Understanding Workfront and SAML users
This article focuses specifically on Workfront and SAML and does not cover other SSO authentication methods such as AD and LDAP.
Workfront credentials are stored in the Workfront database: the user's email address is their Workfront username, and their Workfront password is stored there as well. These credentials are replicated into the preview and configurable sandboxes.
SAML credentials are stored in an external SAML system, such as Microsoft's AD FS. They are not stored in Workfront.
During user creation, Workfront detects whether SAML 2.0 is configured and, if it is, defaults to "Only Allow SAML 2.0 Authentication" for the user.
If the "Send an invite email to this person" box is checked during user creation, Workfront disables "Only Allow SAML 2.0 Authentication" and hides this option. Checking "Send an invite email to this person" indicates that you intend this to be a Workfront (non-SAML / SSO) user.
After user creation, you can edit the user and check "Only Allow SAML 2.0 Authentication". The user and password are then controlled by the SAML system, and the user no longer uses Workfront credentials.
With this option checked, the user is only allowed to log in via SAML. When they go to the Workfront URL, they are automatically redirected to the SAML system, which asks for their SAML username and password.