Configuring Workfront with SAML 2.0


As a system administrator, you can integrate Workfront with a SAML 2.0 solution for single sign-on. 

After you have enabled SAML 2.0 in Workfront as described in the following sections, you can maintain the configuration, as described in "Maintaining the SAML 2.0 Connection in Workfront."

If SAML 2.0 authentication is enabled and you want users to access Workfront from Outlook with their SAML 2.0 credentials, you must also enable SAML 2.0 authentication in Office add-ins, as described in "Enabling Outlook to Be Used with Workfront and SAML 2.0" below.

Enabling Authentication to Workfront with SAML 2.0

To enable authentication to the Workfront web application and the Workfront mobile application with SAML 2.0:

  1. Navigate to the Setup area in the Global Navigation Bar.
  2. Expand System, then click Single Sign-On (SSO).
  3. In the Type drop-down list, select SAML 2.0.
  4. Click Download SAML 2.0 Metadata and save the file to a temporary location on your computer.
    Your SAML 2.0 Identity Provider requires an XML file with information generated in your Workfront instance. After the file is downloaded, you need to go to your SAML 2.0 Identity Provider server and upload the Workfront SAML 2.0 Metadata XML file to it. 
  5. Specify the following information:
    Service Provider: This URL identifies Workfront to your identity provider, and is already populated for you. For example:
    Binding Type: Select the method for sending authentication information that is supported by your IDP server. Select from the following options:
    Populate fields from Identity Provider Metadata: In your SAML 2.0 Identity Provider solution, export the Identity Provider Metadata XML file and save it to a temporary location on your computer. Select Choose File, then browse to and select the file that you saved to add it to your Workfront configuration. Workfront populates the fields below from this file; verify the populated values against those supplied by your IDP administrator before you save.
    Login Portal URL: Specify your organization's common login portal. This is the URL where users log in in order to access Workfront and all other applications integrated with SAML 2.0.
    Sign-Out URL: Specify the single logout URL of the IDP server. When a user signs out of Workfront, Workfront redirects the browser to this URL (an HTTP request to the IDP) so that the user's session on the remote server is closed at the same time as the Workfront session. Without it, the IDP session remains active after the Workfront sign-out, and a later visit to Workfront can sign the user in again without re-entering credentials.
    NOTE You are redirected to the sign-out URL only if you have the Only Allow SAML 2.0 Authentication option checked on your user profile.
    Change Password URL: Specify the URL where users will be redirected to change their passwords. Because the SAML 2.0 credentials are used to access Workfront, users need to be redirected to a page where they can change their SAML 2.0 password instead of completing this activity through Workfront.
    Secure Hash Algorithm: Select the Secure Hash Algorithm (SHA) that your IDP supports for signing. Select from the following options:
    - SHA-1
    - SHA-256
    Choose SHA-256 unless your IDP cannot sign with it. SHA-1 is deprecated for digital signatures and practical collision attacks against it have been demonstrated, so it should only be a temporary choice while the IDP is upgraded.
    Auto-Provision Users: When this option is enabled, Workfront automatically creates a user in the system when a new user with a directory username and password attempts to log in to Workfront for the first time. In order for users to be created in Workfront, you need to map Workfront data attributes with the following user data attributes in your directory provider:
    - First Name
    - Last Name
    - Email Address
    When this option is enabled, the Map User Attributes dialog box opens.
    Select the Workfront User Attribute that you want to map from the drop-down list, then specify the corresponding Directory Attribute in the user directory. The Directory Attribute field should contain the Directory Attribute Name from the User Attribute table you saved when successfully testing your SAML 2.0 configuration. You can set a Default Workfront Value in the Default Value field. You can also set rules based on the values from your SAML 2.0 Identity Provider. 
    Warning Workfront applies these mappings every time a user logs into the system, not only when the user is first provisioned. Because of this, we do not recommend mapping Access Level: a missing or incorrectly mapped attribute can remove administrative access from every administrator on their next login.
    Click Add Mapping to add additional rules.
    You can map the following Workfront attributes:
    - Access Level
    - Address
    - Address2
    - Billing Per Hour
    - City
    - Company
    - Cost Per Hour
    - Email Address
    - Extension
    - First Name
    - Home Group
    - Home Team
    - Job Role
    - Last Name
    - Layout Template
    - Manager
    - Mobile Phone
    - Phone Number
    - Postal Code
    - Schedule
    - State
    - Timesheet Profile
    - Title
    Click Save.
    Certificate: Upload the X.509 certificate that your identity provider uses to sign SAML responses. Workfront uses it to verify that assertions genuinely come from your IDP, which is what secures the connection between the authentication service and Workfront. For OnDemand accounts, a certificate is always required. You can obtain this certificate from your SAML 2.0 system administrator; it is normally also contained in the Identity Provider Metadata file.
    Admin Exemption: Select this option to allow system administrators to access Workfront using their Workfront login. If this option is not selected, Workfront administrators must use their SAML 2.0 user name and password.
    Workfront first attempts to log in users with the Workfront System Administrator access level via SAML 2.0. If the SAML 2.0 authentication fails, Workfront falls back to local authentication for those administrators.
    We recommend that you always have this option selected, so that your system administrator can still log in to Workfront if your SAML 2.0 provider is temporarily unavailable. Because this is a path around SSO, keep the number of users with the System Administrator access level small and make sure their Workfront passwords are strong and unique: those passwords are not covered by the identity provider's policies.
    Enable: Select this option to activate SSO on the Workfront system. Ensure that you have communicated login instructions to your users.
    NOTE After you enable your SSO configuration in Workfront, you must update users for SSO to enable the Only Allow SAML 2.0 Authentication setting for all users.
    For more information about updating users for SSO, see "Updating Users for SSO".
    For more information about user settings, see "Editing User Accounts."

    Confirm Configuration: Click Test Connection to verify that Workfront and the SAML 2.0 Identity Provider can communicate with each other. This connection is successful only if you exchanged the XML files.
    After you successfully test the link between your SAML 2.0 Identity Provider and Workfront, you see a screen similar to screen below.
    NOTE This screen is displayed in a browser pop-up, so ensure that you disable pop-up blockers in your browser.
    Save the information displayed in the table for later use.
  6. Click Save to save the SAML 2.0 configuration.
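
The two metadata files exchanged in steps 4 and 5 contain everything the form above asks for, so it is worth reading them before pasting values by hand. The following Python is an added example, not Workfront's or Adobe's code: it parses a constructed Service Provider metadata file (standing in for the one downloaded in step 4) and a constructed Identity Provider metadata file (standing in for the one exported from the IDP), pulls out the entity ID, the single sign-on and logout endpoints and the signing certificate, and maps them onto the form fields named above. The entity IDs, URLs and certificate body are placeholders; the refusal of non-HTTPS endpoints and the SHA-256 preference are the editor's checks, not anything Workfront enforces.

```python
import xml.etree.ElementTree as ET

# Added example; not Workfront's or Adobe's code. Both metadata documents
# below are constructed samples with placeholder entity IDs, URLs and a
# placeholder certificate body.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDINGS = {
    "HTTP-POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "HTTP-Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}

# Stand-in for the file saved from "Download SAML 2.0 Metadata" (step 4).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.my.workfront.com/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.my.workfront.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Stand-in for the Identity Provider Metadata exported from the IDP (step 5).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          MIICplaceholderCertificateBody=
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return Workfront's entity ID and its assertion consumer endpoints."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs": [(e.get("Binding"), e.get("Location"))
                for e in sp.findall("md:AssertionConsumerService", NS)],
        "wants_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


def parse_idp_metadata(xml_text):
    """Return the IDP's SSO/SLO endpoints per binding and its signing certificate(s)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            certs += ["".join(c.text.split()) for c in kd.findall(".//ds:X509Certificate", NS)]

    def endpoints(tag):
        return {e.get("Binding"): e.get("Location") for e in idp.findall(tag, NS)}

    return {
        "entity_id": root.get("entityID"),
        "sso": endpoints("md:SingleSignOnService"),
        "slo": endpoints("md:SingleLogoutService"),
        "signing_certs": certs,
    }


def workfront_form_values(sp, idp, binding="HTTP-POST"):
    """Map the parsed metadata onto the fields of the Workfront SSO form, refusing
    combinations that cannot work (no endpoint for the binding, no signing
    certificate) or that would expose the exchange (non-HTTPS endpoints)."""
    uri = BINDINGS[binding]
    if uri not in idp["sso"]:
        raise ValueError(f"IDP offers no SingleSignOnService over {binding}")
    if not idp["signing_certs"]:
        raise ValueError("IDP metadata carries no signing certificate")
    # Prefer the logout endpoint for the chosen binding, else any the IDP publishes.
    slo = idp["slo"].get(uri) or next(iter(idp["slo"].values()), None)
    for url in [idp["sso"][uri], slo] + [loc for _, loc in sp["acs"]]:
        if url and not url.startswith("https://"):
            raise ValueError(f"non-HTTPS endpoint in metadata: {url}")
    return {
        "Service Provider": sp["entity_id"],
        "Binding Type": binding,
        "Login Portal URL": idp["sso"][uri],
        "Sign-Out URL": slo,                 # None if the IDP publishes no SLO endpoint
        "Certificate": idp["signing_certs"][0],
        "Secure Hash Algorithm": "SHA-256",  # editor's preference; SHA-1 only if the IDP cannot do better
    }


if __name__ == "__main__":
    sp = parse_sp_metadata(SP_METADATA)
    idp = parse_idp_metadata(IDP_METADATA)
    for field, value in workfront_form_values(sp, idp).items():
        print(f"{field}: {value}")
```

To use it on the real files, read them with open() and pass the text to the two parse functions. The Test Connection step in the procedure is still what proves the exchange works; this only catches mismatches (wrong binding, missing certificate, plaintext endpoints) before you click Save.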

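The attribute-mapping part of step 5 is easier to reason about with the data in front of you. The following Python is an added example, not Workfront's code: it reads the AttributeStatement of a constructed SAML assertion (the kind of values the Test Connection table lists), applies a mapping table shaped like the rows of the Map User Attributes dialog, and then shows concretely why the warning about mapping Access Level exists. Everything in it is assumed for illustration: the directory attribute names (givenName, sn, mail, department, title, wfAccessLevel), the mapping rows, and the rule that the Default Value is used when the directory attribute is absent from the assertion, which is the natural reading of the dialog but not something this page states.

```python
import xml.etree.ElementTree as ET

# Added example; not Workfront's code. The assertion, attribute names and
# mapping rows are constructed for illustration.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement, the kind of data the Test Connection table lists.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Engineering</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Attributes Workfront needs before it will create a user (Auto-Provision Users).
REQUIRED_FOR_PROVISIONING = ("First Name", "Last Name", "Email Address")

# One dict per row of the Map User Attributes dialog. "rules" translates a
# directory value into a Workfront value; "default" is used when the directory
# attribute is absent from the assertion (assumed semantics, see lead-in).
MAPPINGS = [
    {"workfront": "First Name", "directory": "givenName"},
    {"workfront": "Last Name", "directory": "sn"},
    {"workfront": "Email Address", "directory": "mail"},
    {"workfront": "Home Group", "directory": "department", "default": "General",
     "rules": {"Engineering": "Product Engineering"}},
    {"workfront": "Job Role", "directory": "title", "default": "Contributor"},
]


def directory_attributes(assertion_xml):
    """Return {directory attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    return {
        a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", SAML_NS)]
        for a in root.findall(".//saml:Attribute", SAML_NS)
    }


def apply_mappings(attrs, mappings, existing=None):
    """Produce the Workfront user record that a login with these attributes yields.

    existing is the current record of a returning user (mappings are applied on
    every login, not only at provisioning), or None for a first login, where
    auto-provisioning needs First Name, Last Name and Email Address to resolve.
    """
    user = dict(existing or {})
    for m in mappings:
        values = attrs.get(m["directory"], [])
        value = values[0] if values else m.get("default")   # first value of a multi-valued attribute
        if value is not None:
            value = m.get("rules", {}).get(value, value)
            user[m["workfront"]] = value
    if existing is None:
        missing = [f for f in REQUIRED_FOR_PROVISIONING if not user.get(f)]
        if missing:
            raise ValueError(f"cannot auto-provision user: no value for {missing}")
    return user


def lint_mappings(mappings):
    """Return the mapped Workfront attributes that change authorization on every login."""
    return [m["workfront"] for m in mappings if m["workfront"] == "Access Level"]


if __name__ == "__main__":
    attrs = directory_attributes(SAMPLE_ASSERTION)
    print(apply_mappings(attrs, MAPPINGS))
    # Why the warning matters: the IDP never sends "wfAccessLevel", so the
    # default replaces the administrator's access level on the next login.
    risky = MAPPINGS + [{"workfront": "Access Level", "directory": "wfAccessLevel",
                         "default": "Requester"}]
    admin = {"Email Address": "ada@example.com", "Access Level": "System Administrator"}
    print(apply_mappings(attrs, risky, existing=admin)["Access Level"])
    print(lint_mappings(risky))
```

The second run in the main block is the scenario the warning describes: nothing is wrong with the assertion, the mapping row simply points at an attribute the IDP does not release, and the administrator is downgraded on the next login. Running lint_mappings over the rows you intend to configure is a cheap way to catch that before the first administrator locks themselves out.
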
Enabling Outlook to Be Used with Workfront and SAML 2.0

In order for users to be able to log in to Workfront from Outlook using their SAML 2.0 credentials you must ensure that the SAML 2.0 authentication with Office add-ins is enabled:

  1. Navigate to the Setup area in the Global Navigation Bar.
  2. Expand System, then click Preferences.
  3. In the Security section, ensure that the Allow SAML 2.0 authentication in Office 365 add-ins option is enabled.
    This option allows Workfront to be embedded in an iframe only for Office 365 add-ins, which the add-in needs in order to complete the SAML 2.0 login. It does not create a clickjacking exposure, because no clickable Workfront content is involved, and framing is not opened up for any other site.
    This option is enabled by default.

    NOTE If you enable Allow embedding of Workfront in an iframe, the Allow SAML 2.0 authentication in Office 365 add-ins option is dimmed and shown as enabled, because the broader setting already permits embedding.

  4. Click Save.
    The changes that you saved here affect the experience of all the users in Workfront. 


This article last updated on 2019-03-25 17:18:55 UTC