Configuring Workfront with Active Directory


IMPORTANT Active Directory is now supported only in a limited capacity as a Single Sign-On (SSO) option; it will be removed from the product in the second half of 2019.

Following is the removal timeline for Active Directory as an SSO option:

  • Limited support: August 2018 - January 2019
  • Deprecation: January 2019 - August 2019
  • No longer available in Workfront: August 2019

To connect Workfront with an Active Directory Server:

  1. Navigate to the Setup area in the Global Navigation Bar.
  2. Expand System, then click Single Sign-On (SSO).
  3. In the Type drop-down list, select Active Directory.
  4. Specify the following information:
    Server: The URL of the Active Directory server where your directory service is running.
    For example, ldap://
    If the Active Directory server requires an SSL connection, the URL is, for example: ldaps://
    Port: The port number used for LDAP communication with the Active Directory server. The default port number for non-secure LDAP connections is 389. The default port number for secure LDAP connections (LDAPS) is 636.
    Search Base: Specify where in the LDAP directory tree Workfront should find and synchronize initial user information from User objects. This is the container where Workfront begins searching for users on the Active Directory server.
    Use the following format: ou=people,dc=example,dc=com
    Active Directory Domain: Specify the Windows domain of the Active Directory connection. Obtain this information from your Active Directory system administrator. 
    SSL/TLS: Select this option to encrypt communication between the Active Directory server and Workfront. This option is enforced for all OnDemand accounts.
    Auto-Provision Users: When this option is enabled, Workfront automatically creates a user in the system when a new user with a user name and password in Active Directory attempts to log in to Workfront for the first time. In order for users to be created in Workfront, you need to map Workfront data attributes with the data attributes in Active Directory. See the explanation about Attribute Synchronization below.
    Attribute Synchronization: Click Map User Attributes, select the Workfront User Attribute that you want to map from the drop-down list, then specify the corresponding Directory Attribute in the Active Directory server. You can also specify a Default Value for the attribute if you want one to be set. Click Add Mapping to include additional attributes, then click Save when you are finished.
    When a discrepancy exists between user information in Workfront and Active Directory, and Active Directory is enabled, the information in Active Directory updates the user information in Workfront.
    NOTE Workfront attempts to map these attributes every time a user with these attributes logs into the system. If you have existing users in the system, make sure you are not overwriting their current access level, or any other attributes, by applying this mapping.
    You can map the following Workfront attributes:
    - Access Level
    - Address
    - Address2
    - Billing Per Hour
    - City
    - Company
    - Cost Per Hour
    - Email Address
    - Extension
    - First Name
    - Home Group
    - Home Team
    - Job Role
    - Last Name
    - Layout Template
    - Manager
    - Mobile Phone
    - Phone Number
    - Postal Code
    - Schedule
    - State
    - Timesheet Profile
    - Title
    Change Password URL: Specify a URL where users can reset their user name or password.
    This URL is used when Workfront users attempt to change their password through the Workfront interface. Because the Active Directory credentials are used to access Workfront, users need to be redirected to a page where they can change their password in Active Directory instead of completing this activity through Workfront.
    Certificate: If SSL/TLS is selected, you must upload a valid SSL certificate to ensure a secure connection between the directory service and Workfront. For OnDemand accounts, a certificate is always required.
    Admin Exemption: Select this option to allow system administrators to access Workfront via the native Workfront login screen with Workfront login credentials. If this option is not selected, Workfront administrators must use their Active Directory user name and password.
    For users with the Workfront System Administrator access level, Workfront first attempts to log in via LDAP. If the authentication to Active Directory fails, Workfront uses Workfront authentication for system administrators.
    We recommend that you always have this option selected, so that your system administrator has a way to log in to Workfront in the event that your LDAP server is temporarily unavailable.
    Enable: Select this option to activate SSO on the Workfront system. Ensure that you have communicated login instructions to your users.
    NOTE After you enable your SSO configuration in Workfront, you must update users for SSO to enable the Only Allow Active Directory Authentication setting for all users.
    For more information about updating users for SSO, see "Updating Users for SSO".
    For more information about user settings, see "Editing User Accounts."

    Confirm Configuration: Verify that your Workfront account can connect to the Active Directory server using the connection information and credentials provided. Click Test Connection.
    Specify the Username and Password for a user who can successfully log in to your environment using Active Directory. These are their Active Directory credentials.
    Click Test Connection to test the connection from Workfront to your Active Directory server. 
    You should receive an on-screen confirmation when the connection is successful. 
  5. Click Save to save the Active Directory configuration.
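
The connection fields in step 4 have to agree with each other (URL scheme, port, SSL/TLS, certificate), and the Search Base has to be a distinguished name. The following pre-flight check is an added example, not Workfront code: the dictionary keys are hypothetical names for the form fields, and the host name and certificate value are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# One RDN such as "ou=people": attribute type, "=", non-empty value.
RDN = re.compile(r'^\s*[A-Za-z][A-Za-z0-9-]*=(?:[^,+"\\<>;=]|\\.)+$')

def check_sso_settings(cfg):
    """Return (field, problem) pairs; cfg keys are hypothetical names for the form fields."""
    out = []
    url = urlsplit(cfg.get("server", ""))
    scheme, tls, port = url.scheme.lower(), bool(cfg.get("ssl_tls")), cfg.get("port")
    if scheme not in ("ldap", "ldaps") or not url.hostname:
        out.append(("server", "expected ldap://<host> or ldaps://<host>"))
    elif (scheme == "ldaps") != tls:
        out.append(("server", "URL scheme and SSL/TLS option disagree"))
    if not tls:
        out.append(("ssl_tls", "credentials would cross the network unencrypted"))
    elif not cfg.get("certificate"):
        out.append(("certificate", "SSL/TLS selected but no certificate supplied"))
    # 389 is the non-secure default and 636 the LDAPS default; flag a crossed pairing.
    if (tls and port == 389) or (not tls and port == 636):
        out.append(("port", f"port {port} is the default for the other mode"))
    # Split on commas that are not backslash-escaped, then validate each RDN.
    rdns = re.split(r"(?<!\\),", cfg.get("search_base", ""))
    if not all(RDN.match(r) for r in rdns):
        out.append(("search_base", "not a DN like ou=people,dc=example,dc=com"))
    if not cfg.get("admin_exemption"):
        out.append(("admin_exemption", "no native login if LDAP is unavailable"))
    return out

# Constructed sample settings (not taken from any real deployment).
GOOD = {"server": "ldaps://dc01.example.com", "port": 636, "ssl_tls": True,
        "certificate": "<PEM placeholder>", "admin_exemption": True,
        "search_base": "ou=people,dc=example,dc=com"}
WEAK = {"server": "ldap://dc01.example.com", "port": 389, "ssl_tls": False,
        "admin_exemption": False, "search_base": "people.example.com"}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, check_sso_settings(cfg))
```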
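
Because mapped attributes are applied every time a user logs in, a dry run over existing accounts shows which users would have their Access Level changed before the mapping is saved. This is an added example, not Workfront code: the mapping structure, the directory attribute chosen for Access Level, the "Reviewer" level name and all user data are constructed, and it assumes the Default Value is applied when the directory attribute is absent, which the article does not state.

```python
SENSITIVE = {"Access Level"}  # the attribute the NOTE above singles out

def incoming_value(mapping, entry):
    """Value the sync would write: first directory value, else the mapping default.
    Assumption: the Default Value applies when the directory attribute is absent."""
    values = entry.get(mapping["directory"]) or []
    return values[0] if values else mapping.get("default")

def preview_sync(mappings, entry, current):
    """Return {workfront_attr: (current, incoming)} for every value that would change."""
    changes = {}
    for m in mappings:
        new = incoming_value(m, entry)
        old = current.get(m["workfront"])
        if new is not None and new != old:
            changes[m["workfront"]] = (old, new)
    return changes

def users_at_risk(mappings, directory, users):
    """Return only the users whose sensitive attributes would be overwritten."""
    report = {}
    for name, current in users.items():
        changes = preview_sync(mappings, directory.get(name, {}), current)
        hits = {k: v for k, v in changes.items() if k in SENSITIVE}
        if hits:
            report[name] = hits
    return report

# Constructed sample data: directory entries are attribute -> list of values.
MAPPINGS = [
    {"workfront": "Access Level", "directory": "extensionAttribute1", "default": "Reviewer"},
    {"workfront": "Title", "directory": "title"},
    {"workfront": "Email Address", "directory": "mail"},
]
DIRECTORY = {
    "asmith": {"title": ["IT Manager"], "mail": ["asmith@example.com"]},
    "bjones": {"title": ["Analyst"], "mail": ["bjones@example.com"],
               "extensionAttribute1": ["Reviewer"]},
}
USERS = {
    "asmith": {"Access Level": "System Administrator", "Title": "IT Lead",
               "Email Address": "asmith@example.com"},
    "bjones": {"Access Level": "Reviewer", "Title": "Analyst",
               "Email Address": "bjones@example.com"},
}

if __name__ == "__main__":
    print(users_at_risk(MAPPINGS, DIRECTORY, USERS))
```

In this constructed data the existing System Administrator has no value in the mapped directory attribute, so the default would replace that access level at the next login.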
This article last updated on 2018-09-06 22:27:27 UTC