Updating SAML 2.0 Metadata in Your Identity Provider

Using ADFS As Your Identity Provider

You can update your ADFS metadata prior to Workfront updating the SAML 2.0 certificate or after. If you choose to update the ADFS metadata prior to Workfront updating the SAML 2.0 certificate, additional steps are required.

Updating Your ADFS Metadata 

To set your ADFS metadata to update automatically, complete the steps in this section.

By default, ADFS automatically checks for updates to all of its relying party trust metadata; however, it polls only every 24 hours. You can change this interval with PowerShell commands.

  1. Log in to the ADFS server and open the ADFS Management Console. 
  2. In the left-hand panel, expand ADFS 2.0, then expand Trust Relationships.
  3. Click the Relying Party Trusts folder.
  4. Select the relying party trust that you previously configured to be used with Workfront, then in the right-hand panel, click Update from Federation Metadata.
    If this option is dimmed and cannot be selected, complete the following:
    (The option is dimmed only when the relying party trust was previously configured using a metadata file.)
    1. In Workfront, in the Setup area, expand System, then Single Sign-On (SSO) and copy the Metadata URL from your Workfront Single Sign-On setup screen.
      To access the information for the Metadata URL:
      1. Click Setup in the Global Navigation Bar.
      2. Expand System, and select Single Sign On (SSO).
      3. Click Edit Settings.
      4. Click Edit Configuration, then select SAML 2.0 in the Type drop-down list.
      5. Copy the Metadata URL, which should be similar to the following:
      https://<yourdomain>.my.workfront.com/sso/downloadSAML2MetaData
    2. On the ADFS server, right-click on the relying party trust that you previously configured, then click Properties.
    3. Click the Monitoring tab, then paste the URL that you copied from Workfront into the Relying party's federation metadata URL field.
    4. Check the options to Monitor relying party and Automatically update relying party.
    5. Click OK.
    6. Select the relying party trust that you previously configured to be used with Workfront, then in the right-hand panel, click Update from Federation Metadata.
  5. Click OK to ignore the message about some of the content in the federation metadata not being supported by ADFS 2.0.
  6. Open Windows PowerShell Modules.
  7. After all the modules load, run the following command in PowerShell:
    Get-ADFSProperties
  8. Look for the value next to MonitoringInterval. It is the number of minutes between polls. The default should be 1440 (1440 minutes = 24 hours).
  9. Set a new value by running the following command in PowerShell:
    Set-ADFSProperties -MonitoringInterval 1
    This changes the monitoring interval from every 24 hours to every minute. You can change the 1 to a larger value if you want it to poll less frequently.
  10. To verify this is working correctly, use the Event Viewer to look for the following information in the ADFS 2.0 logs:
    Event IDs 156 and 157

Forcing Your ADFS Metadata to Update 

To update your ADFS metadata, complete the steps in this section.

To force metadata to be exchanged between Workfront and your SAML 2.0 provider when using Active Directory Federation Services (ADFS):

NOTE: Some of these changes might need to be done by your IT department.

  1. Log in to the ADFS server and open the ADFS Management Console.
  2. In the left-hand panel, expand ADFS 2.0, then expand Trust Relationships.
  3. Click the Relying Party Trusts folder.
  4. Select the relying party trust that you previously configured to be used with Workfront, then in the right-hand panel, click Update from Federation Metadata.
    If this option is dimmed and cannot be selected, complete the following:
    (The option is dimmed only when the relying party trust was previously configured using a metadata file.)
    1. In Workfront, in the Setup area, copy the Metadata URL from your Workfront Single Sign-On setup screen.
      To access the information for the Metadata URL:
      1. Click Setup in the Global Navigation Bar.
      2. Expand System, and select Single Sign On (SSO).
      3. Click Edit Settings.
      4. Click Edit Configuration, then select SAML 2.0 in the Type drop-down list.
      5. Copy the Metadata URL, which should be similar to the following:
      https://<yourdomain>.my.workfront.com/sso/downloadSAML2MetaData
    2. On the ADFS server, right-click on the relying party trust that you previously configured, then click Properties.
    3. Click the Monitoring tab, then paste the URL that you copied from Workfront into the Relying party's federation metadata URL field.
    4. Check the options to Monitor relying party and Automatically update relying party.
    5. Click OK.
    6. Select the relying party trust that you previously configured to be used with Workfront, then in the right-hand panel, click Update from Federation Metadata.
  5. Click OK to ignore the message about some of the content in the federation metadata not being supported by ADFS 2.0.
  6. Click Update to complete updating your federation metadata.
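
The two procedures above (automatic update and forced update) can also be scripted. The following is an added example, not part of the original article or of Workfront's documentation; the trust name, the event log name, the snap-in fallback and the one-hour event window are assumptions, and the URL check reflects that automatic update makes ADFS accept whatever the monitored URL serves.

```powershell
# Added example. Names marked "assumed" are not from the original page.
$TrustName   = 'Workfront'        # assumed display name of the relying party trust
$MetadataUrl = 'https://<yourdomain>.my.workfront.com/sso/downloadSAML2MetaData'
$IntervalMin = 1                  # value from the procedure; the default is 1440
$AdfsLog     = 'AD FS 2.0/Admin'  # assumed log name; later versions use 'AD FS/Admin'

# AD FS 2.0 exposes its cmdlets through a snap-in; later versions load a module.
if (-not (Get-Command Get-ADFSProperties -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

# Automatic update trusts the content behind this URL, so require HTTPS and a
# Workfront host before enabling it. An unreplaced <yourdomain> fails here too.
$uri = $null
if (-not [Uri]::TryCreate($MetadataUrl, [UriKind]::Absolute, [ref]$uri) -or
    $uri.Scheme -ne 'https' -or $uri.Host -notlike '*.my.workfront.com') {
    throw "Refusing to monitor unexpected metadata URL: $MetadataUrl"
}

if (-not (Get-AdfsRelyingPartyTrust -Name $TrustName)) {
    throw "No relying party trust named '$TrustName' was found."
}

# Monitoring tab: metadata URL, "Monitor relying party",
# "Automatically update relying party".
Set-AdfsRelyingPartyTrust -TargetName $TrustName -MetadataUrl $MetadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# "Update from Federation Metadata": pull the metadata now (forced update).
Update-AdfsRelyingPartyTrust -TargetName $TrustName

# Read the current poll interval, change it, and show both values.
$oldInterval = (Get-ADFSProperties).MonitoringInterval
Set-ADFSProperties -MonitoringInterval $IntervalMin
$newInterval = (Get-ADFSProperties).MonitoringInterval
"MonitoringInterval: $oldInterval -> $newInterval minutes"

# Confirm the trust settings and when the metadata was last checked and applied.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, MonitoringEnabled, AutoUpdateEnabled, MetadataUrl,
                  LastMonitoredTime, LastUpdateTime

# Event IDs 156 and 157 from the last hour, as in the verification step.
$filter = @{ LogName = $AdfsLog; Id = 156, 157; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Replace <yourdomain> with your Workfront domain before running; otherwise the script stops at the URL check without changing anything.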

Users who are allowed to access Workfront via the native login screen using Workfront login credentials (this can be configured from each user's profile page in the Access section) can log in using their Workfront user name and password by navigating to the following URL: https://<yourdomain>.my.workfront.com/Workfront/login.cmd.

Using Other Identity Providers

When using identity providers other than ADFS (such as Ping or Okta), you must re-upload the Workfront metadata to your identity provider. For more information about how to obtain a new Workfront Metadata URL, see "Updating Your ADFS Metadata." 

For additional information about using Active Directory Federation Services (ADFS) with SAML 2.0 in Workfront, see "ADFS SAML 2.0 Considerations in Workfront."