Update SAML 2.0 metadata in your IDP when using enhanced authentication

IMPORTANT

The procedure described on this page applies only to organizations that are not yet onboarded to the Adobe Admin Console.

If your organization has been onboarded to the Adobe Admin Console, see Platform-based administration differences (Adobe Workfront/Adobe Business Platform).

As an Adobe Workfront administrator, you can integrate Workfront single sign-on (SSO) with any identity provider that supports the Security Assertion Markup Language (SAML) 2.0 protocol.

The following sections describe the integration process when your Workfront account has been upgraded to the enhanced authentication experience (not yet available to all organizations). For more information about the enhanced authentication experience, see Enhanced Authentication overview.

For information about configuring SAML prior to your migration to the enhanced authentication experience, see Update SAML 2.0 metadata in your identity provider.

Access requirements

You must have the following access to perform the steps in this article:

Adobe Workfront plan: Any
Adobe Workfront license: Plan
Access level configurations: You must be a Workfront administrator.

NOTE: If you still don't have access, ask your Workfront administrator if they set additional restrictions in your access level. For information on how a Workfront administrator can modify your access level, see Create or modify custom access levels.

Use Okta as your identity provider

Okta is an example of an identity provider that supports SAML 2.0. This section describes how to use Okta as your identity provider. Similar steps would be required when configuring another identity provider that supports SAML 2.0.

NOTE

Users are mapped based on their email address. In order to log in to Workfront using Okta, you must have a user with the same (case-insensitive) email address created in your Workfront customer.

Complete the following sections to configure Okta as your identity provider in Workfront.

Create a Workfront app in Okta

  1. Log in to your Okta environment.

  2. Ensure that Classic UI is selected in the upper-left corner of the Okta interface.

  3. In the menu, click Applications > Applications.

  4. Click Add Application, then click Create New App.

  5. In the Create a New Application Integration dialog box, select SAML 2.0, then click Create.

  6. Specify a name for your Workfront app, then click Next.

  7. On the SAML Settings page that appears, gather the values required to complete it:

    1. Without exiting the browser tab where the Okta interface is displayed, open a separate browser tab or window.

    2. Specify the following URL in the browser:

      https://[your_customer_subdomain].my.workfront.com/auth/saml2/metadata

    3. In the resulting XML file, identify the values for entityID and Location.

    4. Copy the value from the entityID field to your system clipboard. Do not close this browser tab.

  8. Go back to the SAML Settings page that you opened in Step 6.

  9. Paste the value from the entityID field into the Audience URI (SP Entity ID) field.

  10. In the XML file in your other browser tab, copy the value from the Location field.

  11. Paste the value from the Location field into the Single sign on URL field.

  12. Scroll to the Attribute Statements (Optional) section.

  13. In the Name field, specify email.

  14. In the Value field, specify user.email.

  15. (Optional) Add any advanced values.

  16. Click Next.

  17. Select I'm an Okta customer adding an internal app, then click Finish.

Add your Okta instance as an identity provider in Workfront

This procedure provides essential information for configuring Okta as an identity provider in Workfront. For additional information about other mappings or configuration options, see Configure Adobe Workfront with SAML 2.0.

  1. Download the identity provider metadata for your Okta instance:

    1. Log in to your Okta environment.

    2. Ensure that Classic UI is selected in the upper-left corner of the Okta interface.

    3. In the menu, click Applications > Applications.

    4. Click the Workfront app that you created, as described in the section Create a Workfront app in Okta.

    5. On the Sign On tab, click Identity Provider metadata.

      The metadata is opened as XML in a new browser tab.

    6. Copy the URL that is displayed in the browser URL field.

  2. Log in to Workfront as a Workfront administrator.

  3. Click the Main Menu icon in the upper-right corner of Adobe Workfront, then click Setup.

  4. In the left panel, click System > Single Sign-On (SSO).

  5. (Conditional) If you see two tabs, click the New SSO Providers tab.

    IMPORTANT

    Do not delete your existing SSO configuration settings in the Current SSO Provider tab until your account is updated to the enhanced authentication experience and the new SSO configuration is fully functional.

  6. Click New SSO Provider.

  7. Specify a name, such as Okta IDP, then specify a description.

  8. In the Populate fields from Identity Provider Metadata section, paste the URL that you copied in Step 1 into the Metadata URL field.
    Alternatively, you can click Choose File to upload an .xml file, but we recommend that you paste the URL.

  9. In the Map User Attributes section, in the Directory Attribute field, type email. (Email Address is already populated in the Workfront User Attribute field.)

  10. (Optional) Enable Make Default SSO Provider to send unauthenticated users to the identity provider login screen instead of to the Workfront login screen for authentication. We recommend that you enable this option only if all users in your system access Workfront through the identity provider.

  11. Select the Enable checkbox. Before doing this, make sure that users in your system are aware of the new login experience so that they do not lose access to Workfront.

  12. Click Test Connection.
    You should see a message telling you the connection is successful.

  13. Click Save.
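The two metadata documents exchanged in the procedures above (the Workfront SP metadata whose entityID and Location go into the Okta app, and the Okta IdP metadata whose URL goes into Workfront) are ordinary SAML 2.0 metadata XML. The following script, an added example that is not part of this page or of Workfront, extracts those values with the Python standard library and sanity-checks the IdP metadata before it is pasted into the Metadata URL field (SSO endpoint must be HTTPS, a signing certificate must be present). Both metadata samples are constructed with placeholder hostnames and a placeholder certificate, not real Workfront or Okta output.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces used by both documents.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of SP metadata (placeholder subdomain, not real Workfront output).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://example.my.workfront.com/auth/saml2">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://example.my.workfront.com/auth/saml2/acs" index="0"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of IdP metadata (placeholder tenant and certificate, not real Okta output).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk-PLACEHOLDER">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>UExBQ0VIT0xERVIgQ0VSVA==</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://example.okta.com/app/example/exk-PLACEHOLDER/sso/saml"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sp_values(xml_text):
    """Return (entityID, ACS Location): the values pasted into Okta's
    'Audience URI (SP Entity ID)' and 'Single sign on URL' fields."""
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if root.get("entityID") is None or acs is None:
        raise ValueError("not SP metadata: entityID or AssertionConsumerService missing")
    return root.get("entityID"), acs.get("Location")


def idp_check(xml_text):
    """Return (entityID, SSO Location, problems) for IdP metadata. An empty
    problems list means the endpoint is HTTPS and a signing certificate exists;
    checking the certificate's expiry would need an X.509 parser, not done here."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    cert = root.findtext("md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']"
                         "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", None, NS)
    problems = []
    if sso is None or not sso.get("Location", "").startswith("https://"):
        problems.append("SingleSignOnService missing or not HTTPS")
    if not (cert or "").strip():
        problems.append("no signing certificate in KeyDescriptor")
    return root.get("entityID"), (sso.get("Location") if sso is not None else None), problems
```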

Using other identity providers

When using identity providers other than Okta (such as Ping or Centrify), you must re-upload the Workfront metadata to your identity provider.
