Follow
Error Message: SAML 2.0 Error: Primary StatusCode

Problem

You are unable to establish a successful connection to ADFS.

SAML_2.0_Error_Primary_Status_Code.png

NOTE If you establish a successful test connection and you are still experiencing issues, you might have incorrect attribute mappings or issues with the federation IDs. Contact customer support with questions.

Cause 1: Secure hash algorithm is set to SHA-256
 
Solution
  1. In Windows, click Start > Administration > ADFS 2.0 Management.
    The ADFS 2.0 Management dialog box is displayed.
  2. Select Trust Relationship > Relying Party Trusts in the left-hand pane.
  3.  Right-click on the relying party trust related to Workfront, then select Properties.
  4.  Click on the Advanced tab, then select SHA-1 from the Secure hash algorithm drop-down menu.
    1.png
 
Cause 2: ADFS Signing Certificate is about to expire and has been replaced by a new Certificate with overlapping dates
 
Solution
The Workfront SSO Setup Page lists the certificate expiration date. If the certificate is about to expire, you need to manually pull the New Signing Certificate from the ADFS Server:
  1. In Windows, click Start > Administration > ADFS 2.0 Management.
    The ADFS 2.0 Management dialog box is displayed.
  2. Select Trust Relationship > Relying Party Trusts in the left-hand pane.
  3. Right-click on the relying party trust related to Workfront, and select Properties.
  4. Click on the Signature tab.
  5. Click on the name of the Signing Certificate, and click View.
  6. Click Copy to File..., and select Next.
  7. Select Base-64 encoded x.509 (CER), and click Next.
  8. Specify the file name, and click Next.
  9. Click Finish.
  10. In Workfront, navigate to Setup > System > Single Sign-On (SSO) and manually upload the Signing Certificate.
Cause 3: Certificate revocation check is failing

Solution
Run the following PowerShell Commands replacing domain with their Domain:
  1. In Windows, click Start > Administrative Tools > Windows Powershell Modules.
  2. In the Powershell window, type:
    Set-ADFSRelyingPartyTrust -TargetIdentifier "DOMAIN.my.workfront.com/SAML2" -SigningCertificateRevocationCheck None 
    1. The "DOMAIN.my.workfront.com/SAML2" will be the identifier name of your relying party trust as displayed int he ADFS Management console.
  3. Then run
    Set-ADFSRelyingPartyTrust -TargetIdentifier "DOMAIN.my.workfront.com/SAML2" -EncryptionCertificateRevocationCheck None 
This article last updated on 2018-06-12 21:47:18 UTC