Configuring Workfront with SAML 1.1


IMPORTANT SAML 1.1 is now supported only in a limited capacity as a Single Sign-On (SSO) option; it will be removed from the product in the second half of 2019.

Following is the removal timeline for SAML 1.1 as an SSO option:

  • Limited support: August 2018 - January 2019
  • Deprecation: January 2019 - August 2019
  • No longer available in Workfront: August 2019

The following sections provide information about using SAML 1.1 with Workfront: 

Understanding the SAML 1.1 Single Sign-On Solution

As a system administrator, you can integrate Workfront with SAML 1.1.

Unlike other single sign-on solutions, auto-provisioning users and attribute-mapping are not available for Federated SSO configuration, including SAML 1.1. 

Configuring the SAML 1.1 Server to Communicate with Workfront

In order to have home page landing preferences honored when implementing a Federated ID (SAML) SSO environment, you need to make sure the federated server is set up to point to https://[Assigned Company Sub-domain]

Configuring Workfront with SAML 1.1

  1. Navigate to the  Setup area in the Global Navigation Bar.
  2. Expand System, then click Single Sign-On (SSO).
  3. In the Type drop-down list, select SAML 1.1.
  4. Specify the following information:
    Issuer: Specify the domain provider obtained from your SAML service provider. It is possible to provide the port instead, for example:
    Login Portal URL: Specify the login URL used to log in to all your SSO-enabled applications, including Workfront. 
    Sign-out URL: Specify the URL displayed after users log out of Workfront. 
    Change password URL: Specify the URL where users will be directed if they need to change their password.
    Since users maintain one password across multiple platforms when integrated with SAML 1.1, it is important that they are directed to a central location to change their password rather than being allowed to change their password in Workfront.
    Certificate: Upload a valid certificate for authentication of a secure connection. OnDemand clients are required to do this. The certificate is obtained from your SAML 1.1 system administrator. 
    Admin Exemption: When this box is checked, Workfront will attempt to first login through SAML for users with System Administrator Access Level. If authentication fails, Workfront will use local authentication for administrators. We recommend that you always have this option selected, to provide your system administrator a way for logging into Workfront in the event that your SAML 1.1 provider is temporarily unavailable. 
    Enable: Select this option to enable the integration with SAML 1.1. If it is not selected, SAML 1.1 will not be activated. 
  5. Click Save

Audited 6/12/2018

This article last updated on 2018-09-06 22:28:08 UTC