Managing the Renewal of the Workfront SAML 2.0 Certificate


This article was last updated on December 15, 2017

The information on this page is intended for those customers who have SAML 2.0 enabled as their Single Sign-On type. 
For more information about setting up your Single Sign-On in Workfront, see "Understanding Single Sign-On in Workfront."

Deadline for Certificate Renewal

The Workfront servers utilize the SAML 2.0 protocol for authentication and authorization, and our SAML 2.0 security certificate will be expiring soon. We plan to update the old certificate with its replacement on January 16, 2018.

IMPORTANT You can update your certificate manually, or it can be updated automatically if your IDP is set up to automatically update the metadata. 
If the metadata is updated automatically, you must take action immediately after the update has happened.
If you update the metadata manually, you must make the update before January 16, 2018. Mismatched certificates can keep your users from logging in to Workfront after the metadata has been updated automatically, or after January 16, 2018. 

Once updated, the new certificate will remain valid for three years. 

Renewing the Workfront SAML 2.0 Certificate and Acknowledging the Update of the SAML 2.0 Metadata on Your IDP Server

When the new certificate is available, a warning message appears in Workfront on the Single Sign-On setup page, alerting you that this change must occur. 

As a system administrator, you can manage this change at the system level. 

IMPORTANT If your identity provider’s server is enabled to automatically update the metadata, your certificate will automatically update on the SAML 2.0 server of your identity provider. You must still acknowledge in Workfront that the update has happened by following the steps below. 

To review the warning message and acknowledge the update of the SAML 2.0 metadata in your identity provider:

  1. Navigate to the Setup area in your Global Navigation Bar.
  2. Expand the System drop-down menu, then click Single Sign-On.
  3. Ensure that the Type selected for your SSO provider is SAML 2.0.
    NOTE You only see the warning message if you have SAML 2.0 selected in the Type drop-down menu and if you have not yet confirmed that the new certificate has been uploaded to your identity provider. 
  4. (Conditional) If you use Azure or Okta for your IDP server, continue with step 7. 
  5. (Conditional) If your IDP server is not set up to automatically update the metadata, click Download SAML 2.0 Metadata under the warning message and save it on your computer. This will download the renewed Workfront certificate for SAML 2.0 which contains the correct metadata for your server. 
    NOTE If your IDP server is set up to automatically update the metadata, the download and installation of the certificate on the IDP server has happened in the background. Check with your SSO administrator to verify the setup on the IDP server. 
  6. (Mandatory and conditional) If you manually downloaded the new certificate, navigate away from Workfront to your identity provider server and upload the new certificate you downloaded from Workfront to that server. 
    For more information about updating SAML 2.0 metadata on the server of your identity provider, see "Updating SAML 2.0 Metadata in Your Identity Provider." 
  7. Navigate back to Workfront and select the "The new Workfront certificate has already been uploaded to the Identity Provider" field. 
    IMPORTANT Select this field only if you have successfully uploaded the new certificate to the server of your identity provider, or if the update has happened automatically because of the settings on the server of your identity provider. Selecting this field and saving your changes without updating the certificate on your server will result in users not being able to log in to Workfront. 
  8. Select the Admin Exemption field.
    When this field is selected, the system administrators can log in to Workfront either with their SSO credentials or with their Workfront credentials.
  9. Click Test Connection to test your configuration. You should get a confirmation that the connection has been successful. 
    NOTE If you receive an error message about an unsuccessful connection, try one of the following before you test your connection again:
    • Clear your browser cache.
    • Use another browser.
    • Use an incognito window in the same browser.
  10. Click Save.
    The warning message will not be displayed after acknowledging the renewal of the SAML 2.0 certificate on the server of your identity provider. 
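
Before selecting the acknowledgment field in step 7, you can confirm that the certificate installed on the identity provider is the one in the metadata downloaded in step 5. The following is an added example, not Workfront tooling: it assumes the downloaded file uses the standard SAML 2.0 metadata layout (`KeyDescriptor` / `X509Certificate`) and that the certificate currently installed on the IDP can be exported as PEM. The sample metadata, entity ID and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sha256_b64(b64_text):
    # Metadata and PEM both wrap base64 across lines; strip whitespace first.
    der = base64.b64decode("".join(b64_text.split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def metadata_fingerprints(metadata_xml):
    """Map each KeyDescriptor 'use' to the SHA-256 fingerprints of its certificates."""
    found = {}
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use", "any")  # no 'use' attribute: key serves signing and encryption
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found.setdefault(use, set()).add(sha256_b64(cert.text or ""))
    return found

def pem_fingerprint(pem_text):
    """SHA-256 fingerprint of the first certificate in a PEM export from the IDP."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return sha256_b64(m.group(1))

def idp_has_new_certificate(metadata_xml, idp_pem):
    """True only if the certificate installed on the IDP appears in the downloaded metadata."""
    fp = pem_fingerprint(idp_pem)
    return any(fp in fps for fps in metadata_fingerprints(metadata_xml).values())

# --- Constructed sample data: placeholder bytes, not real certificates ---
def to_pem(raw):
    body = base64.encodebytes(raw).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

NEW, OLD = b"constructed-new-sp-cert" * 8, b"constructed-old-sp-cert" * 8
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.invalid/saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.encodebytes(NEW).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

A `False` result from `idp_has_new_certificate` means the IDP still holds a different certificate, which is the mismatch the IMPORTANT note under step 7 warns about.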

NOTE For additional information, or for assistance with the manual configuration of metadata, please contact our Support Team. For more information about contacting our Support Team, see "How to Open a Support Request."




This article last updated on 2018-01-10 19:37:01 UTC