The Adobe Admin Console allows a system administrator to configure domains and directories, which are used for login via Federated ID, for Single Sign-On (SSO).

Once ownership of a domain is demonstrated using a DNS token and it has been linked to a Federated ID directory, users who have email addresses within the claimed domain can log in to Creative Cloud via an Identity Provider system (IdP) after corresponding accounts have been created on the relevant Adobe Admin Console. 

The process is provisioned either as a software service that runs within the company network and is accessible from the Internet or a cloud service hosted by a third party that allows for the verification of user login details via secure communication using the SAML protocol.

One such IdP is WSO2-Ellucian Ethos, a cloud-based service which facilitates secure identity management.

The document aims to describe the process necessary to configure the Adobe Admin Console and The WSO2 Identity server to be able to log in to Adobe Creative Cloud applications and associated websites for Single Sign-On.

The IdP does not have to be accessible from outside the corporate network, but if it is not, only workstations within the network (or connected through VPN) will be able to perform authentication to activate a license or sign in after deactivating their session.


Before configuring a domain for single sign-on using WSO2 Identity Server, ensure that the following requirements are met:

  • An approved directory on your Adobe Admin Console set for Federated ID either awaiting configuration, or previously configured for another IdP
  • The relevant domain has been claimed within your federated directory
  • A WSO2 Server is installed.
  • The server is accessible from users' workstations (for example, through HTTPS)
  • Security certificate obtained from the Keystores
  • All Active Directory accounts to be associated with a Creative Cloud for Enterprise account have an email address listed within Active Directory.

Configure your directory on the Adobe Admin Console

  1. Navigate to WSO2 Identity Management Console.

  2. Save idP signing certificate (X.509) from list of Keystores.

    IDP Signing Certificate

    To configure single sign-on for your directory, enter the required information in your Adobe Admin Console.

  3. Upload the IdP certificate that you saved.

  4. In the IdP binding list, select HTTP - Redirect.

  5. In the User login setting list, select Email.

  6. Enter ethos as the IdP issuer.

    For example, ethos.xyz.edu or ethos.xyz.org or ethos.xyz.com 

  7. In the IdP login URL, enter https://ethos/<domain_name>/samlsso.

    For example, https://ethos.xyz.org/samlsso

    Configure Directory
  8. Click Save.

  9. To save the SAML XML Metadata file on your computer, click Download Metadata

  10. Select the I understand I need to complete the configuration with my identity provider check box.

  11. To finish configuration of your directory, click COMPLETE.

Register new service provider

To register a service provider, do the following steps:

  1. Go to the WSO2 Identity Server Management Console.

  2. On the WSO2 server, navigate to Identity > Service Providers > Add.

  3. In the Service Provider Name box, enter the required name.

  4. In the Description box, enter the description of the service provider.

  5. Click Register.

    WSO2 Identity Server
  6. Under Claim Configuration, do the following steps:

    Claim Configuration Bar
    1. Select the Define Custom Claim Dialect option.
    2. Add three Claim URIs attributes.
      1. Add the following Service Provider Claims values.
        • Email
        • First Name
        • Last Name
      2. Add the following Local Claim values.
        • http://wso2.org/claims/emailaddress
        • http://wso2.org/claims/givenname 
        • http://wso2.org/claims/lastname
    3. In the Subject Claim URI list, select Email.
    4. To save changes, click Update.
    Claim Configuration
  7. Open saved Adobe Metadata from Admin Console.

    Adobe Metadata
    1. Copy the entityID field value and keep it safe for the further use.
    2. Copy the Location field value and keep it safe for the further use.
  8. On the Register New Service Provider screen, navigate to Inbound Authentication Configuration > SAML2 Web SSO Configuration.

  9. To edit the service provider, in the Actions column, click the corresponding Edit link.

    SAML2 Web SSO Configuration
  10. Do the following steps:

    1. In the Issuer box, enter the entityID field value copied from the Adobe Metadata.

    2. In the Assertion Consumer URLs box, enter the location field value copied from Adobe Metadata, and click Add.

    3. In the NameID format box, enter urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

    4. In the Response Signing Algorithm and the Response Signing Algorithm lists, ensure the selected value ends with sha1.

    5. Select the Enable Attribute Profile and Include Attributes in the Response Always checkboxes. Click Update.



This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy