The procedure described on this page applies only to organizations that are not yet onboarded to the Adobe Admin Console.
If your organization has been onboarded to the Adobe Admin Console, see Platform-based administration differences (Adobe Workfront/Adobe Business Platform).
As an Adobe Workfront administrator, you can configure the Workfront web and mobile applications to integrate with a Security Assertion Markup Language (SAML) 2.0 solution for single sign-on (SSO).
After you have configured SAML 2.0 in Workfront, as described in the following sections, you can maintain the configuration as described in Update SAML 2.0 metadata in your identity provider.
You must have the following access to perform the steps in this article:

| Adobe Workfront plan | Any |
| Adobe Workfront license | Plan |
| Access level configurations | You must be a Workfront administrator. |
NOTE: If you still don't have access, ask your Workfront administrator if they set additional restrictions in your access level. For information on how a Workfront administrator can modify your access level, see Create or modify custom access levels.
Click the Main Menu icon in the upper-right corner of Adobe Workfront, then click Setup.
Click System > Single Sign-On (SSO).
In the Type drop-down list, click SAML 2.0.
Near the top of the options that appear, click Download SAML 2.0 Metadata to download the file on your computer.
Your SAML 2.0 Identity Provider requires an XML file with information generated in your Workfront instance. After the file is downloaded, you need to go to your SAML 2.0 Identity Provider server and upload the Workfront SAML 2.0 Metadata XML file there.
Specify the following information:
| Service Provider ID | This URL, already populated for you, identifies Workfront to your identity provider. For example: |
Select the method supported by your IDP server for sending authentication information:
| Populate fields from Identity Provider Metadata | In your SAML 2.0 Identity Provider solution, export the Identity Provider Metadata XML file (it carries the provider's entity ID, its single sign-on and single logout endpoints, and the X.509 certificate it signs assertions with) and save it to a temporary location on your computer. Select Choose File, then find and select the file you saved to add it to your Workfront configuration. Do not confuse this file with the Workfront SAML 2.0 Metadata you downloaded above, which describes Workfront as the service provider and belongs on the identity provider side. |
| Login Portal URL | Specify your organization's common login portal. This is the URL where users log in to access Workfront and all other applications integrated with SAML 2.0. |
Specify the sign-out URL for the IDP server. When a user signs out of Workfront, Workfront sends the user's browser to this URL so that the session on the identity provider is closed as well as the Workfront session. Without it, signing out of Workfront ends only the Workfront session: the identity provider session stays alive, and the next visit to Workfront can sign the user straight back in without a prompt, which matters on shared or public machines.
NOTE: You are redirected to the sign-out URL only if the option Only Allow SAML 2.0 Authentication is enabled in your user profile.
| Change Password URL | Specify the URL where users will be redirected to change their passwords. Because the SAML 2.0 credentials are used to access Workfront, users need to be redirected to a page where they can change their SAML 2.0 password instead of completing this activity through Workfront. |
| Secure Hash Algorithm | Select the Secure Hash Algorithm (SHA) that your IDP supports. Choose the strongest one both sides support: SHA-1 is deprecated for XML signatures, so prefer SHA-256 or higher wherever your identity provider offers it. |
Automatically creates a user in the system when a new user with a directory username and password attempts to log in to Workfront for the first time.
In order to create users in Workfront, you need to map Workfront data attributes with the following user data attributes in your directory provider:
The following options display to allow you to do this:
Select the Workfront User Attribute that you want to map from the drop-down list, then specify the corresponding Directory Attribute in the user directory.
The Directory Attribute field should contain the Directory Attribute Name from the User Attribute table you saved when successfully testing your SAML 2.0 configuration.
You can set a Default Workfront Value in the Default Value field. You can also set rules based on the values from your SAML 2.0 Identity Provider.
WARNING: Workfront applies the attribute mappings listed below every time a user logs in to the system, not only when the user is created. Because of this, we do not recommend mapping access levels: a mapping that points at the wrong directory attribute, or at one your identity provider does not send, can silently remove administrative access, including your own, at the next login.
Click Add Mapping to add additional rules.
You can map the following Workfront attributes:
Upload the X.509 certificate that your identity provider uses to sign SAML 2.0 assertions (the page's "SSL certificate" is this signing certificate, not the TLS certificate of either server). Workfront uses its public key to verify the signature on each assertion it receives, which is what allows it to reject a forged or tampered assertion. For OnDemand accounts, a certificate is always required. You can obtain this certificate from your SAML 2.0 system administrator; when the identity provider rotates its signing certificate, update it here before the old certificate stops being used, or logins will fail.
Allows Workfront administrators to access Workfront using their Workfront login. If this option is not selected, Workfront administrators must use their SAML 2.0 username and password.
For users with the Workfront System Administrator access level, Workfront first attempts SAML 2.0 authentication. If the SAML 2.0 authentication fails, Workfront falls back to local authentication for those administrators.
We recommend that you always have this option selected so that your Workfront administrator can log in to Workfront if your SAML 2.0 provider is ever temporarily unavailable. Treat it as a break-glass path: it is a password-only login that bypasses the identity provider's controls such as multi-factor authentication, so keep the System Administrator access level limited to the accounts that need it and protect those accounts with strong, unique Workfront passwords.
Activates SSO on the Workfront system. Ensure that you have communicated login instructions to your users.
After you enable your SSO configuration in Workfront, you must enable the Only Allow SAML 2.0 Authentication setting for all users so that they can use SSO.
For more information about updating users for SSO, see Update users for single sign-on.
For more information about user settings, see Edit a user's profile.
Click Test Connection to verify that Workfront and the SAML 2.0 Identity Provider can communicate with each other. The test succeeds only if the metadata has been exchanged in both directions: the Workfront SAML 2.0 Metadata file uploaded to the identity provider, and the identity provider's metadata (or the equivalent settings) entered in Workfront.
After you successfully test the link between your SAML 2.0 Identity Provider and Workfront, you see a screen similar to the one below.
NOTE: This screen is displayed in a browser pop-up, so ensure that you disable pop-up blockers in your browser.
Save the information displayed in the table, in particular the Directory Attribute Names, because you need them when you map Workfront user attributes to your directory attributes.
Click Save to save the SAML 2.0 configuration.
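The attribute mapping section above, and the warning it carries about mapping access levels, describe behaviour that is easiest to understand by simulating it: mappings run on every login, a missing directory attribute falls back to the Default Value, and value-based rules translate directory values into Workfront values. The script below is an added example, not code from Adobe or the Workfront product; the Workfront attribute names (`emailAddr`, `accessLevel`, `homeGroup`), the directory attribute names, the rule structure and the assertion are all constructed for illustration. It parses the AttributeStatement of a sample assertion the way the Directory Attribute Names table from Test Connection lists it, then shows an administrator being demoted by an access-level mapping whose attribute the identity provider never sends, against the same login with that mapping removed.

```python
"""Simulate attribute mapping applied at every SAML 2.0 login, and the access-level pitfall."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment with hypothetical directory attribute names.
# The IdP sends mail, givenName, sn and department, but no access-level attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>jane.admin@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane.admin@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>IT</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def assertion_attributes(xml_text):
    """Return {directory attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return attrs


def apply_mappings(profile, attrs, rules):
    """Apply every rule to a copy of the profile, as happens on each login.

    A rule maps workfront_attr <- directory_attr. "default" is used when the
    directory attribute is absent from the assertion; "value_rules" translates
    a directory value into a Workfront value. Both mirror the page's Default
    Value and value-based rules, with illustrative field names.
    """
    updated = dict(profile)
    for rule in rules:
        values = attrs.get(rule["directory_attr"])
        if values:
            value = rule.get("value_rules", {}).get(values[0], values[0])
        elif "default" in rule:
            value = rule["default"]
        else:
            continue  # attribute absent and no default: leave the field alone
        updated[rule["workfront_attr"]] = value
    return updated


RISKY_RULES = [
    {"workfront_attr": "emailAddr", "directory_attr": "mail"},
    {"workfront_attr": "firstName", "directory_attr": "givenName"},
    {"workfront_attr": "lastName", "directory_attr": "sn"},
    # The access-level mapping the page warns against: this IdP never sends
    # wfAccessLevel, so the default replaces whatever the user currently has.
    {"workfront_attr": "accessLevel", "directory_attr": "wfAccessLevel", "default": "Requester"},
]

# Same mappings without the access level, plus a value-based rule for the home group.
SAFE_RULES = [r for r in RISKY_RULES if r["workfront_attr"] != "accessLevel"] + [
    {"workfront_attr": "homeGroup", "directory_attr": "department",
     "value_rules": {"IT": "Information Technology"}},
]

ADMIN_PROFILE = {"emailAddr": "jane.admin@example.test", "accessLevel": "System Administrator"}


def simulate_login(profile, rules, assertion_xml=SAMPLE_ASSERTION):
    """One SAML login: parse the assertion's attributes and apply the mapping rules."""
    return apply_mappings(profile, assertion_attributes(assertion_xml), rules)


if __name__ == "__main__":
    print("with access-level mapping:   ", simulate_login(ADMIN_PROFILE, RISKY_RULES))
    print("without access-level mapping:", simulate_login(ADMIN_PROFILE, SAFE_RULES))
```

The risky rule set turns the administrator into a Requester on her next login even though nothing about her changed on the directory side, which is exactly the outcome the warning describes; the safe rule set leaves the access level to be managed in Workfront and still keeps name, email and group in sync.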