URL Changes to SSO with SAML Provider

Background information

In the past, Workfront users accessed their instance using <domain>, but this year we introduced a new URL, <domain>. Previously, all customers that used Single Sign On with a SAML provider would have configured their systems to accept login requests from the old domain. However, most providers that saw a request coming from <domain> would not treat it as if it came from the old domain and would therefore deny the request in one way or another.

Currently, all email notifications are being sent out using links to the domain, but on May 18th Workfront will switch the domain to the new <domain> links. If you have not made any changes, clicking on these links will fail because the login attempt is being made from an Assertion Consumer Service (ACS) URL that is not registered in your IdP.

The URL changes will only impact customers using SAML for their SSO. AD & LDAP customers will not be affected.


What Changes We Made

In order to make this work with both URLs, we have modified our SAML metadata files to include the Assertion Consumer Service (ACS) URLs for both the older and the new URLs.
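One way to check this before May 18th, as an added example (not Workfront's own code): the Python below reads an SP metadata document, lists its ACS URLs, and reports any that are not yet registered in your IdP. The hosts old.example.com and new.example.com, the /saml/acs path, and the function names are placeholders assumed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata. The hosts and path are placeholders,
# not Workfront's real values; load your downloaded metadata file instead.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://new.example.com/sp">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="{POST}" Location="https://old.example.com/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="{POST}" Location="https://new.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def acs_endpoints(metadata_xml):
    """Return (index, binding, location) for each ACS entry, sorted by index."""
    root = ET.fromstring(metadata_xml)
    found = []
    for el in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        found.append((int(el.get("index", "0")), el.get("Binding"), el.get("Location")))
    return sorted(found)


def missing_from_idp(metadata_xml, idp_registered):
    """ACS URLs in the metadata that the IdP does not have registered.

    URLs are compared as exact strings, so a differing host, scheme,
    path or trailing slash counts as not registered.
    """
    registered = set(idp_registered)
    return [loc for _, _, loc in acs_endpoints(metadata_xml) if loc not in registered]


if __name__ == "__main__":
    # Constructed IdP state: only the old ACS URL has been registered so far.
    idp_registered = ["https://old.example.com/saml/acs"]
    for index, binding, location in acs_endpoints(SAMPLE_METADATA):
        print(f"ACS[{index}] {location} ({binding.rsplit(':', 1)[-1]})")
    for url in missing_from_idp(SAMPLE_METADATA, idp_registered):
        print(f"NOT REGISTERED in IdP: {url}")
```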

Old Metadata File


New Metadata File


What Do You Need to Do?

In order to make sure your company is ready for this change on May 18th, you will need to change the configuration in your identity provider. You have a few different options for implementing these changes:

Modify your existing connection to include all ACS URLs 

This is the ideal option. Many identity providers allow multiple ACS URLs in their configuration. If your identity provider does not allow multiple URLs, you will need to use one of the options below:

Create an additional connection with the new <domain> URLs 

If your identity provider doesn't support multiple ACS URLs, this is the next best route, as it will still allow your users to log in using either the old or new URL.

Swap out the <domain> URLs for the <domain> URLs

This means that for any user who has an older bookmark for the URL, or who attempts to go to the old URL from habit, the login will fail because the ACS URL will no longer be configured.


Quick Tips for various Identity Providers: 

Here is a list of our most common SSO providers, along with some quick tips to make the setup an easy and quick process.

ADFS - This IdP should allow for multiple ACS URLs. All you need to do is re-upload your metadata file or put the metadata URL (see below image) into the Metadata URL box on the Relying Party Trust setup window.



Okta - This is one identity provider that will require two connections within Okta to work with both URLs. Workfront Support has confirmed that multiple connections will work.

Azure Active Directory - In March, the Workfront Azure app was updated to accommodate the new URLs. If you change from the old AtTask app to Workfront, this should work without extensive configuration.