So you're ready to start thinking about enabling Single Sign-On (SSO) for Workfront and launching it to the masses. Before you switch over to SSO and send your users to train in Workfront Ascent, there are a few considerations that you should be aware of:
- If you enable SAML 2.0 SSO, any users in Workfront Ascent will no longer be able to access Workfront Ascent with their Workfront credentials. You will need to work with Workfront Support to create new accounts for these users.
- There is a workaround in the Workfront user settings that allows users to log into the instance both with SSO and with a non-SSO login. This will allow your users to log in to Workfront Ascent or the Help site without going through Workfront Support, but it requires two sets of passwords for the user.
- If you would like to manage your users in Workfront Ascent, you will need to submit a CSV with your user's information to Workfront Support.
More details on these topics can be found below.
The Workfront Ascent authentication system is based on user accounts in Workfront. When you create a new account or log in, the authentication system looks to see if it can find your email address as a valid user in any Workfront instance. However, we can't pass login information from accounts with SAML 2.0 SSO. If you only allow SAML 2.0 authentication in your instance, Workfront Support will have to create new accounts for you in a non-SAML 2.0-authenticating instance of Workfront.
1. Creating new accounts for users with SAML 2.0 SSO
If you've determined that you only want to allow SSO authentication with Workfront and you want your users to log in to Workfront Ascent, you will need to work with Workfront Support to make this happen. At a minimum, the support team will need to know the user's first name, last name, and email address. Submit a ticket with this information and the support team will add the users and create generic passwords for each user listed. Once the accounts have been created, you can then communicate the login information to all of your users for them to access Ascent. For more information on logging in, see “How to Access Workfront Ascent”
If you would also like to have manager access over your users in Workfront Ascent, you will need to submit a specific CSV template for the support team to use. See note 3 below.
2. Allowing SSO to be Bypassed for Ascent Access
Workfront offers a user setting that allows users to log in with SSO in addition to a standard non-SSO password. They would control the non-SSO password directly from your Workfront instance. This can also come in handy if your SSO system happens to be down and users need to access Workfront.
Our recommendation is to first have new users create a non-SSO password and then enable SSO for that user.
It's important for users to remember that these two passwords are different. If they change their SSO password, this does not impact the non-SSO password.
The users can now access Workfront Ascent or the Help Center without having to go through the Workfront support team to add users to a different system.
3. Manage User Learning in Workfront Ascent
Workfront Ascent allows users to act in a Manager role. This means that you are able to grant access to certain users so they can view training progress and assign courses or deadlines to others. That way, managers can become more involved and gain direct insight into how your users are learning. For an overview of these extra abilities, see “Managers in Workfront Ascent.”
In order to enable this functionality, you will need to submit a user template with additional fields filled out so Workfront Ascent knows who manages each user and what training you would like to automatically assign, if any. For complete instructions and access to this template, see “How to Bulk Enroll or Edit Your Users in Workfront Ascent” on the training support site.