Single Sign-On in Workfront Proof: AD FS configuration

This article refers to functionality in the standalone product Workfront Proof. For information on proofing inside Adobe Workfront, see Proofing.

If you are an administrator on your AD server, you can install and configure AD FS.

Installing and Configuring AD FS

  1. Download AD FS 2.0 to your computer.

  2. Open the downloaded AdfsSetup.exe file to start the ADFS (Active Directory Federation Services) Installation Wizard.

  3. On the Server Role screen, select one of the options (you need at a minimum a Federation Server).

  4. If you do not want to expose IIS on your AD server to the internet (ports 80 and 443 for HTTP and HTTPS), you can first set up a Federation Server behind the firewall, then build a second Federation Server Proxy that passes requests through the firewall to the Federation Server.

  5. Once you complete the AD FS setup, select Start the AD FS 2.0 Management snap-in, then click Finish. Once this is completed, the AD FS 2.0 Management window should open right away. If not, you can open it from Start > Administrative Tools > AD FS 2.0 Management. This is the main AD FS control application.

  6. Begin by clicking AD FS 2.0 Federation Server Configuration Wizard.
    This will help you to configure AD FS and connect it to both the Internet via IIS and to AD.

  7. If you are configuring a new AD FS server, select Create a new Federation Service.

  8. Select Stand-alone federation server (for testing and evaluation purposes).

  9. For high availability and load balancing, click New federation server farm.

  10. Specify your Federation Service name.
    By default the configuration wizard retrieves the SSL certificate bound to the Default Web Site in IIS and will use the subject name specified there. If you use a wildcard certificate you will need to enter the Federation Service name.
    If there is no SSL certificate configured in IIS, then the configuration wizard will search in the local computer certificate store for any valid certificates. These display in the SSL certificate drop-down. If there are no certificates found, you can use the Server Certificate Generator in IIS to create one.

  11. Continue with the configuration, and click Close once it is complete.

Configuring Workfront Proof Single Sign-On

If you are a Workfront Proof administrator, you can configure Single Sign-On on the Workfront Proof side. For more information, see Single Sign-On in Workfront Proof.

  1. Click Settings > Account Settings, then open the Single sign-on tab.

  2. In the SSO URL box, paste your Entity ID.
    The following is an example of an Entity ID:
    Your Entity ID can be found in your Federation Metadata XML file.

  3. Federation Metadata is found in the AD FS 2.0 snap-in > Service > Endpoints folder. In the Metadata section, locate the one with the Federation Metadata type. To view metadata, paste this endpoint in your browser. You can also go to this link directly: https://<>/FederationMetadata/2007-06/FederationMetadata.xml after replacing the {} with your own details.

  4. In the Login URL box, paste your SSO login.

  5. The following is an example of an SSO login:

  6. http://<>/adfs/ls.

  7. This link can be located in the Federation Metadata XML file.

  8. In the Logout URL box, enter the link and save.
    The following is an example of a Logout URL:

    1. Go to your AD FS manager > Trust Relationships > Relying Party Trusts - ProofHQ properties.

    2. Under the Endpoints, click Add and entry with the following details:

      • Endpoint Type = SAML Logout
      • Binding = POST
      • URL = https://<>/adfs/ls/?wa=wsignout1.0
      • This step can be completed after configuring the Relying Party Trust (see below) in your AD FS.
    3. In the Certificate fingerprint box, enter the data from your certificate.

    4. Go to your ADFS 2.0 snap-in navigate to Service > Certificates > Token-signing.

    5. Right-click on this entry to view the certificate.

    6. From the Certificate Details tab copy the Thumbprint, and paste it in the Workfront Proof Single Sign-On configuration tab.

    7. The fingerprint characters can be separated with colons or spaces, but we do recommend removing these. If you have any troubles with your Single Sign-On configuration, please contact the Customer Support team.

Adding a Relying Party Trust

Once configuration is complete, you need to work in the Relying Party Trusts section in your AD FS.

  1. Navigate to Trust Relationships > Relying Party Trusts folder, then click Add a Relying Party Trust to start the configuration wizard.

  2. Select your data source.
    All metadata for your ProofHQ account is located under a link like this:
    This will configures most of the Relying Party Trust.

    note note
    • If you’re having any troubles with establishing the connection from the URL, save the metadata as a file and choose to import data from a file.
    • When you have a full Custom domain (e.g., configured on your ProofHQ account replace the whole “{yoursubdomain}” part with your own domain to create your ProofHQ metadata link.

Configuring Claim Rules

Once your Relying Party Trust configuration is complete, you are ready to configure the claim rules to complete the set up. You will configure two claim rules for ProofHQ: E-mail and Name ID.

  1. Open the Edit Claim Rules dialog box.

  2. Go to ProofHQ Relying Party Trust, then click Edit Claim Rules (1).
    The pop-up should automatically open if you selected this option at the end of configuring the trust.

  3. Click Add Rule (2) to open the claim configuration window.

    • E-mail (Send LDAP Attributes as Claims rule template)
    • NameID (Transform an Incoming Claim rule template)