The Adobe Admin Console allows a system administrator to configure domains which are used for login via Federated ID for Single Sign-On (SSO). Once ownership of a domain has been demonstrated by use of a DNS token, the domain can be configured to allow users to log-in to Creative Cloud using e-mail addresses within that domain via an Identity Provider (IdP), either as a software service which runs within the company network and is accessible from the internet or a cloud service hosted by a third party which allows for the verification of user login details via secure communication using the SAML protocol.

One such IdP is OneLogin, a cloud-based service which allows users and apps to be configured for access via a web-portal. This document aims to provide the necessary details to configure OneLogin for use with Adobe SSO.


Before configuring a domain for single sign-on using OneLogin as the IdP, the following requirements must be met:

  • An approved domain within an existing directory on your Adobe admin console. The status of the directory in the Adobe Admin Console must be Configuration Required, or it can be an existing directory which has previously been configured.
  • An App created on the OneLogin web portal.

Download the security certificate from OneLogin

To set up SSO with OneLogin, follow the below steps:

  1. Sign in to OneLogin portal and navigate to Apps > Add Apps.

  2. Search for SAML Test Connector(Advanced), select and open SAML Test Connector (Advanced).

  3. Naviate to SSO and do the following:

    • Retrieve the X.509 Certificate.
    • Copy the Issuer URL - this will be the value for IDP Issuer.
    • Copy the SAML Endpoint URL - this will be the value for IDP Login URL.
    OneLogin SAML connector config

Configure OneLogin inside Adobe Admin Console

To Configure Single Sign-On for your domain, perform the below steps:

  1. To enter the required information for your IdP, use the Set Up Domain wizard in the Adobe Admin Console.

    • Upload the certificate that you retreived from the OneLogin portal.
    • For IdP Issuer, enter the  Issuer URL that you copied from the OneLogin portal.
    • For IdP Login URL, enter the SAML Endpoint that you copied from the OneLogin portal.
    • Set IdP Binding to HTTP - Post.
    • For User Login Setting, choose Email.
    Configure Single Sign-On
  2. Click Complete Configuration.

  3. To download the SAML XML Metadata file, click Download Metadata.

  4. In the Metadata file, locate the strings entityId and Location.

    Metadata file

Configure OneLogin

To set up SSO with OneLogin, follow the below steps:

  1. Return to SAML Test Connector (w/attr), and navigate to Configuration.

    • For Audience, enter the Entity ID copied from the metadata file.
    • For ACS URL, enter the Location copied from the metadata file.
  2. Navigate to Parameters.

    The OneLogin standard attributes shown as Email is actually the NameID.  However you will also need to create three additional custom parameters.

    OneLogin parameters
  3. Add the following custome parameters:

    • Email value = Email
    • First Name value  = FirstName
    • Last Name value = LastName


    Syntax must be exact for the entered attribute names.

    OneLogin Parameters 2
  4. Enable the check-box to force SAML assertion for each of the three fields.

  5. Return to the Adobe Admin Console, and click Activate Domain.

    Your domain is now active. You can start adding users, clicking Add Users.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy