Smart Configuration - Workday Authentication Policies
Kainos Smart recommends an authentication policy be implemented in order to deny an active Kainos Smart integration system user or Professional Services/Smart Support named account access to a customer’s Production Workday tenant. Following the recommendation as described in this article allows Kainos Smart Professional Services to re-provision non-Production tenants weekly without requiring a new password to be sent each week by the customer.
Authentication Policy Overview & Justification
Authentication policies provide a degree of control over how users sign in to Workday by allowing or denying the use of specified authentication types, the methods by which a user may attempt to sign in to Workday. These types include the following:
- Mobile PIN
- OpenID Connect
- User Name / Password
- User Name / Password + Challenge Questions
- User Name / Password + One Time Passcode
Using an authentication policy, it is possible to explicitly allow or deny the use of any of the aforementioned authentication types per security group. Put in context, Kainos Smart recommends that access to all of these authentication types be explicitly denied for the kainossmart-intsysuser and all Professional Services/Smart Support named accounts within a customer’s Production Workday tenant, while these accounts are allowed to remain active.
When configured correctly, this prevents the Kainos user accounts from being used on the customer’s Production Workday tenant even though they remain active, because they lack the permission required to authenticate using any authentication type, even the standard username and password combination.
This benefits the customer during the weekly Sandbox refresh. Prior to the use of authentication policies, customers had to provide a new password for the Kainos user accounts to Kainos Smart Professional Services/Smart Support in order to provision Smart. Implementing an authentication policy as described in section 3 of this document makes this step obsolete: although the Production authentication policy is copied to the Sandbox tenant during the weekly refresh of Workday tenants, it does not apply to the Sandbox tenant. This mirrors the tenant scope of proxy access policies.
- The authentication policy implemented applies to a Production Workday tenant
- It prevents the use of any authentication type by the Kainos user accounts, therefore preventing them from signing into the customer’s Production Workday tenant
- The Kainos user accounts are active on the Production Workday tenant, but cannot sign in as a result of being denied access to all authentication types in this environment
- When Workday’s weekly refresh occurs, the Kainos user accounts can sign in to Sandbox tenants because the Production authentication policy does not apply there.
- As the Kainos user account passwords on Production are known by Kainos Smart Professional Services, the customer does not need to provide a new password each week for Smart tenant provisioning to take place.
- For emphasis: if the authentication policy is configured as described in this document, the Kainos user accounts cannot sign in to Production tenants.
Authentication Policy Configuration
Search for and run the Manage Authentication Policies task:
The Manage Authentication Policies screen is shown. If no Production authentication policy currently exists, click the Add Authentication Policy button:
The Add Authentication Policy screen below shows:
- The environment(s) the authentication policy applies to
- A flag showing whether or not the authentication policy is enabled
- The network blacklist: a list of IP ranges which are blocked by the Workday tenant.
- The authentication whitelist: an ordered list of security groups and the authentication types which those security groups are permitted to use in order to sign in to the specified environments.
- The default rule for All Users: a catch-all rule allowing security groups not matched above to access the environments in question as if no authentication policy applied, i.e. unrestricted.
To configure an authentication policy as required for Kainos Smart, create and flag as enabled a Production environment policy:
Create the authentication rule shown below. This rule explicitly denies the Kainos user accounts every method of authentication, even though the accounts are enabled, and therefore prevents them from signing in to the Production tenant. This rule should always be the first rule in the authentication whitelist:
The default rule for all users shown below prevents the authentication policy from restricting access to users not specified in the authentication whitelist. This rule can be left blank, as this will result in no restrictions being placed on the users not previously matched in the authentication whitelist.
A user is matched only by the first rule in the list that names a security group they are a member of. This mirrors the operation of the proxy access policy, and is why the rule above must be placed at the top of the list if other authentication rules are already in place: a broader rule listed earlier would be the one applied to the Kainos user accounts instead.
The final step in implementing this authentication policy is to activate it, in the same way that security domain changes are activated. To do this, run the Activate All Pending Authentication Policy Changes task within Workday and enter a comment.
Click OK to proceed to the confirmation screen. Check the Confirm check box, then click OK.
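To check the reasoning behind the rule ordering and the tenant scope described above, here is an added model of the policy evaluation semantics (first matching rule wins, blank default rule is unrestricted, policy only constrains the environments it is scoped to). This is example code written for this article, not Workday or Kainos Smart code; the security group names and the second, mis-ordered policy are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# The authentication types listed in the article.
AUTH_TYPES = frozenset({
    "Mobile PIN",
    "OpenID Connect",
    "User Name / Password",
    "User Name / Password + Challenge Questions",
    "User Name / Password + One Time Passcode",
})

@dataclass(frozen=True)
class Rule:
    """One row of the authentication whitelist."""
    security_groups: FrozenSet[str]
    allowed_types: FrozenSet[str]   # empty set = every type explicitly denied

@dataclass
class AuthPolicy:
    environments: FrozenSet[str]
    enabled: bool
    whitelist: List[Rule]                       # ordered: first match wins
    default_allowed: Optional[FrozenSet[str]]   # None = blank All Users rule, unrestricted

def is_sign_in_allowed(policy: AuthPolicy, environment: str,
                       user_groups: FrozenSet[str], auth_type: str) -> bool:
    """Evaluate one sign-in attempt using the semantics the article describes."""
    if auth_type not in AUTH_TYPES:
        raise ValueError(f"unknown authentication type: {auth_type}")
    # The policy only constrains the environments it is scoped to (e.g. Production,
    # not the Sandbox it is copied to during the weekly refresh).
    if not policy.enabled or environment not in policy.environments:
        return True
    # Only the first rule naming a group the user belongs to is consulted.
    for rule in policy.whitelist:
        if rule.security_groups & user_groups:
            return auth_type in rule.allowed_types
    # No whitelist match: fall through to the All Users default rule.
    return policy.default_allowed is None or auth_type in policy.default_allowed

def denied_everywhere_in(policy: AuthPolicy, environment: str, user_groups: FrozenSet[str]) -> bool:
    """True when the user is refused every authentication type in that environment."""
    return not any(is_sign_in_allowed(policy, environment, user_groups, t) for t in AUTH_TYPES)

# Constructed group names: the article does not state the real security group names.
KAINOS_GROUPS = frozenset({"Kainos Smart Integration Users", "Kainos Smart Support"})
DENY_KAINOS = Rule(KAINOS_GROUPS, frozenset())
# Recommended Production policy: Kainos deny rule first, All Users default left blank.
RECOMMENDED = AuthPolicy(frozenset({"Production"}), True, [DENY_KAINOS], None)
# Constructed mis-ordered variant: a broader rule precedes the Kainos deny rule.
BROAD_RULE = Rule(frozenset({"All Integration Users"}), frozenset({"User Name / Password"}))
MISORDERED = AuthPolicy(frozenset({"Production"}), True, [BROAD_RULE, DENY_KAINOS], None)
```

Evaluating a Kainos account that is also a member of the broader group shows why the deny rule must be first: under MISORDERED the earlier rule is the one applied, and username/password sign-in to Production is allowed again.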