Single sign-on: Beneficial or hindering? Would love some pros and cons from those using it. Thx!

Level 3
We are thinking about using single sign-on but are concerned over losing the ability to have control over the timing and set-up of users. Does it also restrict the admin's ability to make changes to user levels? Thank you so much!
23 Replies

Level 10
Hi: We have been using SSO for just over three years. We just use SSO to speed people accessing WorkFront. We do not create IDs automatically. We create them all manually. We have, therefore, penultimate control over timing and setup of users. SSO has no impact whatsoever on the Admin’s ability to change anything. If you autocreate IDs, once they are created, then they are free for any admin to modify. The autocreate functionality is not synched with AD or anything that I know of - someone else might have more experience on that. Keep the questions coming! Eric

Level 3
Thank you for the feedback, Eric! :)

Level 2
Hi, we put SSO in very early in the implementation. This has been seamless even with the move to my.workfront. One comment I would make is that the two super system administrators have SSO turned off and we log in traditionally; this enables us some flexibility and control. My 2 pennies worth. Martin

Level 10
Hi: I am the System Admin - I can log in traditionally or I can log in through SSO. I just use a different URL to log in traditionally. I would definitely recommend it, as we had some SSO troubles on our side once and I could get in traditionally and do my thing. All other times, I enjoy the convenience and speed of SSO. Thanks! Eric

Level 10
Pros: the way we have SSO set up now restricts the user to only working in Workfront on their work laptop (which is good for us since the company I work for is security-conscious about that). It also allows for faster access to Workfront as they can bypass the login screen. Con: Every time we have an SSO-related failure, I get a spate of requests to reset passwords because nobody ever remembers their password. Our automatic password reset feature doesn't seem to work (and has never worked to my knowledge--it's just not a big priority for me to fix it). I wish I had an easy way to do a bulk reset for everyone in the system. ;-) PS: Addition of SSO also keeps us tied to our IT department, because the extra maintenance it may require is something only they can do.

Level 10
We implemented SSO over a year ago with auto-provisioning and it has worked beautifully. In addition, I created a License dashboard where I check daily to see if there are any new registrants, what licenses are allocated and what department.

Level 2
This is how we handle SSO here as well. It has only backfired once, which is when a user auto-created an account, but I had also set up an account, so we had two accounts for the same person, and projects submitted under both accounts. However, we were able to take care of it on the back-end relatively easily!

Level 10
Beneficial! We've been using SSO for several years and have not had any problem. It makes life easier for all our users. Susan

Level 9
Overall SSO I think is definitely a benefit - here's my feedback.

Pros: User management is much simpler - there is no resetting of passwords, the sign on is more seamless (no more having to remember where to logon), and you have a secondary security method of users being deactivated by your organization when terminated if you happen to have forgotten (or not received adequate notice from management).

Caveats: Unless you're a small company, you'll need to have your IT team get involved with WF's IT team...and that can be tedious. In addition, we had trouble getting the 'fields' to transfer over from our setup of 'manager' to WF. So since we have SSO setup, some of our fields are blank on users since WF can't figure out why it simply won't connect. Not a huge deal but...it's to be noted.

Cons: If you use ProofHQ/Workfront Proof - your SSO environment is not the same. Meaning, WF SSO and ProofHQ SSO are two different setups. We spent weeks trying to understand why we couldn't get our users to connect through SSO and WF Proof before someone on the back end realized.....oh right, since we purchased ProofHQ as a separate product they aren't on our SSO server (or something to that nature). So ProofHQ and SSO don't play nicely together.

I think SSO is worthwhile if you can make sure you are aware of the nuances to make it successful. The above are examples. Some others such as making sure external users are given a separate login page, and checking to be sure IDs don't have extra spaces - are just housekeeping issues.

Christina Jarosz

Level 10
Hi, Sarah! You'll need to create User reports and use Filters; also show them in chart form for better visual. I would strongly suggest you take the basic reporting classes Workfront provides. Example of filter: User - License - EQUAL - Plan, Work. (add Review and Requestor if need be) Example of filter: User - Home Group ID - EQUAL - (add your home group here) Does this help? Susan

Level 10
I would add another caveat to this most excellent list. When I set up a new person in advance of their first login I sometimes wind up with a duplicate account because of capitalization on their email address not matching the way I entered it. Therefore, to avoid this, I ask them to log in for the first time so WF recognizes them, and then I go in and set up their profile, and then they can start using it. The "invite to WF" isn't applicable, which would make it much easier to set up a new user. This is because we are inconsistent with capitalization (jilla vs JillA). And then, I can't use the feature to copy an existing user profile onto another existing user profile (this may be solvable but I can't see how.) Jill Ackerman

Level 2
Did you have to create a separate password for the traditional? And if so, how do you create or reset? We are having issues resetting passwords for users we have created because it is asking for our Workfront password which none of us know. We have always only used SSO. Thanks Rebecca Johnson Life Time Fitness, Inc.

Level 10
If the user isn't an SSO person they have a different login area (domain.my.workfront.com/login) and you can "invite" them via the People section, and they create their own password. Jill Ackerman

Level 2
Right but when they forget their password, it doesn't allow me to reset. It asks for my password to be able to reset their password and no one knows how to find what that password is. Using the SSO feature, the password isn't the same. Because of this I also can't log into Sandbox. Rebecca Johnson Life Time Fitness, Inc.

Level 5
This is great feedback! I'm project manager over Enhanced Authentication and there are changes coming to the system in the next year. Particularly that ProofHQ and Workfront as well as Community, Support, Training will have a single login even if you have SSO. Admins will click a button to send users a forgot password email instead of resetting passwords (and having to remember their Workfront password). Case-sensitive email addresses will be eliminated so JOHNSMITH@abc.com, JohnSmith@ABC.com, johnSmith@AbC.com, etc. will all work equally well. In the meantime, if you have forgotten your Workfront password and have SSO you can go to mycompany.my.workfront.com/login and click the forgot password link as long as the user is not set to require SSO. Melinda Layten Technical Project Manager - API and Integration Workfront

Community Advisor
Melinda, this is great to hear that the case-sensitive email addresses will be eliminated! Once we figured out the case-sensitive issue it hasn't been a problem. I'm fortunate to have access to our Active Directory so I can copy a new user's username from there and paste it into Workfront so I know I have the cases correct when I set them up. The only other issue we occasionally run into with SSO is when someone changes their last name. Sometimes they will have their last name updated but either not change their email address or IT forgets to update their user login in Active Directory. Or all the updates are made on that end, but they forget to let us know for Workfront. When I get an SSO user who says they can't get into Workfront, their username in Active Directory and their SSO ID in Workfront is the first thing I check to be sure they match.

Level 7
Hi Rebecca, I've run into this issue in the past, and if none of the admins know their Workfront password, the best option is to wait until after hours, open the SSO configuration page, uncheck the Enable button, save, in a new browser or private/incognito tab, open your Workfront URL, you'll be directed to the login page. From there, you can use Forgot Password, enter your email, reset your password, and once you're in, you can then go back and check the Enable box on the SSO configuration page. I've seen this all done in as little as 30 seconds, but it all depends on a few things... how fast you are, how fast your email servers receive and forward the email to you, and how fast your internet/browser is... Typically it takes under 2 minutes though, but that's why I also recommend doing it after normal business hours. The very worst case scenario is you may have a couple users that get to the login page and have no clue what to do for a few minutes. Once SSO is re-enabled, they just have to erase everything after the .com in the address bar, and it'll send them back through the SSO login process. Thanks! Dustin Martin Assigned Support Engineer Workfront

Level 5
Hi Melinda, Great to hear about the enhancements that are coming. One I'll have to figure out is the case-sensitive email fix. We have two WF instances here, and a small population need access to both. Since we use SSO on both instances, it would not allow the same user to exist in both instances. My hack was to do an all caps version of the users' email address in the second instance. Working like a charm for now. I'd be interested if you have any information on a better way to solve for this scenario, either now or after the mentioned enhancements. Thank you Brian Brian C. Mauger Bloomberg L.P.

Level 5
We are fixing the scope of the email uniqueness before the case sensitivity. In 19.2, email uniqueness will be enforced at the instance level instead of the cluster. So you can have the same email on each instance that you work with. No need for the case sensitive workarounds. This will work for everyone on existing Authentication as well as the Enhanced Authentication. You will need to ensure that you aren't using the same email address with different cases within an instance before you can roll to Enhanced Authentication. Melinda Layten Technical Project Manager - API and Integration Workfront
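
An added example, not part of any post above and not Workfront code: a pre-migration audit of a user export for the three identity problems raised in this thread (emails that differ only by case within one instance, IDs with stray spaces, and SSO IDs that do not exactly match the directory username). The CSV columns, the directory mapping and all sample values are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data; the column names are assumptions, not a Workfront schema.
USER_EXPORT = """instance,user_id,email,sso_id
prod,u1,JillA@example.com,JillA
prod,u2,jilla@example.com,jilla
prod,u3,john.smith@example.com,"john.smith "
prod,u4,susan@example.com,susan
second,u5,JOHN.SMITH@EXAMPLE.COM,john.smith
"""
# Constructed directory usernames, keyed by lower-cased email.
DIRECTORY = {
    "jilla@example.com": "JillA",
    "john.smith@example.com": "john.smith",
    "susan@example.com": "susan",
}


def normalize(value):
    """Trim whitespace and fold case so JillA and jilla compare equal."""
    return value.strip().casefold()


def audit(rows, directory):
    """Return findings as tuples: (kind, instance, subject, detail)."""
    findings = []
    by_email = defaultdict(list)
    for row in rows:
        key = normalize(row["email"])
        by_email[(row["instance"], key)].append(row["user_id"])
        for field in ("email", "sso_id"):
            if row[field] != row[field].strip():
                findings.append(("whitespace", row["instance"], row["user_id"], field))
        expected = directory.get(key)
        # Exact comparison: the thread reports the SSO ID match as case-sensitive.
        if expected is not None and row["sso_id"] != expected:
            findings.append(("sso_id_mismatch", row["instance"], row["user_id"], expected))
    # Uniqueness is scoped per instance, so the same email on two instances is fine.
    for (instance, email), ids in sorted(by_email.items()):
        if len(ids) > 1:
            findings.append(("case_collision", instance, email, tuple(ids)))
    return findings


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    for finding in audit(load(USER_EXPORT), DIRECTORY):
        print(finding)
```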