Single Sign-On (SSO) Email Notifications for Non-SSO Users

Hello - We just implemented single sign-on last night (SAML 2.0) and we've run across one seemingly random error that I wanted to ask the community's help with.

Our organization works with many users that are either freelancers or agencies - so they are not in our Active Directory and they cannot access anything using SSO, however they are given Worker licenses in Workfront in which to complete tasks we assign to them. Once we implemented SSO, it was brought to my attention that if one of these users clicks through ANY of the links in an email notification for a work item on which they've been assigned, they cannot access Workfront. They are taken to our SSO authentication page and can't go any further because they don't have a company User ID or password. Right now, they would need to log into Workfront via the non-SSO URL and access the notification in the upper right message center.

The engineer I am working with on this suspects this is on purpose, but we both agree that we can't seem to think WHY it should work this way when prior to SSO, these users could hop right into their work items via a generated email (after they logged in, of course).

Is anyone else dealing with this for their SSO implementations of Workfront or is there something I'm missing? Would love to hear your experiences with outside company users and SSO either way.

Angela Simon
CUNA Mutual Group

3 Replies

Hi: We have SSO and external users. The external users have to log in through the companyname.my.workfront.com/login method, then the links work. I think what happens is that if you click a link and are not already authenticated, Workfront defaults to using the SSO method for authenticating. It doesn't know whether to use SSO or the regular login screen for this particular link click.

I don't know any way around it... I'll be watching this thread carefully to see what I can learn.

Thanks!
Eric

We ran across a similar problem a couple of years ago, right after Workfront suddenly changed our certificate due to something expiring. Suddenly our external **reviewers** could not access their proofs (Workfront-integrated Proof) because they were getting hung up on the SSO page. We submitted a ticket and eventually after a long time, dev fixed it and rolled something out. We don't use external reviewers that often, so I'm unable to test and make sure this still works.

Have you contacted the helpdesk to see if this is how the system was intended to be used?

-skye

Hi Angela,

It sounds like they are using the attask-ondemand.com domain instead of the my.workfront.com domain that emails are set up to use. If they log in with https://yourcompanydomain.my.workfront.com/login their browser will cache their session based on your security settings in Setup. If they then click a link to an object from their email, and it directs to that browser, it should bypass the SSO login portal, as they already have an active Workfront session.

Please reach out to our Customer Care team to open a support ticket if you have an example where this is not working correctly, and our Support team will be happy to help you out.

Thanks!
Dustin Martin
Tier 2 Assigned Support Engineer
Workfront