Discussion of use cases and implementation experience integrating with Workday

["Belcher, C W" <>]

Hi Renee, 

On the Feb 11th call Workday reviewed the approach for configuring authentication policies for step-up authentication and showed a mockup that had SAML as an option for the stepped up authentication. However, we haven’t seen much progress on the proof of concept with them for using authentication context to trigger 2FA via SAML. They have reviewed our sample SAML request and response showing how it would work with our test IdP and I think they are clear on what we are asking for. 

The UT Austin Workday implementation leads are heading out to Workday next week to discuss our go-live gaps with them and when the gaps will be closed. SAML-based 2FA is one of those gaps so I should have more news next week on what the results of that discussion are. 

Thanks, CW

From: <> on behalf of Renee Shuey <>
Reply-To: Renee Shuey <>
Date: Thursday, February 25, 2016 at 11:48 AM
To: "" <>
Subject: Re: [InC-Workday] Update on Workday MFA

Thank you CW.

Is there an update from the February 11 meeting?  Penn State is in the early stages of implementing Workday.  There is an executive level meeting next Thursday with Penn State and Workday.  Is there anything we can do to help?

Also, does anyone have a one page executive paper on why InCommon and or enterprise 2FA?  I've committed to writing something for next week but would love to steal your work if it already exists. ;-)  Ok, I could say want to represent a consistent message from the community. 

Thanks in advance!

Renee

---

From: "Belcher, C W" <>
To:
Sent: Tuesday, January 26, 2016 6:33:47 PM
Subject: [InC-Workday] Update on Workday MFA

Hi folks, 

I hope everyone’s year is getting off to a good start. It’s been a while since we have communicated about Workday and MFA! I wanted to give you some updates on UT Austin’s discussions with Workday: 

• Workday has designed an enhancement to authentication policies to require step-up authentication for specific functions / security groups. This enhancement may make the cut for WD27 (still trying to get confirmation on that). 
• However, the proposed step-up authentication would use internal Workday two-factor (SMS or email OTP), which is unacceptable to UT Austin (and to many of your institutions, based on our prior email thread). We have communicated to Workday our requirement for the step-up authentication to be deferred to our SAML IdP. 
• With the help of the write-up from NYU (thanks Gary Chapman and Scott Koranda!) Workday now understands what we want in terms of SAML-based MFA. 
• Chris Co’s team at Workday is analyzing what would be required to implement SAML-based step-up authentication. They have asked us (UT Austin) to help with a proof-of-concept, which we will be working on over the next two weeks. 
• The next Workday authentication design partner call is February 11th and Workday is supposed to indicate then whether the SAML-based stepped-up authentication feature will make it into WD27. 
• As a reminder, the Workday brainstorm for step-up authentication is https://community.workday.com/idea/90665 

I’ll be providing an update on the IAM Online call tomorrow 1/27 at 1PM CT so please let me know if you have Workday MFA news to share from your campuses or feel free to join the discussion live :) 

Thanks, CW

——

C.W. BELCHER, Associate Director 

Identity & Access Management  |  Information Technology Services 

The University of Texas at Austin  |  512-232-6519  |  FAC 326R

Attachment: smime.p7s
Description: S/MIME cryptographic signature