Configuring Workfront with LDAP


IMPORTANT LDAP is now supported only in a limited capacity as a Single Sign-On (SSO) option; it will be removed from the product in the second half of 2019.

Following is the removal timeline for LDAP as an SSO option:

  • Limited support: August 2018 - January 2019
  • Deprecation: January 2019 - August 2019
  • No longer available in Workfront: August 2019

To connect Workfront with an LDAP Directory Server: 

  1. Navigate to the Setup area in the Global Navigation Bar.
  2. In the Type drop-down list, select LDAP.
  3. Specify the following information:
    Server: The URL of the LDAP server where your directory service is running.
    For example, ldap://
    Or, if the LDAP server requires an SSL connection, ldaps://  
    Port: The port number used for LDAP communication. The default port number for non-secure LDAP connections is 389. The default port number for secure LDAP connections (LDAPS) is 636.
    Search Base: Specify where in the LDAP directory tree Workfront should find and synchronize initial user information from User objects. This is the container where Workfront begins searching for users on the LDAP server.
    Use the following format: ou=people,dc=example,dc=com
    SSL/TLS: Select this option to encrypt communication between the LDAP server and Workfront. This option is enforced for all OnDemand accounts.
    Auto-Provision Users: When this option is enabled, Workfront automatically creates a user in the system when a new user with an LDAP username and password attempts to log in to Workfront for the first time. In order for users to be created in Workfront, you need to map Workfront data attributes with the LDAP data attributes. 
    Attribute Synchronization: Click Map User Attributes, select the Workfront User Attribute that you want to map from the drop-down list, then specify the corresponding Directory Attribute in the Active Directory server. You can also specify a Default Value for the attribute if you want one to be set. Click Add Mapping to include additional attributes, then click Save when you are finished.
    NOTE Workfront attempts to map these attributes every time a user with these attributes logs into the system. If you have existing users in the system, make sure you are not overwriting their current access level, or any other attributes, by applying this mapping. 
    You can map the following Workfront attributes:
    - Access Level
    - Address
    - Address2
    - Billing Per Hour
    - City
    - Company
    - Cost Per Hour
    - Email Address
    - Extension
    - First Name
    - Home Group
    - Home Team
    - Job Role
    - Last Name
    - Layout Template
    - Manager
    - Mobile Phone
    - Phone Number
    - Postal Code
    - Schedule
    - State
    - Timesheet Profile
    - Title
    If a user attempts to log in without using SSO and was created using auto-provisioning, it will appear that their login is not working, or that their username/password combination is wrong. The user will either need to log in using their email address and Workfront password, or obtain the correct credentials for logging in using LDAP.
    Change Password URL: Specify a URL that will take users to a site where they can reset their user name or password.
    This URL is used when Workfront users attempt to change their password through the Workfront interface. Because the LDAP credentials are used to access Workfront, users need to be redirected to a page where they can change their LDAP password instead of completing this activity through Workfront.
    Certificate: If SSL/TLS is selected, you must upload a valid SSL certificate to ensure a secure connection between the directory service and Workfront. For OnDemand accounts, a certificate is always required. You obtain this certificate from your LDAP system administrator. Detailed instructions on installing a valid certificate for LDAPS are available from Microsoft.
    Admin Exemption: Select this option to allow system administrators to access Workfront via the native Workfront login screen with Workfront login credentials. If this option is not selected, Workfront administrators must use their LDAP user name and password.
    For users with the Workfront System Administrator access level, Workfront first attempts to authenticate via LDAP. If the LDAP authentication fails, Workfront uses local authentication for Workfront administrators.
    We recommend that you always have this option selected, so that your system administrator can still log in to Workfront if your LDAP server is temporarily unavailable.
    Enable: Select this option to activate SSO on the Workfront system. Ensure that you have communicated login instructions to your users.
    NOTE After you enable your SSO configuration in Workfront, you must update users for SSO to enable the Only Allow LDAP Authentication setting for all users.
    For more information about updating users for SSO, see "Updating Users for SSO".
    For more information about user settings, see "Editing User Accounts."

    Confirm Configuration: Verify that your Workfront account can connect to the LDAP server using the connection information and credentials provided.
    Click Test Connection, then specify the Username and Password for accessing the directory service, then click Test Connection.
    You should receive an on-screen notification that the connection was successful. 
  4. Click Save to save the LDAP configuration.
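
The settings in step 3 depend on each other (URL scheme, port, SSL/TLS, certificate, Admin Exemption, attribute mappings), so it helps to review them together before selecting Enable. The following pre-flight check is an added example, not Workfront code: the dictionary keys, the host dir.example.com, the file name ldap-ca.pem and the sample mappings are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# One component of the Search Base, e.g. "ou=people" or "dc=example".
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=+]+$")

def check_ldap_settings(cfg):
    """Return a list of findings for one LDAP SSO configuration (hypothetical dict)."""
    findings = []
    url = urlsplit(cfg["server"])
    secure = url.scheme == "ldaps"
    if url.scheme not in ("ldap", "ldaps"):
        findings.append("server: scheme must be ldap:// or ldaps://")
    if not url.hostname:
        findings.append("server: missing host name")
    # Scheme, SSL/TLS option and port have to agree, or binds may go out in cleartext.
    if cfg["ssl_tls"] != secure:
        findings.append("ssl_tls: option and URL scheme disagree")
    if not cfg["ssl_tls"]:
        findings.append("ssl_tls: off, LDAP passwords cross the network unencrypted")
    if cfg["port"] == (389 if secure else 636):
        findings.append("port: this is the default port of the other protocol")
    if cfg["ssl_tls"] and not cfg.get("certificate"):
        findings.append("certificate: required when SSL/TLS is selected")
    rdns = [p.strip() for p in cfg["search_base"].split(",")]
    if not all(RDN.match(p) for p in rdns) or not any(p.lower().startswith("dc=") for p in rdns):
        findings.append("search_base: expected a DN such as ou=people,dc=example,dc=com")
    if not cfg["admin_exemption"]:
        findings.append("admin_exemption: off, no local admin login if the LDAP server is down")
    # Mappings are applied at every login, so they can overwrite existing users.
    for m in cfg.get("mappings", []):
        if m["workfront"] == "Access Level":
            findings.append("mappings: Access Level is re-mapped at each login, review existing users")
    return findings

# Constructed sample settings (not from a real deployment).
WEAK = {"server": "ldap://dir.example.com", "port": 636, "ssl_tls": False,
        "search_base": "people.example.com", "admin_exemption": False,
        "mappings": [{"workfront": "Access Level", "directory": "title", "default": "Plan"}]}
FIXED = {"server": "ldaps://dir.example.com", "port": 636, "ssl_tls": True,
         "certificate": "ldap-ca.pem", "search_base": "ou=people,dc=example,dc=com",
         "admin_exemption": True,
         "mappings": [{"workfront": "Email Address", "directory": "mail"}]}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(name, check_ldap_settings(cfg) or "no findings")
```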
This article last updated on 2018-09-06 22:26:34 UTC