As a system administrator, you can integrate Workfront with a SAML 2.0 solution for single sign-on while using Active Directory Federation Services (ADFS).
This guide focuses on setting up ADFS without auto provisioning or attribute mappings. We recommend that you complete the setup and test it prior to setting up any auto provisioning.
To enable authentication to the Workfront web application and the Workfront mobile application with SAML 2.0, complete the following sections:
- Retrieving the Workfront SSO Metadata File
- Configuring Relying Party Trusts
- Configuring Claim Rules
- Uploading the Metadata File and Testing the Connection
Retrieving the Workfront SSO Metadata File
- Navigate to the Setup area in the Global Navigation Bar.
- Expand System, then click Single Sign-On (SSO).
- In the Type drop-down menu, select SAML 2.0.
- Copy the URL in the Metadata URL field. (This URL is unique to your instance, so it will differ from the one shown.)
- Continue to the following section "Configuring Relying Party Trusts."
Configuring Relying Party Trusts
- On the Windows server that hosts ADFS, open the ADFS Management console (this guide uses Windows Server 2008 R2 with ADFS 2.0; your version may vary):
- Navigate to Start.
- Click Administration Tools.
- Click ADFS 2.0 Management.
- Select ADFS and expand Trust Relationships.
- Right-click Relying Party Trusts, and select Add Relying Party Trust to launch the Add Relying Party Trust Wizard.
- From the Welcome page, select Start. This opens the Select Data Source section.
- Paste the metadata URL from Workfront.
- Click Next.
- Click OK to acknowledge the warning message. This opens the Specify Display Name section.
- Add a Display Name and Notes to distinguish the Trust, then click Next.
- Select Permit all users to access this relying party (or None if you want to configure this later).
- Click Next. This takes you to the Ready to Add Trust section.
- Continue to the following section "Configuring Claim Rules."
Configuring Claim Rules
- Click Next in the Ready to Add Trust section, then ensure that the Open the Edit Claim Rules dialog box option is selected. This allows you to edit the claim rules in a later step.
- Click Close.
- Click Add Rule.
- Select Send LDAP Attribute as Claims.
- Click Next to display the Configure Claim Rule step.
- Specify at least the following to configure the claim rule. (The value this rule sends is matched against the Federation ID in each user's profile and is used to identify who is logging in.)
  - Claim rule name: a name for the claim rule, for example "Workfront".
  - Attribute store: select Active Directory from the drop-down menu.
  - LDAP Attribute: any attribute can be used; we recommend SAM-Account-Name.
  - Outgoing Claim Type: you must select Name ID as the outgoing claim type.
- (Optional) To enable auto provisioning, add the following additional claims, specifying both the LDAP Attribute and the Outgoing Claim Type for each:
- Click Finish and then OK on the next screen.
- Right-click the new Claim, and select Properties.
- Select the Advanced tab, and under Secure Hash Algorithm select SHA-1 or SHA-256 (SHA-256 is the stronger of the two).
NOTE What you select under Secure Hash Algorithm here must match the Secure Hash Algorithm field in Workfront under Setup > System > Single Sign-On (SSO).
- Continue to the following section "Uploading the Metadata File and Testing the Connection."
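The relying party trust and the Name ID claim rule that the two ADFS sections above build through the wizard, expressed with the ADFS PowerShell cmdlets so the result can be reviewed and repeated. This is an added example, not part of the Workfront guide; it assumes the cmdlets run elevated on the ADFS server and that the metadata URL copied from Workfront replaces the placeholder in $metadataUrl.

```powershell
# Added example (not from the Workfront guide). Assumes an elevated session on the ADFS server.
# On ADFS 2.0 (Windows Server 2008 R2) the cmdlets live in a snap-in; later versions
# load the ADFS module automatically, so the snap-in step is skipped when it is absent.
if (Get-PSSnapin -Registered -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
}

$metadataUrl = '<paste the Metadata URL copied from Workfront Setup > System > SSO>'  # placeholder
$trustName   = 'Workfront'

# Claim rule equivalent to "Send LDAP Attributes as Claims" with
# Attribute store = Active Directory, LDAP Attribute = sAMAccountName,
# Outgoing Claim Type = Name ID. Workfront matches the issued value
# against the Federation ID on the user's profile.
$nameIdRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Workfront"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Issuance authorization rule equivalent to "Permit all users to access this relying party".
$permitAllRule = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 1: create the trust from the Workfront metadata (the wizard's Select Data Source page).
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataUrl $metadataUrl `
    -IssuanceTransformRules $nameIdRule `
    -IssuanceAuthorizationRules $permitAllRule

# Step 2: set the Secure Hash Algorithm (Properties > Advanced). This must match the
# Secure Hash Algorithm selected in Workfront; SHA-256 is the stronger choice.
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Step 3: review the trust before running Test Connection from Workfront.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, SignatureAlgorithm, IssuanceTransformRules
```

To use SHA-1 instead, the SignatureAlgorithm value is http://www.w3.org/2000/09/xmldsig#rsa-sha1; whichever you choose must match the Workfront setting.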
Uploading the Metadata File and Testing the Connection
- Open a browser and navigate to https://<Your Server>/FederationMetadata/2007-06/FederationMetadata.xml.
This downloads the ADFS federation metadata file, FederationMetadata.xml.
- In Workfront, under Setup > System > Single Sign-On (SSO), click Choose File under Populate fields from Identity Provider Metadata, and select the FederationMetadata.xml file.
- (Optional) If the certificate information did not populate with the metadata file, you can upload a file separately. Select Choose File in the Certificate section.
- Click Test Connection. If everything is set up correctly, you should see a confirmation page similar to the one shown below, listing the attributes received from ADFS:
NOTE If you want to set up attribute mapping, ensure that you copy the attributes from the Test Connection into the Directory Attribute. For more information, see Mapping User Attributes.
- Select Admin Exemption to allow system administrators to log in with Workfront credentials using the bypass URL. Bookmarks pointing to <Domain>.my.workfront.com/login bypass the SSO redirect.
- Select the Enable box to enable the configuration.
- Click Save.
If you follow this guide, each user's SSO username is their Active Directory username (the SAM-Account-Name sent as the Name ID claim).
As a system administrator, you can bulk update users for SSO. For more information about updating users for SSO, see "Updating Users for SSO."
As a system administrator, you can also manually assign a Federation ID by editing the user's profile and completing the Federation ID field. For more information about editing a user, see "Editing User Accounts."
NOTE When editing users' profiles to include a Federation ID, selecting Only Allow SAML 2.0 Authentication removes the ability to log in to Workfront using the bypass URL (<Domain>.my.workfront.com/login).