
Navigating Workfront Admin Console migration in a large enterprise


Level 7

If you are in a large company where different departments separately purchased products that each group manages separately, and you all enable SSO for your products, how has your Workfront migration gone or how is it going? Our migration to SSO has been fraught - to put it mildly -  as the architecture of the Admin console places some serious limitations on our ability to manage our sensitive Workfront information independently --- far from the prying eyes of unrelated departments with whom we're suddenly forced to share the console. 

 

I've already created a related submission under the Ideas forum, so I won't re-hash everything, but if you are experiencing similar pains at your company, I ask that you cast a "Like" for my idea in order for it to gain traction and help others who still have to complete their migration. And to summarize, here are our pain points with the ongoing Adobe Admin Console migration:

We've learned the following from the Adobe reps who have been working with us on the migration: 

 

  • all products that require SSO must share a console if they are on the same domain

 

  •  the first product team members that migrate their product over to the console arbitrarily become global admins of the console and the de-facto owners of the domain (!!)
    1. they must then give approval via the console for any additional products added to the console to use the domain for SSO or any additional
    2. if Workfront gets added to the console after another product, the global admins get to decide if a Workfront admin gets to become a global admin of the domain. The Workfront team in this scenario has no say in whether the global admins can create accounts for themselves to access the sensitive data inside of Workfront. 

 

  • any Workfront user who will log into the console via SSO must first be created at the root or "global" level of this console before they can be added to Workfront. If Workfront admins are not granted roles as global admins (because again, this is at the discretion of the first product team who completed their migration) then the Workfront team has to request that the global admins add the new users first in their area of the console.


In our case, the first product owners had a really rough time with migrating to the admin console because their SSO implementation caused an outage and disruption, so they're understandably reluctant to grant the approval for Workfront to use the domain for SSO implementation. (Now that they have SSO working for them, they don't want to do anything that would destabilize their implementation.) Furthermore, they don't want to proceed until my team lays out documentation of our administrative processes to essentially prove to them it's safe to share a console with us. And finally, neither of our teams really wants to proceed with sharing a console until we mutually hammer out a governance plan for sharing one that includes roles, responsibilities, escalation paths and what happens when new groups on-board the console with new products or product instances.

So with all this, my Workfront team has lost agency to move forward with our own migration. We're beholden to another department that we've never had a valid business reason to collaborate with. The migration has created a great deal of work for us with no tangible benefit to our operations. Our data will soon become far less secure. The autoprovisioning user experience is going to worsen. And with the added overhead of having to coordinate with this other busy team, we do not feel we are at all close to the end of a successful console migration.

Has your company had any similar experiences? We couldn't possibly be the only company with separate groups managing their own Adobe products who suddenly got thrown into the same console. I do wonder if this scenario was at all considered when the console was designed and if somebody at Adobe decided that this likelihood would be a trivial matter for their customers to resolve. It is definitely not a trivial matter on our end.


5 Replies


Level 7

I didn't complete my sentence in bullet point "1." above. I think what I intended to say was

"they must then give approval via the console for any additional products added to the console to use the domain for SSO or and create any additional users of the products who will be using SSO if they're not yet created at the root level."

 

I'd also like to respond preemptively to any questions that may come up as to whether or not my company has a Global IT department that can become the "neutral" owners of the domain/admin console resources. The answer to that is yes, but in a company as large as ours, doing anything through Global IT is a long road to set up, and it will slow down my team's responsiveness to user incidents, taking us 5 times as long to resolve user issues. The original attraction to Workfront was that it would be nice and simple for my small Informatics group to manage on our own. Plus we could ensure tight information security. If we leave Workfront user administration to the folks thousands of miles away in Global IT who often outsource their staff and are impersonal to the data, there is no telling who may get their hands on our users' confidential/valuable information. 


I look forward to this discussion to hear how your company's migration has gone for you if your company is as complex as ours. I realize it sounds like I'm just complaining, but we sincerely are looking for solutions at this point. 


Level 4

Hi Mylah,

 

It was interesting to read your thread. We are almost through the migration and it has taken a while. I feel that there has been something really amiss with the migration - whereas usually Adobe are all over it.

 

The Adobe Console with us is managed by several system admins and as a Workfront System Admin I will also become one. We will all just do our own product (though we do have a lead).

 

Under advice from Adobe and our understanding - my team have provisioned everyone in the company in one Workfront group in the console so that they can access the system using SSO (as we need anyone to be able to access the tool to send in requests and a much smaller number to be able to have licenses) - and once someone has accessed Workfront we can assign them to a different group if needed (i.e. Project Owner / Team Member) WITHIN WORKFRONT (not the Adobe Console as that is too messy). In the main everyone will stay in the original group - and the smaller number will be updated. Does that help? A big caveat is that we have not migrated our users yet - that is the next & final stage.

 

My concern is that at the moment all users access the system using SSO and Workfront opens straight away to the homepage. After the migration the first time people access it they will get a log-in page which is not user friendly. There should be a button on that page that says 'click here as your organisation uses SSO' - they must be able to determine who is SSO and who isn't.

 

 

Let me know your thoughts.

 

Em

 

 


Level 7

Thank you for sharing your experience so far. I am eager to hear (good things I hope) about when you flip the switch for your users. 

 

Regarding the decision to provision "everyone in the company in one Workfront group in the console so that they can access the system using SSO", were you able to set that provision globally in one setting, or did you have to add every single user by name to that Workfront group?

 

Since my team does not yet have access to the Admin Console, while we wait for the other product team to feel comfortable enough to give us access to the console, would it be possible for you to share a screenshot - with your sensitive info blinded, and only if you have time - of where you set that configuration for all users? I'm curious if that will work for our users, as we have a hybrid model where some of our users are internal (SSO) and others are external partners from outside our domain.

 

I wish you continued success with your migration. 


Level 4

My organization hasn't migrated yet, but we're in a similar boat where we likely won't have full control of Admin Console after migration, and will be relying on another department to manage users for us. Replying to keep tabs on others' experiences. Thank you!


Level 3

After two years working on this, we still haven't migrated. One of the chief issues is that Adobe keeps giving us incomplete or incorrect information.

On our first call with a migration specialist, they literally said "we can go ahead and migrate you, it will be fine." We insisted on more details and it turned out that if we had agreed it would have taken down Workfront, Marketo, and Adobe Sign for our entire company. 

There has also been a long-running trend of being told about a NEW roadblock with every call we have with them. We know we are running out of runway and that eventually they will move us whether or not we are ready, but we still have zero confidence that it won't take our apps down.