Workfront

PeggySe1 · 6/7/16

According to this bit of informaiton (https://support.workfront.com/hc/en-us/articles/217194907) you can set SSO to auto-provision new users if they exist in your LDAP but not in Workfront. My questions are: Is anyone using this and what has been your experience? Pros/cons? What attribute does it check to see if the user exists or not? I'm assuming the Federation ID but I cannot confirm that anywhere in Help, anyway. Thanks! :)

EricLu2 · 6/7/16

Hi: If you have no limit to the number of licenses you have, this might be interesting. I have to believe the setup work must be done - either in LDAP or in WorkFront. I suspect even if you use auto-provision, you‚Äö√Ñ√¥ll have to go into WorkFront and add/clean-up stuff for auto-provisioned users. No, we don‚Äö√Ñ√¥t use it. We have a fixed number of licenses. It might be neat to use for Business users (REVIEW license), but I didn‚Äö√Ñ√¥t see where you could autoprovision one type of user but not another. Let‚Äö√Ñ√¥s see if anyone autoprovisions. This will be an interesting discussion topic. Eric ________________________________

PeggySe1 · 6/8/16

I saw a reply to this outside of this thread, so I'm going to reply here to see if we can keep the conversation on the thread. I would hope that auto-provision would assign the user with a collaboration/reviewer license, then if needed, the admin would assign a paid license once the account was created. This is just an option that we're exploring at this point.

EricLu2 · 6/8/16

Hi: You can map an attribute in your LDAP to WorkFront. You edit the SSO settings, scroll down and select Attribute Mapping. You have to have loaded the XML DDL (I think that is what it is called) so that you can map the WorkFront Attribute Access Level to the attribute in your LDAP. You should map as many attributes as you can to reduce the admin work required after the ID is created. [cid:image001.jpg@01D1C160.070515D0] I‚Äö√Ñ√¥m sure you‚Äö√Ñ√¥ve already seen this help file entry, but for everyone else, the mapping of attributes is described here: https://support.workfront.com/hc/en-us/articles/217194907-Configuring-Workfront-with-SAML-2-0 They have examples of mapping attributes too. Hope this helps. Eric

NateBa · 6/8/16

Peggy, for some reason Eric's posts were posting outside the thread. I've moved them back in so that you (and others reading the conversation) don't get lost. Not sure why that happened. I'll keep an eye out for it as/if the conversation continues. In Reply to Peggy Settel:

I saw a reply to this outside of this thread, so I'm going to reply here to see if we can keep the conversation on the thread. I would hope that auto-provision would assign the user with a collaboration/reviewer license, then if needed, the admin would assign a paid license once the account was created. This is just an option that we're exploring at this point.

-Nate Bagley --- Workfront Community Manager - Work Smart, Work Happy Message me directly at:

EricLu2 · 6/8/16

I‚Äö√Ñ√¥m just hitting reply. Let me know if I need to do something different‚Äö√Ñ¬∂ Thanks, Eric

PeggySe1 · 6/9/16

Thanks Nate!

MeredithLa2 · 4/27/17

We're setting up SSO SAML 2.0 and I want to make it so that all users get a "reviewer" license by default but can't find any guidance on what this rule is looking for. How did you set up your rule?

SusanPf · 4/27/17

I just checked with this through Workfront Help and it is not possible. Response below: This feature is working per system design. If the Auto-provisioning is enabled the system is creating "Request" License type Users and no other License type. This is designed to prevent any actions which can change the workflow by new users. Thus it won't be possible to change it to be "Reviewers".

DillonFi · 4/27/17

We have this setup on our instance, we have licenses configured by job title giving everyone a reviewer license unless job title matches those that will need a plan/work license.

EricLu2 · 4/28/17

You would think that there would be a way to pass in an attribute that determines the license type. I think their code is designed without considering the real world use case. Pity. Eric

EricLu2 · 4/28/17

Since posting my comment below, I see another post by someone who has it figured out. Ahhh, very nice. Eric

PeggySe1 · 4/28/17

Responding my own thread here. :) We just (finally!) turned on auto-provision! We only map first and last names, and the email address of the user. It does set the user with a Request license, Requestor access level. I have a daily report of any new people with Requestor access level, and manually change them to Reviewer and put them in appropriate groups. This seemed the easiest why to do this and not overwrite an existing user's access level.

Workfront

Auto-provision users via SSO using SAML 2.0

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe