Renew the Adobe Workfront SAML 2.0 metadata certificate


The procedure described on this page applies only to organizations that have not yet been onboarded to the Admin Console. If your organization has been onboarded to the Adobe Admin Console, no action is necessary.

For a list of procedures that differ based on whether your organization has been onboarded to the Adobe Admin Console, see Platform-based administration differences (Adobe Workfront/Adobe Business Platform).

The Adobe Workfront servers utilize the SAML 2.0 protocol for authentication and authorization. Once updated, the new certificate remains valid for one year. When it is time for you to renew the certificate on your identity provider, you receive a warning in Workfront alerting you that this change must occur. As a Workfront administrator, you can manage this change at the system level.


This is not available if your organization’s Workfront instance is enabled with Adobe IMS. See your network or IT administrator if you need more information.

Access requirements

You must have the following access to perform the steps in this article:

Adobe Workfront plan Any
Adobe Workfront license Plan
Access level configurations

You must be a Workfront administrator.

NOTE: If you still don't have access, ask your Workfront administrator if they set additional restrictions in your access level. For information on how a Workfront administrator can modify your access level, see Create or modify custom access levels.

Configure SAML 2.0 within Workfront

To review the warning message and acknowledge the update of the SAML 2.0 metadata in your identity provider:

  1. Click the Main Menu icon in the upper-right corner of Adobe Workfront, then click Setup .

  2. Click System > Single Sign-On.

  3. In the Type drop-down menu, select SAML 2.0.

  4. Click Download SAML 2.0 Metadata.

    This downloads the renewed Workfront certificate for SAML 2.0, which contains the correct metadata for your server.


    Before you upload the Workfront metadata to your Single Sign-On (SSO) provider in Step 5, copy your current Assertion Consumer Service (ACS) URL to a safe place. This URL, also known as the Reply URL, is found on your SSO provider’s Workfront configuration page.

    If the ACS URL changes after you upload the Workfront metadata, this means that the metadata might contain an incorrect ACS URL. You must change it back to the one you copied in order to avoid breaking your Single Sign-On connection. Your updated certificate will still be correct after you do this.

  5. Go to your identity provider server and update the new certificate you downloaded.

  6. In Workfront, on the Single Sign-on (SSO) page, make sure that this option is selected: The new Workfront certificate has already been uploaded to the Identity Provider.

    When this field is selected, Workfront administrators can log in to Workfront with their SSO credentials or their Workfront credentials.

  7. Click Save.

    The warning message no longer displays because you acknowledged the renewal of the SAML 2.0 certificate on the server of your identity provider.

  8. Click Test Connection to test your configuration.

    You should see a message confirming that the connection was successful.

For more information, or for assistance with the manual configuration of metadata, please contact our Support Team, as explained in Contact Customer Support.

On this page