This article focuses specifically on Adobe Workfront and SAML and does not cover other SSO authentication methods.
In a database, Workfront stores eawch user’s email address as their Workfront username, along with their Workfront password. These credentials are replicated in the Preview and Custom Refresh Sandboxes.
During user creation, if Workfront detects that SAML 2.0 is configured, it defaults to “Only Allow SAML 2.0 Authentication”" for the user. If the “Send an invite email to this person” box is enabled, Workfront disables “Only Allow SAML 2.0 Authentication” and hides this option. Once “Send an invite email to this person” is enabled, the user becomes a non-SAML Workfront user.
After user creation, you can edit the user and enable Only Allow SAML 2.0 Authentication so that their user and password are controlled by the SAML system.
With this done, the user is can log in only via SAML. When they go to the Workfront URL, they are automatically redirected to the SAML system and prompted for their SAML username and password.
SAML credentials are stored in an external SAML system, such as Microsoft’s ADFS, not in Workfront.