Workfront Fusion Service Accounts in Adobe Admin Console

Level 2

We are migrating to Admin Console early next year. We have accounts in Workfront with admin access level that we use as Fusion connections because we can manage the logins locally.

 

However, once we transition to Admin Console we will need actual email addresses (external or federated through my company) so that we can leverage them as service accounts in Fusion. I see three options:

  1. Create email addresses (e.g., Gmail) outside my company's network, add them to Admin Console as Adobe IDs, and use them as connections - this goes against my company's security policy
  2. Create federated email addresses that can log in via SSO and represent a service account (e.g., workfront@[companydomain].com)
  3. Create OAuth2 connections between Fusion and my Workfront instance

Does anyone have any experience with this, and a recommended approach?

6 Replies

Level 10

We set up a service account this past year and were already moved to the admin console. When I collaborated with my IT team on this, they recommended setting up a federated email address to be added to the admin console.

 

When I was ready to use this email for my scenarios, I had to set up an OAuth 2 connection. Getting OAuth 2 to sync with the email address took some time. I ended up working in an incognito window and needed the SSO credentials for the email address from IT to make it work. Check out this community post:

https://experienceleaguecommunities.adobe.com/t5/workfront-questions/having-trouble-using-oauth2-con...

 

Overall, we have been using our service account without any issues for the last 7 months with this setup.

Level 2

Thanks Kiersten! When you used the OAuth2 connection, were you still able to use the Workfront modules with drag and drop mapping, or did you have to do customized HTTPs modules for everything?

Level 10

I want to say yes because a majority of our scenarios do not have an HTTPs module in them. I attempted to look for documentation but could not find a clear answer. I would recommend checking with support to validate.

Community Advisor

I would recommend going with 2; this is what I typically recommend. You do need to actually be able to authenticate as that user, and once you get the connections set up it's no different than how it works today. You just have to actually be able to log in as the user to create the connection.

Community Advisor

We use no. 2, as already mentioned by a few.
And to reiterate, you need to be able to log in using service accounts, so a password is required, and in our case this comes with MFA, and someone has to set this up and own that.

Level 5

We had a similar issue but had to go a different route. We've used a shared vanity email mailbox for our main service account. This isn't a separate SSO-and-MFA-verified account. Because of this, we couldn't use the standard FedID setup. Nor did we want to change this up; we've used this service account since we started with WF about four years ago.

 

When we went to AAC, we had the misfortune of not being able to log into this account to create new connections for new Fusion teams. What we ended up doing was temporarily removing the account from AAC. We then changed the account from FedID to AdobeID. We created a new Adobe ID account for the service account, which linked back up to the existing WF account. That way, we can log in as our service account to create these new connections.

 

This is an older thread, but figured I'd spread what we did in case it's useful for others.

 

-j