
Configure Adobe Workfront with SAML 2.0

IMPORTANT
The procedure described on this page applies only to organizations that are not yet onboarded to the Adobe Admin Console.
If your organization has been onboarded to the Adobe Admin Console, see Platform-based administration differences (Adobe Workfront/Adobe Business Platform).

As an Adobe Workfront administrator, you can configure the Workfront web and mobile applications to integrate with a Security Assertion Markup Language (SAML) 2.0 solution for single sign-on (SSO).

After you have configured SAML 2.0 in Workfront, as described in the following sections, you can maintain the configuration, as described in Update SAML 2.0 metadata in your identity provider.

Access requirements


You must have the following access to perform the steps in this article:

Adobe Workfront plan: Any

Adobe Workfront license: New: Standard, or Current: Plan

Access level configurations: You must be a Workfront administrator.

For more detail about the information in this table, see Access requirements in Workfront documentation.

Enable authentication to Workfront with SAML 2.0

  1. Click the Main Menu icon in the upper-right corner of Adobe Workfront, or (if available) click the Main Menu icon in the upper-left corner, then click Setup.

  2. Click System > Single Sign-On (SSO).

  3. In the Type drop-down list, select SAML 2.0.

  4. Near the top of the options that appear, click Download SAML 2.0 Metadata to download the file on your computer.

    Your SAML 2.0 Identity Provider requires an XML file with information generated in your Workfront instance. After downloading the file, you must access your SAML 2.0 Identity Provider server and upload the Workfront SAML 2.0 Metadata XML file there.

  5. Specify the following information in Workfront:

    Service Provider ID

    This URL, already populated for you, identifies Workfront to your identity provider. For example: <yourcompany>.com/SAML2.

    Binding Type

    Select the method supported by your IDP server for sending authentication information:

    • POST
    • REDIRECT
    Populate fields from Identity Provider Metadata

    In your SAML 2.0 Identity Provider solution, export a Service Provider Metadata XML file and save it to a temporary location on your computer. Select Choose File, then find and select the file you saved to add it to your Workfront configuration.

    Login Portal URL

    Enter your organization's common login portal. This is the URL where users log in to access Workfront and all other applications integrated with SAML 2.0.

    Sign-Out URL

    Enter the sign-out URL for the IDP server. Workfront sends an HTTP request to this URL before signing out of Workfront. This closes the user's session on the remote server when the Workfront session is closed.

    NOTE: You are redirected to the sign-out URL only if you have the option Only Allow SAML 2.0 Authentication enabled in your user profile.

    Change Password URL

    Specify the URL where users will be redirected to change their passwords.

    Because the SAML 2.0 credentials are used to access Workfront, users must be redirected to a page where they can change their SAML 2.0 password instead of completing this activity through Workfront.

    Secure Hash Algorithm

    Select the Secure Hash Algorithm (SHA) that your IDP supports:

    • SHA-1
    • SHA-256
    Auto-Provision Users

    This option automatically creates a user in the system when a new user with a directory username and password attempts to log in to Workfront for the first time.

    To create users in Workfront, you must map Workfront data attributes with the following user data attributes in your directory provider:

    • First Name
    • Last Name
    • Email Address

    When you select the check box, the following options display:

    Select the Workfront User Attribute that you want to map from the drop-down list, then specify the corresponding Directory Attribute in the user directory.

    The Directory Attribute field should contain the Directory Attribute Name from the User Attribute table you saved when successfully testing your SAML 2.0 configuration.

    You can set a Default Workfront Value in the Default Value field. You can also set rules based on the values from your SAML 2.0 Identity Provider.

    WARNING: Workfront re-applies the attributes listed below every time a user logs in to the system. For this reason we do not recommend mapping access levels: an incorrectly mapped attribute can easily remove administrative access. Click Add Mapping to add additional rules.

    You can map the following Workfront attributes:

    • Access Level
    • Address
    • Address2
    • Billing Per Hour
    • City
    • Company
    • Cost Per Hour
    • Email Address
    • Extension
    • First Name
    • Home Group
    • Home Team
    • Job Role
    • Last Name
    • Layout Template
    • Manager
    • Mobile Phone
    • Phone Number
    • Postal Code
    • Schedule
    • State
    • Timesheet Profile
    • Title

    Click Save when you are finished mapping user attributes.

    Certificate

    Upload a valid SSL certificate to ensure a secure connection between the authentication service and Workfront. For OnDemand accounts, a certificate is always required. You can obtain this certificate from your SAML 2.0 system administrator.

    Admin Exemption

    Allows Workfront administrators to access Workfront using their Workfront login. If this option is not selected, Workfront administrators must use their SAML 2.0 username and password.

    Workfront first attempts to log in to Workfront via SAML 2.0 for users with the Workfront System Administrator access level. If the SAML 2.0 authentication fails, Workfront uses local authentication for Workfront administrators.

    We recommend that you always have this option selected so that your Workfront administrator can log in to Workfront if your SAML 2.0 provider is ever temporarily unavailable.

    Enable

    Activates SSO on the Workfront system. Ensure that you have communicated login instructions to your users.

    After you enable your SSO configuration in Workfront, you must enable the Only Allow SAML 2.0 Authentication setting for all users so that they can use SSO.

    For more information about updating users for SSO, see Update users for single sign-on.

    For more information about user settings, see Edit a user's profile.

    Confirm Configuration

    Click Test Connection to verify that Workfront and the SAML 2.0 Identity Provider can communicate with each other. This connection is successful only if you exchanged the XML files.

    After you successfully test the link between your SAML 2.0 Identity Provider and Workfront, you will see a screen similar to the image below.

    NOTE: This screen is displayed in a browser pop-up, so ensure that you disable pop-up blockers in your browser.

    Save the information displayed in the table for later use.

  6. Click Save to save the SAML 2.0 configuration.
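The metadata exchange in step 4 and the Binding Type, Secure Hash Algorithm, Certificate and Auto-Provision Users settings in step 5 can be sanity-checked before anything is uploaded or Test Connection is clicked. The following script is an added example for this page, not Workfront code: it parses a constructed identity-provider metadata document (example.test URLs and a placeholder certificate value, neither of them real), reports whether the IdP actually advertises the chosen binding, whether the sign-on and sign-out URLs are HTTPS, whether a signing certificate is present and well-formed, and whether SHA-1 was chosen, and then validates an attribute-mapping table against the requirements and the Access Level warning above. The function names, the sample metadata and the wording of the findings are assumptions of this example; the binding URIs and metadata element names are the standard SAML 2.0 ones.

```python
"""Pre-flight checks for a Workfront SAML 2.0 setup (hypothetical helper written for
this page, not Workfront code). Reads the IdP metadata XML that Workfront populates its
fields from and checks it against the Binding Type, Secure Hash Algorithm and
Auto-Provision Users choices described above. Standard library only."""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# The two Binding Type choices Workfront offers, as SAML 2.0 binding URIs.
BINDINGS = {"POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "REDIRECT": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}
# Attributes the page says must be mapped before users can be auto-provisioned.
REQUIRED_FOR_PROVISIONING = {"First Name", "Last Name", "Email Address"}
# The Workfront user attributes the page lists as mappable.
MAPPABLE = {"Access Level", "Address", "Address2", "Billing Per Hour", "City", "Company",
            "Cost Per Hour", "Email Address", "Extension", "First Name", "Home Group",
            "Home Team", "Job Role", "Last Name", "Layout Template", "Manager", "Mobile Phone",
            "Phone Number", "Postal Code", "Schedule", "State", "Timesheet Profile", "Title"}

# Constructed sample IdP metadata: example.test URLs and a placeholder certificate
# value, not a real IdP and not a real X.509 certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"PLACEHOLDER-CERT-DER").decode()
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{BINDINGS['REDIRECT']}"
        Location="https://idp.example.test/saml2/slo"/>
    <md:SingleSignOnService Binding="{BINDINGS['POST']}"
        Location="https://idp.example.test/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract what the metadata upload populates: entity ID, sign-on and
    sign-out URLs keyed by binding, and the IdP's signing certificate(s)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor; this is not identity provider metadata")

    def services(tag):
        return {s.get("Binding"): s.get("Location") for s in idp.findall(f"md:{tag}", NS)}

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means both uses
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append((c.text or "").strip())
    return {"entity_id": root.get("entityID"), "sso": services("SingleSignOnService"),
            "slo": services("SingleLogoutService"), "signing_certs": certs}


def check_configuration(meta, binding_type, hash_algorithm):
    """Findings for the Workfront-side choices; an empty list means clean."""
    findings = []
    if BINDINGS[binding_type] not in meta["sso"]:
        findings.append(f"IdP advertises no HTTP-{binding_type} SingleSignOnService; "
                        "choose a Binding Type the IdP supports")
    for label, urls in (("Login Portal", meta["sso"]), ("Sign-Out", meta["slo"])):
        for url in urls.values():
            if not url.startswith("https://"):
                findings.append(f"{label} URL {url} is not HTTPS")
    if not meta["signing_certs"]:
        findings.append("no signing certificate in metadata; the Certificate field stays empty")
    for cert in meta["signing_certs"]:
        try:
            base64.b64decode(cert, validate=True)
        except binascii.Error:
            findings.append("signing certificate is not valid base64; re-export the metadata")
    if hash_algorithm == "SHA-1":
        findings.append("Secure Hash Algorithm is SHA-1; select SHA-256 if the IdP supports it")
    return findings


def check_attribute_mappings(mappings):
    """mappings: {Workfront User Attribute: Directory Attribute} from the Auto-Provision
    Users table. Flags unknown attributes, missing required ones, and Access Level."""
    findings = []
    for wf_attr in mappings:
        if wf_attr not in MAPPABLE:
            findings.append(f"'{wf_attr}' is not a mappable Workfront attribute")
    missing = REQUIRED_FOR_PROVISIONING - set(mappings)
    if missing:
        findings.append("auto-provisioning needs mappings for: " + ", ".join(sorted(missing)))
    if "Access Level" in mappings:
        findings.append("Access Level is mapped; it is re-applied at every login, so a wrong "
                        "directory value changes a user's access with no admin action")
    return findings
```

To use it on a real export, pass the contents of the IdP metadata file to parse_idp_metadata and feed the result to check_configuration with the Binding Type and Secure Hash Algorithm you intend to select; a non-empty findings list is a reason to fix the IdP side first rather than to debug a failing Test Connection afterwards. The mapping check reproduces the page's own rule that an Access Level mapping is re-evaluated at every login, which is why it is reported as a finding even though the attribute is mappable.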
