The procedure described on this page applies only to organizations that have not yet been onboarded to the Admin Console. If your organization has been onboarded to the Adobe Admin Console, no action is necessary.
For a list of procedures that differ based on whether your organization has been onboarded to the Adobe Admin Console, see Platform-based administration differences (Adobe Workfront/Adobe Business Platform).
The Adobe Workfront servers utilize the SAML 2.0 protocol for authentication and authorization. Once updated, the new certiﬁcate remains valid for one year. When it is time for you to renew the certiﬁcate on your identity provider, you receive a warning in Workfront alerting you that this change must occur. As a Workfront administrator, you can manage this change at the system level.
This is not available if your organization’s Workfront instance is enabled with Adobe IMS. See your network or IT administrator if you need more information.
You must have the following access to perform the steps in this article:
|Adobe Workfront plan||Any|
|Adobe Workfront license||Plan|
|Access level configurations||
You must be a Workfront administrator.
NOTE: If you still don't have access, ask your Workfront administrator if they set additional restrictions in your access level. For information on how a Workfront administrator can modify your access level, see Create or modify custom access levels.
To review the warning message and acknowledge the update of the SAML 2.0 metadata in your identity provider:
Click the Main Menu icon in the upper-right corner of Adobe Workfront, then click Setup .
Click System > Single Sign-On.
In the Type drop-down menu, select SAML 2.0.
Click Download SAML 2.0 Metadata.
This downloads the renewed Workfront certiﬁcate for SAML 2.0, which contains the correct metadata for your server.
Before you upload the Workfront metadata to your Single Sign-On (SSO) provider in Step 5, copy your current Assertion Consumer Service (ACS) URL to a safe place. This URL, also known as the Reply URL, is found on your SSO provider’s Workfront configuration page.
If the ACS URL changes after you upload the Workfront metadata, this means that the metadata might contain an incorrect ACS URL. You must change it back to the one you copied in order to avoid breaking your Single Sign-On connection. Your updated certificate will still be correct after you do this.
Go to your identity provider server and update the new certiﬁcate you downloaded.
In Workfront, on the Single Sign-on (SSO) page, make sure that this option is selected: The new Workfront certificate has already been uploaded to the Identity Provider.
When this ﬁeld is selected, Workfront administrators can log in to Workfront with their SSO credentials or their Workfront credentials.
The warning message no longer displays because you acknowledged the renewal of the SAML 2.0 certiﬁcate on the server of your identity provider.
Click Test Connection to test your conﬁguration.
You should see a message confirming that the connection was successful.
For more information, or for assistance with the manual conﬁguration of metadata, please contact our Support Team, as explained in Contact Customer Support.