Add Multifactor Authentication to Workflow Processes
Workflow Studio includes an activity named RunMultifactorAuthentication that you can drag and drop onto the design surface of any stock or custom workflow to force the person using the workflow to undergo multi-factor authentication (MFA) before the workflow continues. This allows you to add an extra layer of security to processes where more caution is warranted, such as when a person account is being deleted from EmpowerID.
To inject MFA into a workflow, you only need to do the following:
Add the RunMultifactorAuthentication activity to the workflow
Add a reference to the MultiFactorAuthenticator.dll to the workflow
Create new properties on the workflow and bind those to the corresponding properties of the activity. These properties are dynamic workflow parameters whose values can be set in the UI by EmpowerID administrators.
Property | Description | Type |
---|---|---|
TargetUsePolicyMultifactor | Specifies whether to use the MFA options of the Password Manager Policy associated with the workflow initiator | Boolean |
TargetUsePersonMultifactor | Specifies whether to use the MFA options preferred by the workflow initiator (set on the Person object) | Boolean |
TargetMinimumMultiFactorPoints | Specifies the minimum points required for the person to complete MFA | Int32 |
TargetMultiFactorAuthTypeIDs | Collection of IDs for the MFA options | Collections.Generic.List<System.Int32> |
This article demonstrates adding MFA to a workflow by adding the RunMultiFactorAuthentication activity to a copy of the stock DeleteMultiplePeopleWithOptions workflow.
When altering a stock workflow, it’s good practice to make a copy of the workflow and alter the copy.
To add multifactor authentication to a workflow
In Workflow Studio, search for and open the DeleteMultiplePeopleWithOptions workflow.
From the Common toolbar, click Save As and then save a copy of the workflow in the folder of your choice, naming it DeletePeopleWithOptionsMFA.
Search for the RunMultiFactorAuthentication activity and then drag it onto the design surface of your workflow.
Rearrange the workflow so that RunMultiFactorAuthentication is the first activity.
From the Code Tree pane of the Workflow Solution, right-click References and select Add Reference > Add Assembly Reference.
Select MultiFactorAuthenticator and click Add selected items.
Back in the workflow designer, click the Properties tab for the workflow.
From the Workflow Properties tab, right-click the top-level workflow node and select Add New Property.
In the Add New Property dialog that opens, add the TargetUsePolicyMultifactor property of type Boolean (as mentioned in the above table).
Repeat steps 8 and 9 (selecting Add New Property and completing the Add New Property dialog) to add the rest of the required properties (as mentioned in the above table) to the workflow.
Click the Bindings tab above the workflow. We will use this tab to bind the workflow properties you just created to their corresponding properties on the MFA activity.
From the Bindings tab, expand the Workflow properties tree on the left and the MFA activity properties tree on the right.
Drag the properties you just added to the workflow from the Workflow properties tree onto their corresponding MFA activity properties.
From the Workflow properties tree, click the Base Properties node to expand it and then click the Workflow node.
Locate the Initiator property.
Drag the Initiator property onto the TargetPerson property of the MFA activity. This specifies that MFA be run against the person initiating the workflow.
When you have completed binding the workflow and activity properties, the trees should look like the below image.
Return to the workflow designer and click the Compile button. Compiling allows you to check for any errors.
Click Close to close the Operations log.
If you have errors, fix them and then compile the workflow again.
When ready, click the Compile and Publish button to publish the workflow.
From the Publishing Wizard that appears, click Next to begin the process.
Click Yes when prompted about creating a request workflow.
Click OK to accept the default values presented by the Request Workflow dialog.
Take note of the URL, as that is where you can access the workflow.
When prompted to restart services, click No.
Reset IIS.
In order for the workflow to execute, the properties you added must be added to the request workflow as parameters. The parameters set the property values that are passed from the workflow to the MFA activity. The parameters must match the properties exactly. You add the parameters to the workflow in the Web interface. Typically, this is done by EmpowerID administrators, but is included below for your reference.
To add parameters to the request workflow
From the navbar of the Web interface, expand Object Administration and click Workflows.
This takes you to the Workflows page, where you can search for and manage settings for all published workflows.
Search for the workflow and then click the Display Name link for it.
On the Workflow Details page that appears, click the Request Workflow Parameters accordion.
From the expanded accordion, click the Add New Parameter button.
Enter the name and value for the parameter and then click SAVE.
Add each required parameter, specifying their values. Be sure the names match the workflow property names exactly.
When finished adding parameters, recycle the EmpowerID app pools.
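The exact-match requirement is easy to trip over because the property names mix "Multifactor" and "MultiFactor". The lint below is an added example, not EmpowerID code: it checks a hand-transcribed set of request workflow parameters against the property table. The dictionary input, the true/false and comma-separated value formats, and the function names are assumptions of this example.

```python
import re

# Names and types come from the property table on this page. The value formats
# (true/false, comma-separated IDs) are assumptions of this example.
_INT = re.compile(r"[+-]?[0-9]+")

def _is_bool(v):
    return v.strip().lower() in ("true", "false")
def _is_int32(v):
    return bool(_INT.fullmatch(v.strip())) and -2**31 <= int(v) <= 2**31 - 1
def _is_int32_list(v):
    return all(_is_int32(part) for part in v.split(","))

EXPECTED = {
    "TargetUsePolicyMultifactor": ("Boolean", _is_bool),
    "TargetUsePersonMultifactor": ("Boolean", _is_bool),
    "TargetMinimumMultiFactorPoints": ("Int32", _is_int32),
    "TargetMultiFactorAuthTypeIDs": ("List<Int32>", _is_int32_list),
}

def lint_parameters(entered):
    """Return sorted findings for a {name: value} dict of entered parameters."""
    folded = {name.lower(): name for name in EXPECTED}
    findings, accounted = [], set()
    for name, value in entered.items():
        if name in EXPECTED:
            accounted.add(name)
            type_name, valid = EXPECTED[name]
            if not valid(value):
                findings.append(f"{name}: value {value!r} is not a valid {type_name}")
        elif name.strip().lower() in folded:  # differs only by case or whitespace
            want = folded[name.strip().lower()]
            accounted.add(want)
            findings.append(f"{name!r}: near miss, must be exactly {want!r}")
        else:
            findings.append(f"{name!r}: not a property in the MFA activity table")
    for name in EXPECTED:
        if name not in accounted:
            findings.append(f"{name}: required parameter is missing")
    return sorted(findings)

# Constructed sample input, as an administrator might have typed it.
SAMPLE = {
    "TargetUsePolicyMultiFactor": "true",    # capital F
    "TargetUsePersonMultifactor ": "false",  # trailing space
    "TargetMinimumMultiFactorPoints": "two",
    "TargetMultiFactorAuthTypeIDs": "1,2",
}
```

Running `lint_parameters(SAMPLE)` reports two near-miss names and one invalid Int32 value; an empty list means every name matches exactly and every value parses as its declared type.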