Renew the Adobe Workfront SAML 2.0 metadata certificate
The Adobe Workfront servers utilize the SAML 2.0 protocol for authentication and authorization. Once updated, the new certificate remains valid for one year. When it is time for you to renew the certificate on your identity provider, you receive a warning in Workfront alerting you that this change must occur. As a Workfront administrator, you can manage this change at the system level.
Access requirements
You must have the following access to perform the steps in this article:
| |
---|---|
Adobe Workfront plan | Any |
Adobe Workfront license | New: Standard or Current: Plan |
Access level configurations | You must be a Workfront administrator. |
For more detail about the information in this table, see Access requirements in Workfront documentation.
Configure SAML 2.0 within Workfront
To review the warning message and acknowledge the update of the SAML 2.0 metadata in your identity provider:
1. Click the Main Menu icon in the upper-right corner of Adobe Workfront, or (if available), click the Main Menu icon in the upper-left corner, then click Setup.
2. Click System > Single Sign-On.
3. In the Type drop-down menu, select SAML 2.0.
4. Click Download SAML 2.0 Metadata.
   This downloads the renewed Workfront certificate for SAML 2.0, which contains the correct metadata for your server.
5. In your identity provider, copy your current Assertion Consumer Service (ACS) URL (also known as the Reply URL) to a safe place.
   CAUTION: Before you upload the Workfront metadata to your Single Sign-On (SSO) provider in Step 6, copy your current Assertion Consumer Service (ACS) URL to a safe place. This URL, also known as the Reply URL, is found on your SSO provider’s Workfront configuration page. If the ACS URL changes after you upload the Workfront metadata, this means that the metadata might contain an incorrect ACS URL. You must change it back to the one you copied in order to avoid breaking your Single Sign-On connection. Your updated certificate will still be correct after you do this.
6. In your identity provider server, update the new certificate you downloaded.
7. (Conditional) If the Assertion Consumer Service (ACS) URL or Reply URL has changed in your identity provider, change it back to the URL you copied in Step 5.
8. In Workfront, on the Single Sign-on (SSO) page, make sure that this option is selected: The new Workfront certificate has already been uploaded to the Identity Provider.
   NOTE:
   - This option is visible only if all of the following apply:
     - Your organization is already set up for SAML 2.0
     - The current certificate is ready to expire
     - The new certificate is available
   - When this field is selected, Workfront administrators can log in to Workfront with their SSO credentials or their Workfront credentials.
9. Click Save.
   The warning message no longer displays because you acknowledged the renewal of the SAML 2.0 certificate on the server of your identity provider.
10. Click Test Connection to test your configuration.
    You should see a message confirming that the connection was successful.
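A check you can run on the downloaded file before the upload in Step 6, as an added example that is not Adobe's code: it compares the ACS URL saved in Step 5 with the one in the renewed metadata and confirms that the embedded certificate actually changed. It assumes the download follows the standard SAML 2.0 service provider metadata layout; the function names, URLs and certificate bytes below are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def summarize_sp_metadata(xml_text):
    """Return (ACS URLs, SHA-256 fingerprints of embedded certificates)."""
    root = ET.fromstring(xml_text)
    acs = [e.get("Location") for e in
           root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)]
    prints = []
    for cert in root.iterfind(".//md:KeyDescriptor//ds:X509Certificate", NS):
        # Metadata stores the certificate as base64 DER, often line-wrapped.
        der = base64.b64decode("".join((cert.text or "").split()))
        prints.append(hashlib.sha256(der).hexdigest())
    return acs, prints

def check_renewal(saved_acs_url, old_xml, new_xml):
    """List problems to resolve before uploading the renewed metadata."""
    _, old_prints = summarize_sp_metadata(old_xml)
    new_acs, new_prints = summarize_sp_metadata(new_xml)
    problems = []
    if saved_acs_url not in new_acs:
        problems.append(f"ACS URL in metadata differs from saved value: {new_acs}")
    if not new_prints:
        problems.append("renewed metadata carries no certificate")
    elif set(new_prints) <= set(old_prints):
        problems.append("certificate unchanged, metadata was not renewed")
    return problems

def sample_metadata(acs, cert_bytes):
    """Constructed SP metadata for the demo; not real Workfront output."""
    cert = base64.b64encode(cert_bytes).decode()
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}">'
            '<md:SPSSODescriptor><md:KeyDescriptor><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            f'<md:AssertionConsumerService index="0" Location="{acs}"/>'
            '</md:SPSSODescriptor></md:EntityDescriptor>')

if __name__ == "__main__":
    saved = "https://sso.example.invalid/acs"  # constructed placeholder URL
    old = sample_metadata(saved, b"constructed-old-cert")
    new = sample_metadata("https://other.example.invalid/acs", b"constructed-new-cert")
    for problem in check_renewal(saved, old, new):
        print("CHECK:", problem)
```

An empty result means the saved ACS URL is present in the renewed metadata and the certificate fingerprint differs from the previous one.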
For more information, or for assistance with the manual configuration of metadata, please contact our Support Team, as explained in Contact Customer Support.