Add Multifactor Authentication to Workflow Processes

Adding multi-factor authentication (MFA) to workflows provides an extra layer of security for sensitive operations. Workflow Studio includes a RunMultifactorAuthentication activity that you can drag and drop onto the design surface of any stock or custom workflow. This activity forces the person using the workflow to undergo multi-factor authentication before the workflow continues—useful when additional caution is warranted, such as when a Person account is being deleted from EmpowerID.

What You'll Learn

In this tutorial, you'll enhance a workflow with multi-factor authentication by:

  • Adding the RunMultifactorAuthentication activity to an existing workflow
  • Adding the required assembly reference
  • Creating workflow properties to control MFA behavior
  • Binding properties to pass authentication requirements to the MFA activity
  • Publishing the MFA-enabled workflow
  • Configuring request workflow parameters for administrator control

Overview

To inject MFA into a workflow, you need to:

  1. Add the RunMultifactorAuthentication activity to the workflow
  2. Add a reference to the MultiFactorAuthenticator.dll assembly
  3. Create new properties on the workflow and bind those to the corresponding properties of the activity

These properties are dynamic workflow parameters whose values can be set in the UI by EmpowerID administrators.

Activity Properties

The RunMultifactorAuthentication activity supports the following properties:

| Property | Description | Type |
| --- | --- | --- |
| TargetUsePolicyMultifactor | Specifies whether to use the MFA options of the Password Manager Policy associated with the workflow initiator. | Boolean |
| TargetUsePersonMultifactor | Specifies whether to use the MFA options preferred by the workflow initiator (set on the Person object). | Boolean |
| TargetMinimumMultiFactorPoints | Specifies the minimum points required for the person to complete MFA. | Int32 |
| TargetMultiFactorAuthTypeIDs | Collection of IDs for the MFA options. | List<Int32> |

Understanding MFA Property Configuration

These properties work together to determine how MFA is enforced:

  • Use Policy Settings: When TargetUsePolicyMultifactor is true, the system uses MFA options defined in the user's Password Manager Policy.
  • Use Personal Preferences: When TargetUsePersonMultifactor is true, the system uses the MFA methods the user has configured on their Person object.
  • Point-Based Requirements: TargetMinimumMultiFactorPoints allows you to require multiple forms of authentication.
  • Specific Methods: TargetMultiFactorAuthTypeIDs lets you restrict which MFA methods are acceptable for this workflow.

Tutorial: Adding MFA to DeleteMultiplePeopleWithOptions Workflow

This section demonstrates adding MFA to a workflow by adding the RunMultifactorAuthentication activity to a copy of the stock DeleteMultiplePeopleWithOptions workflow.

Best Practice

When altering a stock workflow, make a copy and modify the copy rather than the original.

Step 1: Create a Copy of the Workflow

  1. In Workflow Studio, search for and open the DeleteMultiplePeopleWithOptions workflow.
  2. From the Common toolbar, click Save As and save a copy of the workflow in the folder of your choice, naming it DeletePeopleWithOptionsMFA.

Step 2: Add the RunMultifactorAuthentication Activity

Place the MFA activity early in the workflow to authenticate users before sensitive operations.

  1. Search for the RunMultifactorAuthentication activity and drag it onto the design surface of your workflow.
  2. Rearrange the workflow so that RunMultifactorAuthentication is the first activity.

Step 3: Add Assembly Reference

To use the RunMultifactorAuthentication activity in your workflow, add a reference to the MultiFactorAuthenticator assembly.

  1. From the Code Tree pane of the Workflow Solution, right-click References and select Add Reference > Add Assembly Reference.
  2. Select MultiFactorAuthenticator and click Add selected items.

Step 4: Create Workflow Properties

Workflow properties act as parameters that can be configured by administrators without modifying workflow code. Create properties that correspond to each MFA activity input.

  1. In the workflow designer, click the Properties tab for the workflow.
  2. Right-click the top-level workflow node and select Add New Property.
  3. In the Add New Property dialog, add the TargetUsePolicyMultifactor property of type Boolean.
  4. Repeat to add the remaining required properties:
    • TargetUsePersonMultifactor (Boolean)
    • TargetMinimumMultiFactorPoints (Int32)
    • TargetMultiFactorAuthTypeIDs (System.Collections.Generic.List<Int32>)

Property Names Must Match

Property names are case-sensitive and must match exactly when creating request workflow parameters later.

Step 5: Bind Properties to the Activity

Property binding passes data values between workflow components. Bind the workflow properties you created to their corresponding properties on the MFA activity.

  1. Click the Bindings tab above the workflow.
  2. In the Workflow properties tree (left), locate the properties you created. In the MFA activity tree (right), locate the matching properties.
  3. Drag each workflow property onto its corresponding MFA activity property.
  4. From the Workflow properties tree, expand Base Properties > Workflow and locate the Initiator property.
  5. Drag Initiator onto the TargetPerson property of the MFA activity. This specifies that MFA runs against the person initiating the workflow. When you have completed binding the workflow and activity properties, the trees should look like the image below.
    [Image: completed bindings]

Step 6: Compile and Publish the Workflow

  1. Return to the workflow designer and click Compile to check for any errors.
  2. Click Close to close the Operations log.
    If you have errors, fix them and compile the workflow again before proceeding.
  3. Click Compile and Publish to publish the workflow.
  4. In the Publishing Wizard, click Next.
  5. Click Yes when prompted about creating a request workflow.
  6. Click OK to accept defaults in the Request Workflow dialog and note the URL.
  7. When prompted to restart services, click No.
  8. Reset IIS.

Required Configuration

For the workflow to execute with MFA, you must add Request Workflow Parameters that match the properties you created. The parameters set the values passed from the request workflow to the MFA activity.

Adding Parameters to the Request Workflow

After publishing your workflow, configure request workflow parameters in the EmpowerID Web interface. These parameters control MFA behavior and must match the workflow properties exactly.

Step 1: Access the Workflow Configuration

  1. From the navbar of the Web interface, expand Object Administration and click Workflows.
    This opens the Workflows page, where you can search for and manage settings for all published workflows.
  2. Search for the workflow and click its Display Name link.
  3. On the Workflow Details page, expand Request Workflow Parameters.

Step 2: Add Required Parameters

  1. Click Add New Parameter.
  2. Enter the Name and Value for the parameter and click SAVE.
  3. Add each required parameter (names must match exactly):
    • TargetUsePolicyMultifactor: Boolean value
    • TargetUsePersonMultifactor: Boolean value
    • TargetMinimumMultiFactorPoints: Integer value
    • TargetMultiFactorAuthTypeIDs: List of integers
  4. When finished adding parameters, recycle the EmpowerID app pools.
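
A pre-flight check for the request workflow parameters listed above, given here as an added example that is not part of the EmpowerID product or its documentation. It verifies the four names case-sensitively and checks each value against the type from the Activity Properties table. The text encodings it accepts ("true"/"false", comma-separated IDs, an empty value as an empty list) and the names lint_parameters and SAMPLE are assumptions made for illustration.

```python
import re

# Names and types are the four properties from the tutorial. The text
# encodings are assumptions: "true"/"false" for Boolean, comma-separated
# integers for List<Int32> (an empty value is read as an empty list).
REQUIRED = {
    "TargetUsePolicyMultifactor": "Boolean",
    "TargetUsePersonMultifactor": "Boolean",
    "TargetMinimumMultiFactorPoints": "Int32",
    "TargetMultiFactorAuthTypeIDs": "List<Int32>",
}

def _is_int32(text):
    text = text.strip()
    return bool(re.fullmatch(r"-?[0-9]+", text)) and -2**31 <= int(text) < 2**31

def _value_ok(kind, value):
    if kind == "Boolean":
        return value.strip().lower() in ("true", "false")
    if kind == "Int32":
        return _is_int32(value)
    return value.strip() == "" or all(_is_int32(p) for p in value.split(","))

def lint_parameters(params):
    """Return findings for a {name: value} dict of planned parameters."""
    findings = []
    by_lower = {name.lower(): name for name in params}
    for name, kind in REQUIRED.items():
        if name in params:
            if not _value_ok(kind, params[name]):
                findings.append(f"{name}: {params[name]!r} is not a valid {kind}")
        elif name.lower() in by_lower:
            # Same letters, different casing: will not match the workflow property.
            findings.append(f"{name}: entered as {by_lower[name.lower()]!r}, names are case-sensitive")
        else:
            findings.append(f"{name}: missing")
    return findings

# Constructed sample input: one casing slip, one bad integer, one missing entry.
SAMPLE = {
    "TargetUsePolicyMultifactor": "true",
    "targetUsePersonMultifactor": "false",
    "TargetMinimumMultiFactorPoints": "two",
}

if __name__ == "__main__":
    for finding in lint_parameters(SAMPLE):
        print(finding)
```

An empty result means all four names match exactly and every value parses as its declared type.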