Configuring Workfront with SAML 2.0 Using ADFS

As a system administrator, you can integrate Workfront with a SAML 2.0 solution for single sign-on while using ADFS.

This guide covers setting up ADFS without auto-provisioning or attribute mappings. We recommend that you complete this setup and test it before configuring any auto-provisioning.

Enabling Authentication to Workfront with SAML 2.0

To enable authentication to the Workfront web application and the Workfront mobile application with SAML 2.0:

  1. Navigate to the Setup area in the Global Navigation Bar.
  2. Expand System, then click Single Sign-On (SSO).
  3. In the Type drop-down list, select SAML 2.0.
  4. Copy the URL in the Metadata URL field. (This URL will be different from the one shown)
    If using a Custom Refresh Sandbox the checkbox for Service Provider and change from to or
    If setting up ADFS in an on-demand environment, this does not need to change.
  5. On the ADFS server, do the following:
    1. On the Windows Server 2008 R2 machine (version may vary), open the ADFS management console:
    2. Click Start.
    3. Click Administrative Tools.
    4. Click ADFS 2.0 Management.
    5. Select ADFS and expand Trust Relationships.
    6. Right-click Relying Party Trusts and select Add Relying Party Trust.
    7. On the Welcome page, click Start, then paste the Metadata URL you copied in step 4.
    8. Click Next.
    9. The following message appears:
    10. Select OK or Next. 
    11. Add a Display Name and Notes to distinguish the Trust.
    12. Select Permit all users to access this relying party (or None if you want to configure this later).
    13. Select Next.
    14. Click Next on the Ready to Add Trust page, then leave the option to open the Edit Claim Rules dialog selected.
    15. Click Close to finish the wizard.
    16. Click Add Rule.
    17. Select Send LDAP Attribute as Claims, then Next.
    18. Give the claim rule a name and select Active Directory as the attribute store.
    19. The minimum claim rule that must be sent for Workfront to work is shown below.
    20. In the screenshot above, the LDAP attribute Account Name is selected and sent as the outgoing claim Name ID.
      The LDAP attribute on the left can be anything, but the outgoing claim type on the right must be Name ID.
      Its value is stored in the Federation ID field of the user setup and is used to identify who is logging in.
    21. To establish auto-provisioning, the following claims need to be sent:
    22. Select Finish, and OK on the next screen.
    23. Right-click the new Claim and select Properties.
    24. On the Advanced tab, under Secure Hash Algorithm, select SHA-1.
    25. Open a browser and navigate to https://<Your Server>/FederationMetadata/2007-06/FederationMetadata.xml.
      This downloads the metadata file FederationMetadata.xml.
  6. In Workfront, on the SSO configuration page, select Choose File in the Certificate section.
  7. Select the FederationMetadata.xml file downloaded in step 25.
  8. Click Test Connection; a page similar to the one below should appear.
  9. Select Admin Exemption to allow system administrators to log in with Workfront credentials using the bypass URL. Bookmarks pointing to <Domain> bypass the redirect.
  10. Select the Enable box to enable the configuration.
  11. Click Save.
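Before uploading the FederationMetadata.xml downloaded in step 25 (steps 6 and 7 above), it is worth confirming that the file really is the identity-provider metadata you expect. The following Python script is an added example, not Workfront's or Microsoft's code: it parses an ADFS-style metadata file, pulls out only the IdP signing certificate(s) (ADFS publishes an SPSSODescriptor and an IDPSSODescriptor in the same file, and the IdP signing key is what the service provider uses to validate SAML responses), compares their SHA-256 fingerprints against thumbprints you obtained out of band, and checks the issuer entityID and that the SSO endpoints are HTTPS. The host name adfs.example.test, the entityID and the certificate bytes in the sample are constructed placeholders, not values from any real server.

```python
from __future__ import annotations

import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML Signature namespaces used in FederationMetadata.xml
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample values: placeholder "certificates" (not real X.509 DER), a
# placeholder host name and entityID. Nothing here comes from a real ADFS server.
IDP_SIGNING_CERT_B64 = base64.b64encode(b"constructed-idp-token-signing-cert-bytes").decode()
OTHER_CERT_B64 = base64.b64encode(b"constructed-other-cert-bytes").decode()
ENTITY_ID = "http://adfs.example.test/adfs/services/trust"

# Trimmed ADFS-style FederationMetadata.xml: both an SPSSODescriptor and an
# IDPSSODescriptor appear in one file; only the IdP *signing* key matters for
# validating the SAML responses the service provider receives.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="{ENTITY_ID}">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{OTHER_CERT_B64}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{OTHER_CERT_B64}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{IDP_SIGNING_CERT_B64}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint (hex) of the DER bytes carried in an X509Certificate element."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def idp_signing_certs(metadata_xml: str) -> list[str]:
    """Return the base64 certificates the IdP uses for signing, ignoring SP and encryption keys."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    return certs


def check_metadata(metadata_xml: str, expected_entity_id: str, pinned_fingerprints: set[str]) -> dict:
    """Pre-upload sanity check: expected issuer, only pinned signing certs, HTTPS endpoints."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    fps = [fingerprint(c) for c in idp_signing_certs(metadata_xml)]
    idp = root.find("md:IDPSSODescriptor", NS)
    locations = [s.get("Location") or "" for s in idp.findall("md:SingleSignOnService", NS)]
    return {
        "entity_id": entity_id,
        "entity_id_ok": entity_id == expected_entity_id,
        "idp_signing_fingerprints": fps,
        "cert_ok": bool(fps) and all(fp in pinned_fingerprints for fp in fps),
        "sso_endpoints_https": bool(locations) and all(loc.startswith("https://") for loc in locations),
    }


if __name__ == "__main__":
    # In practice: read the downloaded file and pass the thumbprint(s) of the ADFS
    # token-signing certificate obtained out of band; refuse to upload on any failure.
    pinned = {fingerprint(IDP_SIGNING_CERT_B64)}
    result = check_metadata(SAMPLE_METADATA, ENTITY_ID, pinned)
    print(result)
    assert result["entity_id_ok"] and result["cert_ok"] and result["sso_endpoints_https"]
```

Replace SAMPLE_METADATA with the contents of the downloaded file and the pinned set with the fingerprint of the ADFS token-signing certificate you read directly on the server. Note that this pin only covers the certificate bytes; the Secure Hash Algorithm chosen in step 24 separately controls how ADFS signs each response for this trust, and SHA-1 signatures are considered weak today, so keep that step as written only where the service provider requires it.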

Updating Users for SSO

Following this guide, each user's SSO username is their Active Directory username.

As a system administrator, you can bulk update users for SSO. For more information about updating users for SSO, see "Updating Users for SSO."

As a system administrator, you can also manually assign a Federation ID by editing the user's profile and completing the Federation ID field. For more information about editing a user, see "Editing User Accounts."

NOTE When editing users' profiles to include a Federation ID, selecting Only Allow SAML 2.0 Authentication removes the ability to log in to Workfront using the bypass URL (<Domain>