workday - Re: [InC-Workday] Question about 2FA and Workday
Subject: Discussion of use cases and implementation experience integrating with Workday
- From: Gary Chapman <>
- To: "Belcher, C W" <>
- Cc: "" <>
- Subject: Re: [InC-Workday] Question about 2FA and Workday
- Date: Thu, 17 Dec 2015 16:08:04 -0500
On Wed, Dec 16, 2015 at 5:46 PM, Belcher, C W <> wrote:
Gary,

There is a Workday brainstorm posted that gets at the enhancements we’re trying to get them to make. It’s located here: https://community.workday.com/idea/90665

Would you mind posting your proposal on that brainstorm? If your HR folks can ask other universities to vote that brainstorm up that would also be helpful.

Thanks, CW

From: Gary Chapman <>
Reply-To: Gary Chapman <>
Date: Wednesday, December 16, 2015 at 1:58 PM
To: CW Belcher <>
Cc: "" <>
Subject: Re: [InC-Workday] Question about 2FA and Workday

We've had no further discussion with Workday. I just learned that there was discussion a week ago with the higher ed Workday customers, and there was general support for the proposed approach. Our HR folks were going to share the link with that group.

I gather that the sanctioned process is for a "Brainstorm" to be created which universities can then vote on... I've suggested to our HR folks that they do this around this specific write-up, but I'm not sure when that'll happen. Is this something I need to do?

(I should say that here at NYU it seems fairly likely that we'll roll out MFA for all employee access to Workday long before Workday itself would augment their current capabilities. After all, they've been talking about fall 2016 for executing their current plans.)

- Gary

On Tue, Dec 15, 2015 at 2:57 PM, Belcher, C W <> wrote:

Gary,

I think the write-up is great. Have you had any more discussions with Workday? Have you shared the writeup with them yet? I would like to know how many universities would be willing to sign on to the writeup as a shared position statement. The more voices we can coalesce around a coherent “ask” of Workday the better off we’ll be, in my opinion.

FYI we have some folks from UT Austin meeting with Workday later this week and they are going to bring up SAML/MFA support as a major gap that needs to be addressed for our go-live.

Thanks, CW

From: <> on behalf of Gary Chapman <>
Reply-To: Gary Chapman <>
Date: Wednesday, November 25, 2015 at 7:11 PM
To: "" <>
Subject: Re: [InC-Workday] Question about 2FA and Workday

Please see the linked write-up re potential SAML/MFA support for Workday. At NYU, our HR folks propose to take this to the higher education Workday constituent group for discussion/endorsement and (presumably) present to Workday so as to lead to a definitive resolution of the question of Workday's willingness to implement a SAML-based approach.

I imagine Workday "Brainstorm" endorsements would be called for in due course.

This write-up was largely authorized at NYU's request by Scott Koranda with some additions by me.

Comments and suggestions would be much appreciated.

- Gary Chapman, NYU

On Thu, Nov 19, 2015 at 7:46 PM, Gary Chapman <> wrote:

We at NYU had a phone call with Workday on Tuesday. They described to us as what Workday has decided to this point:

(1) to not support Duo directly
(2) to not support a SAML-oriented solution

but in a future release (fall 2016-ish) support this:

(a) - for designated functions, Workday would send an SMS text message to the end user; the user would type the received code into Workday in order to proceed.

or

(b) - for designated functions, users would be prompted for a "time-sensitive" one-time passcode, which Workday folks claimed could be generated by the Duo mobile app, or by Google Authenticator or by other tools.

We will be conferring in-house next week to decide on next steps, but I'm recommending here that we (NYU) present Workday with a clear, basic spec of the sort of thing we think is possible via SAML -- I'd like a clear, unequivocal "no" from Workday, or an answer indicating their willingness to work with us and the higher-ed community on a SAML solution.

- Gary Chapman, NYU IT

On Thu, Nov 19, 2015 at 6:34 PM, Belcher, C W <> wrote:

Hi all,
Workday has updated the step-up authentication brainstorm with their proposal: https://community.workday.com/idea/90665 (see Archana’s comment posted 11/18/2015). Note that they are proposing that two-factor authentication happen via Workday’s "OTP framework, or eventually via a TOTP app of your choice..." and not via SAML. Please review the proposal and provide feedback on the brainstorm asap. We are pushing for SAML support for two-factor authentication, but unless they hear from more universities about the need to support it it’s unlikely to be prioritized.
Thanks, CW
On 11/16/15, 3:28 PM, Steven Carmody wrote:

>There are some notes from long ago discussions with WD found here:
>
>https://docs.google.com/document/d/1c8GbnISNO1VEKb0cEpkeq5qbHMZWrs55x4VMFvmVuJI/edit#
>
>Those notes mention:
>
>> Access Restrictions feature (in product as of W21 -
>> https://community.workday.com/doc/itadmin/ala1377540590379), it's
>> configurable by security group and network location (e.g. source IP)
>> and applies to all Workday applications (not just Financials or HR).
>> In other words, you could configure your tenant to grant specific
>> groups of users a different set of access depending on what network
>> they are signing in from.
>
>the GUI for Access Restrictions may already provide the "administrative
>interface" mentioned in your #1 below.
>
>I think we'll get further if we can build on their existing functionality.
>
>On 11/15/15 10:04 AM, Gary Chapman wrote:
>> It appears that HR at NYU is about to have some direct conversations with
>> Workday on the subject of "step-up" authentication, which I'll be
>> involved in.
>>
>> I'd like to go in with a slightly more detailed "spec" of what's
>> sought. Do folks
>> have suggestions regarding this rough draft?
>>
>> =============================================================
>> High-Level Spec for Workday Support of Step-Up Authentication via SAML
>>
>> Step-up authentication is defined as an authentication process for end-users
>> subsequent to primary username/password authentication, e.g. a 2nd-factor
>> authentication step.
>>
>> For customers using SAML-based web SSO, Workday would provide these
>> capabilities:
>>
>> (1) An administrative interface for designating specific
>> pages/functions, user
>> roles, or users as requiring step-up authentication.
>>
>> (2) Workday would invoke a SAML authentication flow upon user access to
>> one of the designated pages (or upon login by a designated user) asking the
>> user's SAML IdP to perform the additional authentication step. A successful
>> secondary authentication would permit the desired access within Workday;
>> a failed secondary authentication would yield an error message.
>>
>> (3) The SAML mechanism to be used involves Workday sending an
>> AuthnRequest with the username (Subject) of the user and a defined
>> RequestedAuthnContext telling the IdP to perform the secondary
>> authentication.
>> =============================================================
>>
>>
>>
>> On Thu, Nov 12, 2015 at 10:28 AM, Belcher, C W wrote:
>>
>> Hi folks,
>>
>> FYI UT Austin had a discussion with Workday yesterday about possible
>> enhancements to authentication policies to allow specific tasks to
>> be identified as “sensitive” that would require two-factor
>> authentication. This would allow the enforcement of “step-up”
>> authentication when specific tasks are being performed.
>>
>> My question for the group is: If you were to use this functionality,
>> how would you prefer the two-factor authentication be accomplished?
>>
>> * Use OTP functionality in Workday (delivered via SMS or email, or
>> perhaps using a TOTP app/token)
>> * Use SAML (using a different authentication context from your
>> SAML-based first-factor authentication) to perform the 2FA at
>> your IdP
>> * Use another process?
>>
>> Thanks, CW
>>
>> C.W. BELCHER, Associate Director
>> Identity & Access Management | Information Technology Services
>> The University of Texas at Austin | 512-232-6519 | FAC 326R
>>
>
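
An added illustration of items (2) and (3) of the draft spec quoted above; it is not part of any message in this thread and is not Workday's implementation. It builds the AuthnRequest (Subject plus RequestedAuthnContext) on the service-provider side and then checks that the IdP's answer really reports the requested context for the same user and request. The context class URI, entity IDs, function names and the sample IdP response are constructed placeholders, and signature validation of the response is assumed to happen before this check.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Placeholder URI (assumption): the real value is whatever SP and IdP agree on.
MFA_CTX = "https://idp.example.edu/authn-context/mfa"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

def build_step_up_request(username, sp_entity_id, idp_sso_url, ctx=MFA_CTX):
    """Spec item (3): AuthnRequest carrying Subject and RequestedAuthnContext."""
    req_id = "_" + uuid.uuid4().hex
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": now, "Destination": idp_sso_url})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    subject = ET.SubElement(req, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = username
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ctx
    return req_id, ET.tostring(req, encoding="unicode")

def step_up_satisfied(response_xml, req_id, username, ctx=MFA_CTX):
    """Spec item (2): grant access only if the IdP answered this request, for this
    user, with the requested context. Signature checks are assumed done already."""
    resp = ET.fromstring(response_xml)
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False
    if resp.get("InResponseTo") != req_id:  # reject replayed or unsolicited responses
        return False
    name_id = resp.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    got_ctx = resp.findtext("saml:Assertion/saml:AuthnStatement/saml:AuthnContext"
                            "/saml:AuthnContextClassRef", namespaces=NS)
    return name_id == username and got_ctx == ctx

def sample_response(req_id, username, ctx):
    """Constructed, unsigned, minimal IdP response used only to exercise the check."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'InResponseTo="{req_id}"><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/>'
            f'</samlp:Status><saml:Assertion><saml:Subject><saml:NameID>{username}'
            f'</saml:NameID></saml:Subject><saml:AuthnStatement><saml:AuthnContext>'
            f'<saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef>'
            f'</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>')
```

A response that reports only the password context, names a different user, or answers a different request ID fails the check, which is what keeps a first-factor assertion from being accepted as the second factor.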