Troubleshooting ADFS Issues
Before using ADFS, you should be able to establish a successful test connection.
If you get a successful test connection and you are still experiencing issues, you might have incorrect attribute mappings, or there might be missing or incorrect federation IDs.
 
Establishing the Connection
 
NOTE If you are using IdP-initiated SSO, Test Connection will not work, because it is based on SP-initiated SSO. We recommend testing SP-initiated SSO before switching to IdP-initiated SSO.
  1. Provide a full-page screenshot of the SSO setup page (Setup > SSO > Edit Settings > Edit Configuration), including the Certificate section and the full address bar.
  2. Run Test Connection.
  3. If you get an error at this point, it is beneficial to remove all configuration and run through the setup located at the following URL:
    https://support.workfront.com/hc/en-us/articles/216649668-Setting-Up-Single-Sign-on-with-SAML-2-0-using-ADFS
  4. If you still get an error, see the error message below for solutions; some errors may have multiple causes.

Error Message Causes
You might receive the following error messages as you establish the connection to ADFS. Possible causes are explained below:
 
SAML 2.0 Error: Primary StatusCode
Cause 1 - Secure Hash Algorithm Set to SHA-256

Solution 1
  1. On the ADFS server, navigate to the relying party trust.
  2. Right-click the Workfront relying party, then select Properties.
  3. Click the Advanced tab, then in the Secure hash algorithm drop-down select SHA-1.
 
Cause 2 - The ADFS signing certificate is about to expire and has been replaced by a new certificate, and the validity dates overlap
 
Solution
You need to manually pull the new signing certificate from the ADFS server:
  1. In Windows, click Start > Administration > ADFS 2.0 Management.
    The ADFS 2.0 Management dialog box is displayed.
  2. Click Certificates.
    NOTE One way to recognize this cause is by the expiration date: the Workfront SSO setup page will show a certificate date that is either expired or about to expire.
 
Cause 3 - Certificate revocation check failing

Solution
Run the following PowerShell commands, replacing DOMAIN with your domain:

  1. In Windows, click Start > Administrative Tools > Windows PowerShell Modules.
  2. In the PowerShell window, type:
    Set-ADFSRelyingPartyTrust -TargetIdentifier "DOMAIN.my.workfront.com/SAML2" -SigningCertificateRevocationCheck None
    1. "DOMAIN.my.workfront.com/SAML2" will be the identifier of your relying party trust as displayed in the ADFS Management console.
  3. Then run:
    Set-ADFSRelyingPartyTrust -TargetIdentifier "DOMAIN.my.workfront.com/SAML2" -EncryptionCertificateRevocationCheck None

SAML 2.0 Error: User Identifier Not Found
Cause - Claims on the ADFS server are incorrect

Solution
On the ADFS server, make sure there is a claim for Name ID:
 
  1. In Windows, click Start > Administration > ADFS 2.0 Management.
    The ADFS 2.0 Management dialog box is displayed.
  2. Select Trust Relationships > Relying Party Trusts in the left-hand pane.
  3. Find the relying party trust for Workfront, right-click it, and select Edit Claim Rules.
  4. Verify that there is a claim rule with an Outgoing Claim Type of Name ID.
 
Could not validate XML digital signature
 
Cause 1 - Encryption certificate is being used instead of the signing certificate
The certificate pulled from the metadata was the encryption certificate instead of the signing certificate.
NOTE One sign that this is the case is that the common name of the certificate shown in the SSO setup page will be "Common Name (CN) ADFS Encryption".

Solution 1
Select the ADFS metadata in the Single Sign-On setup page again, then click Save until the signing certificate is displayed instead of the encryption certificate.
 
Solution 2
Manually get the certificate from the ADFS server:
    1. Navigate to ADFS Management.
    2. Select the Certificates folder on the left.
    3. Export the signing certificate in Base-64 encoded format.
    4. Manually import the certificate into Workfront.

Cause 2 - The certificate is incorrect

Solution
Manually get the certificate from the ADFS server:
    1. Navigate to ADFS Management.
    2. Select the Certificates folder on the left.
    3. Export the signing certificate in Base-64 encoded format.
    4. Manually import the certificate into Workfront.
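The following script is an added diagnostic, not part of the Workfront article, that checks the causes listed above in one pass on the ADFS server: the relying party's hash algorithm and revocation-check settings, whether a Name ID claim rule exists, the expiry and overlap of the token-signing certificates, and it exports the primary token-signing certificate (not the token-decrypting one) in Base-64 format for manual import. It assumes the placeholder identifier "DOMAIN.my.workfront.com/SAML2" from the article and an elevated PowerShell session on the ADFS server.

```powershell
# Added diagnostic for the ADFS causes described in this article (assumes ADFS cmdlets are available).
# ADFS 2.0 ships its cmdlets as a snap-in; later versions ship the ADFS module.
Import-Module ADFS -ErrorAction SilentlyContinue
if (-not (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

# Placeholder from the article: replace DOMAIN with your own Workfront domain.
$identifier = "DOMAIN.my.workfront.com/SAML2"
$rp = Get-AdfsRelyingPartyTrust -Identifier $identifier
if (-not $rp) { throw "No relying party trust with identifier '$identifier' was found." }

# Cause: Secure hash algorithm (article's fix: SHA-1). Report what is configured.
"Signature algorithm           : $($rp.SignatureAlgorithm)"

# Cause: certificate revocation checks failing (article sets both to None).
"Signing cert revocation check : $($rp.SigningCertificateRevocationCheck)"
"Encryption cert rev. check    : $($rp.EncryptionCertificateRevocationCheck)"

# Cause: User Identifier Not Found. Look for the Name ID claim type in the issuance transform rules.
$nameIdType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$hasNameId  = $rp.IssuanceTransformRules -like "*$nameIdType*"
"Name ID claim rule present    : $hasNameId"

# Cause: expiring / overlapping token-signing certificates. List every one with days remaining.
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object IsPrimary, Thumbprint,
        @{ n = 'Subject';  e = { $_.Certificate.Subject } },
        @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } },
        @{ n = 'DaysLeft'; e = { [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays } } |
    Format-Table -AutoSize

# Cause: encryption certificate imported instead of the signing certificate.
# Export the PRIMARY token-signing certificate as Base-64 (PEM) for manual import into Workfront.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der     = $primary.Certificate.Export('Cert')
$b64     = [Convert]::ToBase64String($der, 'InsertLineBreaks')
$pem     = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
$outFile = Join-Path $env:USERPROFILE 'adfs-token-signing.cer'
Set-Content -Path $outFile -Value $pem
"Exported primary token-signing certificate ($($primary.Certificate.Subject)) to $outFile"
```

If the exported subject contains "ADFS Encryption" rather than "ADFS Signing", the wrong certificate type was selected; only Token-Signing certificates should be imported into Workfront.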