Configuring ADFS For Sandbox 1 (Custom Refresh) Video Tutorial




  • You're logged into your Sandbox 1 or 2 environment
  • You can access ADFS 2.0 and Active Directory Users from SCAR or a customer's AD server


Steps to Duplicate

  1. Navigate to your Sandbox environment's Setup ( > System > Single Sign-On. 
  2. Select the type "SAML 2.0".
  3. Copy the Metadata URL (
  4. [Screenshot: Screen_Shot_2017-09-16_at_9.18.28_AM.png]
  5. Open the ADFS Manager on the Windows Server 2008 R2 machine (version may vary).
  6. Navigate to Start.
  7. Click Administration Tools.
  8. Click ADFS 2.0 Management.
  9. [Screenshot: adfs_2_management.png]
  10. Select ADFS and expand Trust Relationships.
  11. Right-click Relying Party Trusts and select Add Relying Party Trust.
  12. [Screenshot: add_relying_party_trust.png]
  13. From the Welcome Page, select Start, pasting the Metadata URL from above ( into the "Import data about the relying party published online or on a local network" option.
  14. [Screenshot: Screen_Shot_2017-09-16_at_9.21.28_AM.png]
  15. Click Next.
  16. Select OK to acknowledge the message that "Some of the content in the federation metadata was skipped because it is not supported by AD FS 2.0. Review the properties of the trust carefully before you save the trust to the AD FS configuration database". 
  17. Add a Display Name and Notes to distinguish the Trust.
  18. Select Permit all users to access this relying party (or None if you want to configure this later).
  19. [Screenshot: permit_all_users.png]
  20. Select Next.
  21. Click Next on Ready to Add Trust, then select the checkbox to edit Claim Rules after closing the current window.
  22. Click to close.
  23. Click Add Rule.
  24. Select Send LDAP Attributes as Claims.
  25. [Screenshot: send_ldap_attributes_as_claims.png]
  26. Select Next.
  27. Give the claim rule a name and select Active Directory from the Active Directory Store.
  28. Use the attributes from the next step, which are the minimum claim rules that must be sent.
  29. The LDAP Attribute: SAM-Account-Name should be selected and sent as the Outgoing Claim Type: Name ID.
  30. [Screenshot: required_attributes.png]
  31. Note: To set up auto-provisioning, follow the screenshot below, which contains the required fields for the most basic auto-provisioning using ADFS 2.0.
  32. [Screenshot: auto_provisioning_attributes.png]
  33. Select Finish, and OK to move to the next screen.
  34. Open another tab in your browser (containing your Sandbox 1 environment, to make it easy) and navigate to https://[your server]/FederationMetadata/2007-06/FederationMetadata.xml. For example, when using SCAR, you should navigate to This will download a Metadata file named "FederationMetadata.xml". 
  35. Navigate back into your Sandbox environment's SSO configuration. 
  36. For the "Populate fields from Identity Provider Metadata" field, select "Choose File" and upload the XML file you just downloaded. Note that the Login URL and certificate information were filled in automatically because of this action.
  37. Update the Secure Hash Algorithm field to contain "SHA-256", the same as what we configured in SCAR. 
  38. Save the changes made so far in the Workfront Sandbox SSO configuration. 
  39. In the Active Directory server, navigate into Active Directory Users and Computers.
  40. Create a new user that will match with a user in your Sandbox environment. Note: For this test, I didn't require the user to change their password at the next login, and I set the password to never expire, but these are not incredibly secure choices and were made for the purpose of outlining how to complete this process.
  41. [Screenshot: Screen_Shot_2017-09-16_at_9.29.33_AM.png]
  42. In your Workfront Sandbox environment, navigate to the example user (Frodo Baggins, in this case) and edit his or her profile to have a Federation ID matching the value entered for the User Logon Name field (frodobaggins). 
  43. [Screenshot: Screen_Shot_2017-09-16_at_9.27.40_AM.png]
  44. Save the changes to the user's profile, then navigate back into the SSO configuration. 
  45. Select Test Connection. If you receive a success message here, you've done everything correctly up to this point. If not, troubleshoot using the error message you receive. Note: Make sure to provide an exemption for system administrators, and make sure you know the Workfront username and password of at least one system administrator before enabling this configuration, just to be safe.
  46. [Screenshot: Screen_Shot_2017-09-16_at_9.30.43_AM.png]
  47. With a successful "Test Connection", enable the configuration and save the changes. 
  48. In an incognito/private browsing window, navigate to your sandbox environment ( You should see a request in the browser for your SSO username and password ("frodobaggins" and "WoudntYouLikeToKnow", in this example). If the credentials match, you're home free!
  49. [Screenshot: Screen_Shot_2017-09-16_at_9.35.24_AM.png]