Single Sign-On

Introduction to SAML 2.0

Security Assertion Markup Language 2.0 (SAML 2.0) is an XML-based protocol for exchanging authentication and authorization data between an identity provider and a web service (the service provider).

We use this protocol to provide the Single Sign-On (SSO) capability that allows you to use your existing organization's username and password to access your Workfront Proof account.

This means that you will not authenticate against Workfront Proof's login page; instead, you will authenticate against your own login system.

NOTE You must have a custom sub-domain or domain set up on your Workfront Proof account to enable SAML.

NOTE Single Sign-On is only available on our Select and Premium plans.

Enabling SSO within Workfront Proof

The Single Sign-On functionality can be enabled on the Single sign-on tab of your Account settings, and it will apply to all the users on your Workfront Proof account.

Entity ID

As a Service Provider we have published our Entity ID here - https://yoursubdomain.proofhq.com/saml/module.php/saml/sp/metadata.php/phq (replace "yoursubdomain" with your account's sub-domain)

Workfront Proof requires the user's email address as their unique identifier, which can be passed as one of the following attributes:

  • urn:mace:dir:attribute-def:emailAddress
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • http://schemas.xmlsoap.org/claims/EmailAddress
  • urn:oid:0.9.2342.19200300.100.1.3
  • http://axschema.org/contact/email
  • openid.sreg.email
  • mail
  • email
  • emailAddress

To configure SSO:

  • Go to the Single Sign-On tab (1)
  • Enter the SSO URL (2)
  • Enter the Login URL (3)
  • Enter the Logout URL (4)
  • Enter the Certificate fingerprint (5)
  • Switch SSO to Enabled (6)
  • Enable Automatically provision users option, if needed (7)

Enable_SSO_SAML_2.0.png

SSO URL (also called SAML Issuer, ID URL, etc.)

This is the link to your SSO server (e.g. https://sso.mycompany.com/opensso)

Login URL

The URL to which users are redirected to reach your Identity Provider.

NOTE This is not a URL you enter in the browser, but an endpoint that processes the authentication request we send it in order to present the login screen.

Logout URL*

This is the URL you will be returned to after you log out, for example

https://www.yourcompany.com/services/logout.asp

Certificate fingerprint

The SHA1 fingerprint of the SAML certificate provided by your SAML Identity Provider.

NOTE Make sure your Identity Provider is configured to include the KeyInfo element (the signing certificate) in its SAML responses.
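As an added example (not Workfront Proof's own code) covering the accepted email attribute names listed above and the certificate fingerprint field, the following script reads the email out of a SAML assertion by checking every accepted attribute name, and derives the SHA-1 fingerprint from the X509Certificate carried in an Identity Provider's metadata. The assertion and metadata are constructed samples, and "YWJj" is a placeholder standing in for the base64-encoded DER certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Attribute names Workfront Proof accepts for the user's email (the list above).
EMAIL_ATTRIBUTE_NAMES = (
    "urn:mace:dir:attribute-def:emailAddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/claims/EmailAddress",
    "urn:oid:0.9.2342.19200300.100.1.3",
    "http://axschema.org/contact/email",
    "openid.sreg.email", "mail", "email", "emailAddress",
)

def find_email(assertion_xml):
    """Return the first non-empty value under an accepted email attribute name, else None."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") in EMAIL_ATTRIBUTE_NAMES:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text and value.text.strip():
                return value.text.strip()
    return None

def cert_fingerprint_sha1(metadata_xml):
    """SHA-1 fingerprint (upper-case, colon-separated) of the first X509Certificate in IdP metadata."""
    root = ET.fromstring(metadata_xml)
    cert = root.find(".//ds:X509Certificate", NS)
    if cert is None or not cert.text or not cert.text.strip():
        raise ValueError("IdP metadata carries no X509Certificate (KeyInfo missing?)")
    der = base64.b64decode("".join(cert.text.split()))  # base64 is often line-wrapped
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))

# Constructed sample assertion: the email travels under the plain "mail" attribute name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed IdP metadata; "YWJj" is a placeholder, not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.mycompany.com/opensso">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

With a real IdP certificate in place of the placeholder, the returned string is the value to paste into the Certificate fingerprint field; a missing X509Certificate raises, which is the symptom of an IdP that does not send KeyInfo.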

SSO

Once SSO is enabled, you and the other users on your account will log in using your own authentication mechanism. This means that when a user accesses your Workfront Proof account login screen (for example, yourcompany.proofhq.com/login), they are shown a transfer window that takes them to your own authentication login page.

Automatically provision users

Once this option is enabled, user accounts are created automatically for people who do not yet have a Workfront Proof profile but access your Workfront Proof account using their Single Sign-On credentials. This happens only while the user limit on your account has not been reached.

NOTE New provisioned users will have the Manager profile permissions assigned by default.

Enabling SSO for Satellite accounts

When you have satellite accounts connected to your hub account, you can administer them from the hub account level.

Single Sign-On is a Select and Premium feature, so it can only be enabled on satellite accounts that are on Select or Premium plans. To do this:

  • Go to your Account settings (1)
  • Choose the satellite account from the drop down menu (2)
  • Go to the Single Sign-On tab (3)
  • Start editing the SSO configuration (4)

Enabling_SSO_-_Satellite_Account.png

Here you will have two methods (5) of configuration:

  • Inherited - SSO with the configuration taken from your hub account
  • Manual (default) - SSO with a different configuration (e.g. pointing to another Identity Provider)

NOTE If the satellite account is inheriting the SSO configuration from the hub account, the login screen will be that of the hub account. When the satellite account user enters their SSO login details on this page, they will be re-directed back to the satellite account.

Enabling_SSO_-_Satellite_Account_2.png

After choosing your preferred configuration, click Save button (6).

SSO settings inherited from the hub account

When you choose to inherit the settings from your hub account, you will notice that all the fields are now populated with the data from your hub account (7) and that Single Sign-On is automatically Enabled/Disabled (8) as on your main account. There are also no edit links in the fields anymore, as the whole SSO configuration for the satellite account is now set and managed from your hub account.

Satellite_Account_-_Inherited_SSO.png

In your hub account (9) the SSO Usage field will show that this configuration is in use by satellite accounts (10).

Hub_Account_-_Inherited_SSO.png

SSO configured manually

If Manual SSO configuration has been chosen for a satellite account (1), you will need to enter the Single Sign-On data manually. To do this, click Edit, populate the fields and then click Save (2).

After entering all the data switch the SSO field to Enabled by clicking the link (3).

Satellite_Account_-_Manual_SSO.png

SSO Log In

Make sure that you have your Workfront Proof domain/sub-domain (1) set up in the Settings tab of your Account settings and that your users access your Workfront Proof account through this customized domain/sub-domain*.

SAML_Subdomain.png

With your Single Sign-On enabled, your sub-domain login URL (e.g. yourcompany.proofhq.com/login) displays a transfer screen (2) that will take you directly to your SSO login page.

SSO_login_page.png

* If a user accesses Workfront Proof through the default login page (https://www.proofhq.com/login) there will be two levels of authentication: first the user is asked to log in using their Workfront Proof access data (email and password), and after that they are transferred through an SSO window (2) to the SSO login page.

Therefore, with the SSO service enabled, we recommend logging in through your own Workfront Proof sub-domain/domain.

NOTE At this time, when Single Sign-On is enabled on your Workfront Proof account, you will not be able to log in to the iPhone app with those credentials.

Adding a new user

When the Single Sign-On functionality is enabled on your Workfront Proof account, new users will not receive any confirmation emails, as their accounts are automatically activated and ready to use.

From your Workfront Proof login page, after clicking the Login button, users are taken to your SSO login page and asked to enter their Single Sign-On login credentials.

NOTE Users are identified through an email address during the authentication process, which means the email account used for your SSO login MUST be the email address of the user registered within your account.

AD FS (Active Directory Federation Services)

AD FS is a software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with Single Sign-On access to systems and applications located across organizational boundaries - more information can be found on the Microsoft pages.

The Workfront Proof system supports SAML 2.0 and is only compatible with AD FS version 2.0 or greater.

Please see Single Sign-on: AD FS configuration for the detailed instructions.