Map user attributes and auto-provision new users

Using single sign-on (SSO), you can pass attributes from your identity provider’s Active Directory to your Adobe Workfront users. You can also add new users to Workfront using the Auto-Provision option (also called Just In Time Provisioning or JIT).


This is not available if your organization has been onboarded to the Adobe Admin Console. See your network or IT administrator if you need more information.

Access requirements

You must have the following access to perform the steps in this article:

Adobe Workfront plan Any
Adobe Workfront license Plan
Access level configurations

You must be a Workfront administrator.

NOTE: If you still don't have access, ask your Workfront administrator if they set additional restrictions in your access level. For information on how a Workfront administrator can modify your access level, see Create or modify custom access levels.

Tips for mapping attributes

Keep the following in mind when mapping attributes:

  • Always test in a Preview sandbox or a Customer Refresh (CR) sandbox.
  • Test with both administrator and non-administrator accounts to confirm that you are mapping attributes correctly.
  • Attributes are mapped every time a user signs into Workfront via SSO, not just during Auto-Provisioning.

Map user attributes and auto-provision new users

  1. Click the Main Menu icon in the upper-right corner of Adobe Workfront, then click Setup .

  2. Click System > Single Sign-On (SSO).

  3. In the Type drop-down, click SAML 2.0.

  4. Click Map User Attributes.

  5. (Optional) If you want Workfront to create new users from your Active Directory automatically, click Auto-Provision User.

    This feature requires attribute mapping.

  6. In the row of options that appears, map the attributes you need for your Workfront users.

    You can map attributes such as Address, Manager, Job Role, Home Group, and so on.

    Attribute mappings work on a 1:1 Ratio. For example, you cannot set every group that a user belongs to; you can set only one per user.


    The following attributes are required for each user:

    • First Name
    • Last Name
    • Email Address

    We do not recommend mapping Access Levels in the Attribute Mappings. If you do, be careful when you are setting the default value to make sure that you don’t remove Admin Access inadvertently.

    The following table explains the fields you can use to map attributes:

    Workfront User Attribute Choose the name of the attribute you are mapping
    Directory Attribute Type the SSO attribute label you want to use./td>
    Default Value

    After you choose a Workfront User Attribute, if the value is NULL during the connection, this field fills in with the corresponding default value in the system. Type a value here only if you plan to apply attribute mapping rules (see step 7). The default value acts as an exception to those rules.

  7. (Optional) Click Rules to add a rule to the attribute.

    1. In the drop-down, choose the attribute modifier you want to use.

    2. In the 2 fields to the right, type the directory attribute value and the value you want to replace it with.

    You can click Add Rule to add more rules to the attribute.

  8. (Optional) To map more user attributes, click Add Mapping and repeat steps 6-7.

  9. Click Save.

On this page