Here are my notes:
Workfront considers the host SSO system to have the correct information. If information is maintained in both systems, the SSO system will always overwrite Workfront information on every log-in.
To prevent needing to set up all of the users' groups and access levels, you can set up your groups and access levels so that the first alphabetically becomes the default. For access levels this is the first REQUEST access level that is in your list. This listing doesn't seem to update right away, so set up these groups/access levels at least a day before doing testing.
For groups it's the first public group (not subgroup). All Requestors or All Employees should be good names; make sure everything else is later alphabetically.
Make sure this group defaults to a very simple layout template for requesters. You do not want the first impression of Workfront to be overwhelming. One request queue that should exist is -> Request More Access, with an option on it: "Where did all of my Workfront information go?" This is for any user that accidentally gets a new account created.
First Name is another tricky field. There are 4-5 common codings for first name, like First Name, firstname, givenname, name. If your mapping isn't correct, the first name is likely to be filled in with the username, which is often a mix of alphanumeric characters, like mlay0001 or h100120, and most people don't respond well to that 🙂 If you see this happen, have the access administrator check exactly what field is being sent to Workfront.
Less is more with mappings. If possible only map first name, last name, email address and leave everything else as defaults. Each new mapped field increases the possibilities for errors. If however you have access to a good, accurate directory, map away! But remember everything mapped overwrites everything in Workfront. Since first name is required this removes any nicknames!
When auto provisioning is on, users that have a misspelling or other error in their user ID will have a new account created. It may even happen with capitalization changes. If an existing user suddenly gets a blank/reset account, check for a duplicate account! This is one case where you will want to delete the new account and fix the user ID in the old account. "Log in as" can be misleading here, as you might be looking at a different account. This is a great time to use Zoom and verify!
Admin exemption should be maintained for at least one administrator and probably a backup! Things happen with SSO, and someone needs to be able to fix any settings if a certificate accidentally expires or an SSO error occurs. Remember that if a user can't log in to the system, verify whether they can log into other SSO systems before assuming it's a Workfront problem.
Once SSO is on, the domain.my.workfront.com URL will resolve to the SSO system. domain.my.workfront.com/login will provide backdoor access for those with the admin exemption or specifically excluded from SSO such as vendors.

--
Melinda Layten, Senior Consultant Work Management Improvement
CapabilitySource - 2018 Workfront Services Partner of the Year
Phone: (484) 505-6855
site: www.capabilitysource.com
email: melinda.layten@capabilitysource.com
- we simplify your work so you can run your business -
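
An added example, not part of the original post and not Workfront code: a Python check over a constructed user export that flags the two symptoms described in the notes above, a second account auto-provisioned from a changed user ID and a first name filled in with the username. The field names (`sso_id`, `first_name`, `email`) and the sample rows are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample export. Field names are assumptions for illustration,
# not Workfront's schema.
USERS = [
    {"sso_id": "mlay0001", "first_name": "Mel", "email": "m.lay@example.com"},
    {"sso_id": "MLAY0001", "first_name": "MLAY0001", "email": "m.lay@example.com"},
    {"sso_id": "jsmith", "first_name": "Jo", "email": "jo.smith@example.com"},
    {"sso_id": "jsmiht", "first_name": "Jo", "email": "Jo.Smith@example.com"},
    {"sso_id": "h100120", "first_name": "h100120", "email": "h.quinn@example.com"},
    {"sso_id": "apatel", "first_name": "Asha", "email": "asha.patel@example.com"},
]

def _norm(value):
    # Ignore case and stray whitespace, the kind of change that splits an account.
    return value.strip().casefold()

def duplicate_candidates(users):
    """Return (reason, ids) pairs for accounts that likely belong to one person."""
    by_id, by_email = defaultdict(set), defaultdict(set)
    for u in users:
        by_id[_norm(u["sso_id"])].add(u["sso_id"])
        by_email[_norm(u["email"])].add(u["sso_id"])
    findings = []
    for ids in by_id.values():
        if len(ids) > 1:
            findings.append(("id differs only by case/whitespace", sorted(ids)))
    for ids in by_email.values():
        # Same mailbox under IDs that do not normalise to one value: likely a typo.
        if len({_norm(i) for i in ids}) > 1:
            findings.append(("same email, different id", sorted(ids)))
    return sorted(findings)

def username_as_first_name(users):
    """Return IDs whose first name equals the username (first-name mapping miss)."""
    return sorted(u["sso_id"] for u in users
                  if _norm(u["first_name"]) == _norm(u["sso_id"]))

if __name__ == "__main__":
    for reason, ids in duplicate_candidates(USERS):
        print(f"possible duplicate ({reason}): {', '.join(ids)}")
    for sso_id in username_as_first_name(USERS):
        print(f"first name looks like a username: {sso_id}")
```

Running a check like this after the first day of SSO testing gives the administrator a short list to verify by hand before deleting anything.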