to perform the additional authentication step.  A successful
>> secondary authentication would permit the desired access within Workday;
>> a failed secondary authentication would yield an error message.
>>
>> (3) The SAML mechanism to be used involves Workday sending an
>> AuthnRequest with the username (Subject) of the user and a defined
>> RequestedAuthnContext telling the IdP to perform the secondary
>> authentication.
>> =============================================================
>>
>>
>>
>> On Thu, Nov 12, 2015 at 10:28 AM, Belcher, C W wrote:
>>
>>     Hi folks,
>>
>>     FYI UT Austin had a discussion with Workday yesterday about possible
>>     enhancements to authentication policies to allow specific tasks to
>>     be identified as “sensitive” that would require two-factor
>>     authentication. This would allow the enforcement of “step-up”
>>     authentication when specific tasks are being performed.
>>
>>     My question for the group is: If you were to use this functionality,
>>     how would you prefer the two-factor authentication be accomplished?
>>
>>       * Use OTP functionality in Workday (delivered via SMS or email, or
>>         perhaps using a TOTP app/token)
>>       * Use SAML (using a different authentication context from your
>>         SAML-based first-factor authentication) to perform the 2FA at
>>         your IdP
>>       * Use another process?
>>
>>     Thanks, CW
>>
>>     C.W. BELCHER, Associate Director
>>
>>     Identity & Access Management  |  Information Technology Services
>>
>>     The University of Texas at Austin  |  512-232-6519  |  FAC 326R
>>
>>
>
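
The SAML exchange that the high-level spec above asks Workday for, as an added worked example that is not part of the thread and is not Workday's, NYU's or UT Austin's code: the service provider (Workday's role) builds an AuthnRequest carrying the user's Subject and a RequestedAuthnContext with Comparison="exact", and on return checks the IdP's Response for the matching InResponseTo, the same user, the asserted AuthnContextClassRef, and a fresh AuthnInstant. The step-up context URI (the REFEDS MFA profile, https://refeds.org/profile/mfa, which postdates this thread), the entity IDs, URLs and user name are all placeholders chosen for the example; any URI the campus and Workday agree on would do. XML signature verification is assumed to happen before this check (with xmlsec or a SAML library), since the stdlib ElementTree does none.

```python
"""Added example (not Workday's, NYU's or UT Austin's code): the SAML step-up
exchange sketched in the thread's spec. The SP builds an AuthnRequest naming
the user and demanding an exact authentication context, then checks the
IdP's Response against what it asked for. Assumptions: REFEDS MFA profile as
the step-up context URI; placeholder entity IDs, URLs and user; the XML
signature has already been verified by the caller (e.g. with xmlsec)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
MFA_CONTEXT = "https://refeds.org/profile/mfa"  # assumed step-up context URI
TS = "%Y-%m-%dT%H:%M:%SZ"

def build_step_up_request(sp_entity_id, acs_url, idp_sso_url, name_id,
                          context=MFA_CONTEXT, request_id=None, now=None):
    """Return (request_id, xml_bytes). Subject names the logged-in user,
    RequestedAuthnContext Comparison="exact" demands the step-up context,
    ForceAuthn="true" stops the IdP reusing its first-factor session."""
    request_id = request_id or "_" + uuid.uuid4().hex
    now = now or datetime.now(timezone.utc)
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": now.strftime(TS),
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url,
        "ForceAuthn": "true"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    subject = ET.SubElement(req, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    }).text = name_id
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                        {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = context
    return request_id, ET.tostring(req, encoding="utf-8")

def evaluate_step_up(response_xml, request_id, name_id, context=MFA_CONTEXT,
                     now=None, max_age=timedelta(minutes=5)):
    """Return (True, "ok") if the Response proves a fresh step-up for the
    named user, else (False, reason). Signature is assumed verified."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != request_id:
        return False, "InResponseTo does not match our AuthnRequest"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    value = code.get("Value") if code is not None else None
    if value != SUCCESS:  # e.g. Responder/NoAuthnContext: IdP cannot step up
        return False, f"IdP status {value}"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion in Response"
    got_user = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if got_user != name_id:
        return False, f"assertion is for {got_user!r}, not {name_id!r}"
    stmt = assertion.find("saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement"
    got = stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef",
                        default="", namespaces=NS)
    if got != context:
        return False, f"IdP asserted {got!r}, required {context!r}"
    instant = datetime.strptime(stmt.get("AuthnInstant"), TS).replace(
        tzinfo=timezone.utc)
    if not (now - max_age <= instant <= now + timedelta(minutes=1)):
        return False, "AuthnInstant too old: step-up was not performed now"
    return True, "ok"

def sample_response(request_id, name_id, context, instant):
    """Constructed, unsigned IdP Response used only to exercise the check."""
    ts = instant.strftime(TS)
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
  Version="2.0" IssueInstant="{ts}" InResponseTo="{request_id}">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{ts}">
    <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="{ts}"><saml:AuthnContext>
      <saml:AuthnContextClassRef>{context}</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>""".encode()

def run_demo():
    """Good response, an IdP that only did password, and a stale step-up."""
    now = datetime(2015, 11, 20, tzinfo=timezone.utc)
    user = "jdoe@example.edu"
    rid, _ = build_step_up_request("https://workday.example.edu/sp",
                                   "https://workday.example.edu/acs",
                                   "https://idp.example.edu/sso", user, now=now)
    pwd = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    cases = {"good": (MFA_CONTEXT, now), "wrong_context": (pwd, now),
             "stale": (MFA_CONTEXT, now - timedelta(hours=1))}
    return {k: evaluate_step_up(sample_response(rid, user, ctx, t), rid, user,
                                now=now) for k, (ctx, t) in cases.items()}

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The freshness window on AuthnInstant is what makes this "step-up" rather than plain SSO: without ForceAuthn and that check, an IdP could satisfy the request from a session established hours earlier, and the sensitive task would get no second factor at all. The wrong-context case is the behaviour item (2) of the spec calls an error: the IdP answered, but not with the context Workday demanded.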





