Configure Adobe Workfront with SAML 2.0 using ADFS

The procedure described on this page applies only to organizations that are not yet onboarded to the Adobe Admin Console.
If your organization has been onboarded to the Adobe Admin Console, see Platform-based administration differences (Adobe Workfront/Adobe Business Platform).

As an Adobe Workfront administrator, you can integrate Workfront with a Security Assertion Markup Language (SAML) 2.0 solution for single sign-on while using Active Directory Federation Services (ADFS).

This guide focuses on setting up ADFS without auto provisioning or attribute mappings. We recommend that you complete the setup and test it prior to setting up any auto provisioning.

Access requirements

You must have the following access to perform the steps in this article:

Adobe Workfront plan
Adobe Workfront license
Access level configurations

You must be a Workfront administrator.

NOTE: If you still don't have access, ask your Workfront administrator if they set additional restrictions in your access level. For information on how a Workfront administrator can modify your access level, see Create or modify custom access levels.

Enable authentication to Workfront with SAML 2.0

To enable authentication to the Workfront web application and the Workfront mobile application with SAML 2.0, complete the following sections:

Retrieve the Workfront SSO metadata file retrieve-the-workfront-sso-metadata-file

  1. Click the Main Menu icon in the upper-right corner of Adobe Workfront, then click Setup .
  2. In the left panel, click System > Single Sign-On (SSO).
  3. In the Type drop-down menu, click SAML 2.0 to display additional information and options.
  4. Copy the URL that displays after Metadata URL.
  5. Continue to the following section, Configure Relying Party Trusts.

Configure Relying Party Trusts configure-relying-party-trusts

  1. Open the ADFS Manager using the Windows server 2008 R2 (version may vary).

  2. Go to Start.

  3. Click Administration Tools.

  4. Click ADFS 2.0 Management.

  5. Select ADFS and expand Trust Relationships.

  6. Right-click Relying Party Trusts, then select Add Relying Party Trust to launch the Add Relying Party Trust Wizard.

  7. From the Welcome Page, select Start.

  8. In the Select Date Source section, paste the metadata URL from Workfront.

  9. Click Next.

  10. Click OK to acknowledge the warning message.

  11. In the Specify Display Name section, add a Display Name and Notes to distinguish the Trust, then click Next.

  12. Select Permit all user to access this relying party (Or None if you want to configure this later).

  13. Click Next.

    This takes you to the Ready to Add Trust section.

  14. Continue to the following section Configure Claim Rules.

Configure Claim Rules configure-claim-rules

  1. Click Next in the Ready to Add Trust section, then ensure that the Open the Edit Claim Rules dialog box option is selected.

    This will allow you to edit Claim Rules in a future step.

  2. Click Close.

  3. Click Add Rule.

  4. Select Send LDAP Attribute as Claims.

  5. Click Next to display the Configure Claim Rule step.

  6. Specify the following minimum requirements to configure the claim rule: (This will go in the Federation ID on the user setup and is used to distinguish who is logging in.)

    table 0-row-2 1-row-2 2-row-2 3-row-2 html-authored no-header
    Claim rule name Specify a name for the claim rule. For example, "Workfront."
    Attribute store Select Active Directory from the drop-down menu.
    LDAP Attribute This can be any type of attribute. We recommend using SAM-Account-Name for this attribute.
    Outgoing Claim Type You must select Name ID as the outgoing claim type
  7. (Optional) In order to establish auto provisioning, add the following additional claims in both the LDAP Attribute and Outgoing Claim Type:

    • Given Name
    • Surname
    • E-Mail Address
  8. Click Finish, then click OK on the next screen.

  9. Right-click the new Relying Party Trust, then select Properties.

  10. Select the Advanced Tab. And under Secure Hash Algorithm select SHA-1 or SHA-256.

    note note
    The option that you select under Secure Hash Algorithm must match the Secure Hash Algorithm field in Workfront under Setup > System > Single Sign-ON (SSO).
  11. Continue to the following section Upload the metadata file and test the connection.

Upload the metadata file and test the connection upload-the-metadata-file-and-test-the-connection

  1. Open a browser and navigate to https://<yourserver>/FederationMetadata/2007-06/FederationMetadata.xml .

    This should download a Metadata file FederationMetadata.xml file.

  2. Click Choose File under Populate fields from Identity Provider Metadata, and select the FederationMetadata.xml file.

  3. (Optional) If the certificate information did not populate with the metadata file, you can upload a file separately. Select Choose File in the Certificate section.

  4. Click Test Connection. If set up correctly, you should see a page similar to the one shown below:

    note note
    If you want to set up attribute mapping, ensure that you copy the attributes from the Test Connection into the Directory Attribute. For more information, see Mapping User Attributes.
  5. Select Admin Exemption to allow Workfront administrators to log in using Workfront credentials with the bypass url.

    Bookmarks pointing to <yourdomain> bypass the redirect.

  6. Select the Enable box to enable the configuration.

  7. Click Save.

About updating users for SSO

Following this guide, the SSO Username will be their Active Directory Username.

As a Workfront administrator, you can bulk update users for SSO. For more information about updating users for SSO, see Update users for single sign-on.

As a Workfront administrator, you can also manually assign a Federation ID editing the user’s profile and completing the Federation ID field. For more information about editing a user, see Edit a user’s profile.

When editing users’ profiles to include a Federation ID, selecting Only Allow SAML 2.0 Authentication removes the ability to log in to Workfront using the bypass url (<yourdomain>