Using Active Directory to map users into WF

My organization has thousands of potential clients who may need to submit requests to our marketing production unit. We are using SSO to authenticate our users. We would like to define 2 Active Directory groups to manage our users.

AD Group 1: All production staff, product managers, system admins, leadership, etc. This group has a variety of Access Levels to which anyone could be assigned. We would like to manually manage these Access Level assignments.

AD Group 2: Everyone else. This group would authenticate into WF and automatically map Access Level = Reviewer.

Though not a networking expert, my goal is a process such as... User visits domain.workfront.com. If they are found in AD Group 1, they are authenticated into WF without any Access Level mapping. They are assigned whatever Access Level we have manually assigned in WF. If they are NOT in AD Group 1, they are passed to AD Group 2. If there, they are authenticated into WF and mapped to Access Level = Reviewer. They can then navigate WF with Reviewer access.

My IT contact suggests this isn't possible, because AD can either map EVERYONE or NO ONE. I'd like a second opinion. Has anyone configured their SSO/AD as I hope to do so?

Steve Teitelbaum
Federal National Mortgage Association (Fannie Mae)
1 Reply

Yep, you don't map the Access Level at all. If no Access Level is mapped in an autoprovision situation, the new user is given the first alphabetical requestor Access Level. They are also mapped into the first alphabetical top-level group. I usually create an "All Requestors" Access Level and Group to be that first alphabetically, and assign that group a very simple layout with very limited visibility to only the public request queues.

One oddity I've seen is that there is some type of delay in updating the group/access level list, in that a new/renamed group is not always picked up with an immediate login test, but it works fine the next day. This is an observation from my consultant days and I haven't investigated the code behind it, so results may vary.

Users with existing Access Levels are unchanged, so no need to do anything in AD. Note that SAML 2.0 is the preferred SSO communication protocol.

Melinda Layten
Technical Project Manager - API and Integration
Workfront
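The reply's provisioning rule is easy to get wrong in practice, because the landing Access Level and Group are chosen by sort order rather than by an explicit SAML attribute. The following Python model is an added example, not Workfront code and not from either poster; it assumes the behaviour exactly as the reply describes it (existing users untouched, unmapped new users get the first-alphabetical requestor Access Level and first-alphabetical top-level group) and uses constructed names so the effect of the "All Requestors" naming trick, and of getting it wrong, can be checked before anyone logs in.

```python
"""Model of SSO autoprovisioning as described in the reply above.

Assumption (not product code): when the IdP assertion carries no Access Level,
a brand-new user receives the alphabetically first *requestor* Access Level and
is placed in the alphabetically first top-level Group. Existing users keep
whatever was assigned to them manually. Names below are constructed examples.
"""
from dataclasses import dataclass, field


@dataclass
class AccessLevel:
    name: str
    is_requestor: bool  # only requestor-type levels are eligible as a default


@dataclass
class Tenant:
    access_levels: list
    top_level_groups: list
    users: dict = field(default_factory=dict)  # email -> (access level, group)


def _first_alpha(names):
    # Case-insensitive alphabetical order; the first entry is the landing spot.
    return sorted(names, key=str.casefold)[0]


def default_landing(tenant):
    """Where an unmapped new user will land: (Access Level, Group)."""
    requestor_levels = [a.name for a in tenant.access_levels if a.is_requestor]
    return _first_alpha(requestor_levels), _first_alpha(tenant.top_level_groups)


def autoprovision(tenant, email, mapped_access_level=None):
    """Resolve a user at SSO login and return their (Access Level, Group).

    Existing users are returned unchanged (the reply's key point: nothing in AD
    needs to change for them). New users get the mapped level if the IdP sent
    one, otherwise the alphabetical default.
    """
    if email in tenant.users:
        return tenant.users[email]
    level, group = default_landing(tenant)
    if mapped_access_level is not None:
        level = mapped_access_level
    tenant.users[email] = (level, group)
    return tenant.users[email]


def landing_is_restricted(tenant, restricted_level, restricted_group):
    """Check that the defaults really point at the intended low-privilege pair.

    This is the check to run whenever Access Levels or Groups are added or
    renamed, since a new name sorting earlier silently changes the landing.
    """
    return default_landing(tenant) == (restricted_level, restricted_group)


def build_example_tenant(group_name="All Requestors"):
    # Constructed tenant: one existing staff user, the rest will autoprovision.
    tenant = Tenant(
        access_levels=[
            AccessLevel("Planner", is_requestor=False),
            AccessLevel("Reviewer", is_requestor=True),
            AccessLevel("All Requestors", is_requestor=True),
        ],
        top_level_groups=["Marketing Production", group_name],
    )
    tenant.users["steve.example@example.com"] = ("Planner", "Marketing Production")
    return tenant


if __name__ == "__main__":
    good = build_example_tenant()
    print("default landing:", default_landing(good))
    print("existing user  :", autoprovision(good, "steve.example@example.com"))
    print("new user       :", autoprovision(good, "client@example.com"))
    # Renaming the catch-all group so it no longer sorts first moves new users
    # into the production group instead, which is exactly what to guard against.
    bad = build_example_tenant(group_name="Requestors Only")
    print("misnamed group :", default_landing(bad))
```

Run this after each change to Groups or Access Levels: if `landing_is_restricted` turns false, a rename has moved the default landing spot for every future autoprovisioned user, which matches the reply's warning that the list is only picked up after a delay and is worth re-testing the next day.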