Enable authentication to Workfront with SAML 2.0

To enable authentication to the Workfront web application and the Workfront mobile application with SAML 2.0, complete the following sections:

Retrieve the Workfront SSO metadata file

  1. Click the Main Menu icon in the upper-right corner of Adobe Workfront, or (if available), click the Main Menu icon in the upper-left corner, then click Setup.

  2. In the left panel, click System > Single Sign-On (SSO).

  3. In the Type drop-down menu, click SAML 2.0 to display additional information and options.

  4. Copy the URL that displays after Metadata URL.

  5. Continue to the following section, Configure Relying Party Trusts.

Configure Relying Party Trusts

  1. Open the ADFS Manager using Windows Server 2008 R2 (version may vary).

  2. Go to Start.

  3. Click Administration Tools.

  4. Click ADFS 2.0 Management.

  5. Select ADFS and expand Trust Relationships.

  6. Right-click Relying Party Trusts, then select Add Relying Party Trust to launch the Add Relying Party Trust Wizard.

  7. From the Welcome Page, select Start.

  8. In the Select Data Source section, paste the metadata URL from Workfront.

  9. Click Next.

  10. Click OK to acknowledge the warning message.

  11. In the Specify Display Name section, add a Display Name and Notes to distinguish the Trust, then click Next.

  12. Select Permit all users to access this relying party (or None if you want to configure this later).

  13. Click Next.

    This takes you to the Ready to Add Trust section.

  14. Continue to the following section, Configure Claim Rules.

Configure Claim Rules

  1. Click Next in the Ready to Add Trust section, then ensure that the Open the Edit Claim Rules dialog box option is selected.

    This will allow you to edit Claim Rules in a future step.

  2. Click Close.

  3. Click Add Rule.

  4. Select Send LDAP Attributes as Claims.

  5. Click Next to display the Configure Claim Rule step.

  6. Specify the following minimum requirements to configure the claim rule. (This value goes in the Federation ID on the user setup and is used to distinguish who is logging in.)

    Claim rule name: Specify a name for the claim rule. For example, "Workfront."
    Attribute store: Select Active Directory from the drop-down menu.
    LDAP Attribute: This can be any type of attribute. We recommend using SAM-Account-Name for this attribute.
    Outgoing Claim Type: You must select Name ID as the outgoing claim type.

  7. (Optional) In order to establish auto provisioning, add the following additional claims in both the LDAP Attribute and Outgoing Claim Type:

    • Given Name
    • Surname
    • E-Mail Address

  8. Click Finish, then click OK on the next screen.

  9. Right-click the new Relying Party Trust, then select Properties.

  10. Select the Advanced tab, then under Secure Hash Algorithm select SHA-1 or SHA-256.

    NOTE
    The option that you select under Secure Hash Algorithm must match the Secure Hash Algorithm field in Workfront under Setup > System > Single Sign-On (SSO).

  11. Continue to the following section, Upload the metadata file and test the connection.
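
To confirm the claim rule and Secure Hash Algorithm settings above once the trust is in place, the following added example (not part of the Workfront documentation) inspects the base64 SAMLResponse form field captured from a test login and reports a signature algorithm mismatch, a missing Name ID, or missing auto-provisioning claims. The function name and the sample response are assumptions of this example, and the claim type URIs are the standard ones AD FS emits for Given Name, Surname and E-Mail Address; it checks structure only and does not validate the signature.

```python
import base64
import xml.etree.ElementTree as ET  # adequate for your own IdP's output, not hardened for hostile XML

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# XML-DSig SignatureMethod URIs for the two Secure Hash Algorithm choices.
SIG_ALGS = {"SHA-1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
            "SHA-256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"}
# Claim type URIs for the optional auto-provisioning claims.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
PROVISIONING = {"Given Name": CLAIMS + "givenname",
                "Surname": CLAIMS + "surname",
                "E-Mail Address": CLAIMS + "emailaddress"}

def check_response(b64_response, workfront_hash, auto_provisioning=False):
    """Return a list of configuration problems in one base64 SAMLResponse.
    Inspects structure only; the signature itself is not verified here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    used = {m.get("Algorithm", "") for m in root.iterfind(".//ds:SignatureMethod", NS)}
    if not used:
        problems.append("response carries no signature")
    elif used != {SIG_ALGS[workfront_hash]}:
        problems.append(f"signed with {sorted(used)}, Workfront is set to {workfront_hash}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("no Name ID in Subject (outgoing claim type must be Name ID)")
    if auto_provisioning:
        sent = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
        problems += [f"missing claim: {label}"
                     for label, uri in PROVISIONING.items() if uri not in sent]
    return problems

# Constructed sample: SHA-1 signature method, Name ID present, no e-mail claim.
SAMPLE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><Assertion>
<ds:Signature><ds:SignedInfo>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
</ds:SignedInfo></ds:Signature><Subject><NameID>jdoe</NameID></Subject><AttributeStatement>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/>
</AttributeStatement></Assertion></samlp:Response>""")

if __name__ == "__main__":
    for problem in check_response(SAMPLE, "SHA-256", auto_provisioning=True):
        print("PROBLEM:", problem)
```
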