Updating SAML 2.0 Metadata in Your Identity Provider When Using the Enhanced Authentication Experience

As a Workfront administrator, you can integrate Workfront single sign-on (SSO) with any Identity Provider that supports the SAML 2.0 protocol.

The following sections describe the integration process when your Workfront account has been upgraded to the enhanced authentication experience (not yet available to all organizations). For more information about the enhanced authentication experience, see "Getting Started with the Enhanced Authentication Experience." (For information about configuring SAML prior to your migration to the enhanced authentication experience, see "Updating SAML 2.0 Metadata in Your Identity Provider.")

Using Okta As Your Identity Provider

Okta is an example of an identity provider that supports SAML 2.0. This section describes how to use Okta as your identity provider. Similar steps would be required when configuring another identity provider that supports SAML 2.0.

IMPORTANT Users are mapped based on their email address. In order to log in to Workfront using Okta, you must have a user with the same (case-insensitive) email address created in your Workfront customer. [In the future, when auto-provisioning is supported, this will not be necessary.]

Complete the following sections to configure Okta as your identity provider in Workfront.

Creating a Workfront App in Okta

  1. Log in to your Okta environment. 
  2. Ensure that Classic UI is selected in the upper-left corner of the Okta interface.
  3. In the menu, click Applications > Applications.
  4. Click Add Application, then click Create New App.
  5. In the Create a New Application Integration dialog box, select SAML 2.0, then click Create.
  6. Specify a name for your Workfront app, then click Next.
    The SAML Settings page is displayed.
  7. Locate information required for the SAML Settings page:
    1. Without exiting the browser tab where the Okta interface is displayed, open a separate browser tab or window.
    2. Specify the following URL in the browser:
    3. In the resulting XML file, identify the values for entityID and Location.
    4. Copy the value from the entityID field to your system clipboard. Do not close this browser tab.
  8. Go back to the SAML Settings page that you opened in Step 6. 
  9. Paste the value from the entityID field into the Audience URI (SP Entity ID) field.
  10. In the XML file in your other browser tab, copy the value from the Location field.
  11. Paste the value from the Location field into the Single sign on URL field.
  12. Scroll to the Attribute Statements (Optional) section.
  13. In the Name field, specify email.
  14. In the Value field, specify
  15. (Optional) Add any advanced values.
  16. Click Next.
  17. Select I'm an Okta customer adding an internal app, then click Finish.
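
The lookup in steps 7 through 11 can also be scripted. The following Python sketch is an added example, not Workfront or Okta code. It assumes that the Location the steps refer to is the HTTP-POST AssertionConsumerService endpoint, since other elements in SAML 2.0 service provider metadata (such as SingleLogoutService) also carry a Location attribute. The sample metadata and its example.com values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata; the example.com values are placeholders,
# not Workfront's real entityID or endpoints.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.com/saml/logout"/>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def okta_saml_settings(metadata_xml):
    """Return the two values the Okta SAML Settings page asks for."""
    # Metadata needs no DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DTD/entity declarations not allowed in metadata")
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    # Several elements carry Location; only the ACS is the sign-on URL (assumption).
    acs = [e for e in root.iter(f"{{{MD}}}AssertionConsumerService")
           if e.get("Binding") == POST]
    if not entity_id or not acs:
        raise ValueError("entityID or HTTP-POST AssertionConsumerService missing")
    # Prefer the endpoint marked isDefault, else the lowest index.
    acs.sort(key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))
    location = acs[0].get("Location", "")
    if not location.startswith("https://"):
        raise ValueError("ACS Location is not HTTPS: " + location)
    return {"audience_uri": entity_id, "single_sign_on_url": location}


if __name__ == "__main__":
    for field, value in okta_saml_settings(SAMPLE_SP_METADATA).items():
        print(f"{field}: {value}")
```

The returned audience_uri and single_sign_on_url correspond to the Audience URI (SP Entity ID) and Single sign on URL fields on the SAML Settings page.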

Adding Your Okta Instance as an Identity Provider in Workfront

This procedure provides essential information for configuring Okta as an identity provider in Workfront. For additional information about other mappings or configuration options, see "Configuring Workfront with SAML 2.0."

  1. Download the identity provider metadata for your Okta instance:
    1. Log in to your Okta environment. 
    2. Ensure that Classic UI is selected in the upper-left corner of the Okta interface.
    3. In the menu, click Applications > Applications.
    4. Click the Workfront app that you created, as described in the section "Creating a Workfront App in Okta."
    5. On the Sign On tab, click Identity Provider metadata.
      The metadata is opened as XML in a new browser tab.
    6. Copy the URL that is displayed in the browser URL field.
  2. Log in to Workfront as the Workfront administrator.
  3. Go to the Setup area in the Global Navigation Bar.
  4. Click System > Single Sign-On (SSO).
  5. (Conditional) If you see two tabs, click the New SSO Providers tab.
    IMPORTANT Do not delete your existing SSO configuration settings in the Current SSO Provider tab until your account is updated to the enhanced authentication experience and the new SSO configuration is fully functional.
  6. Click New SSO Provider.
  7. Specify a name, such as Okta IDP, then specify a description.
  8. In the Populate fields from Identity Provider Metadata section, paste the URL that you copied in Step 1 into the Metadata URL field.
    Alternatively, you can click Choose File to upload an .xml file, but we recommend that you paste the URL.
  9. In the Map User Attributes section, in the Directory Attribute field, type email. (Email Address is already populated in the Workfront User Attribute field.)
  10. (Optional) Enable Make Default SSO Provider to send unauthenticated users to the identity provider login screen instead of to the Workfront login screen for authentication. We recommend that you enable this option only if all users in your system access Workfront through the identity provider.
  11. Select the Enable checkbox. Before doing this, make sure that users in your system are aware of the new login experience so that they do not lose access to the Workfront system.
  12. Click Test Connection.
    You should see a message telling you the connection is successful. 
  13. Click Save.

Using Other Identity Providers

When using identity providers other than Okta (such as Ping or Centrify), you must re-upload the Workfront metadata to your identity provider.

This article last updated on 2018-09-17 14:58:53 UTC