Overview

The Adobe Admin Console allows a system administrator to configure domains that are used for login via Federated ID for Single Sign-On (SSO). Once ownership of a domain has been demonstrated by use of a DNS token, the domain can be configured to allow users to log in to Creative Cloud using e-mail addresses within that domain via an Identity Provider (IdP). The IdP can be either a software service which runs within the company network and is accessible from the internet, or a cloud service hosted by a third party, and allows user login details to be verified via secure communication using the SAML protocol.

One such IdP is OneLogin, a cloud-based service which allows users and apps to be configured for access via a web portal. This document aims to provide the necessary details to configure OneLogin for use with Adobe SSO.

Prerequisites

Before configuring a domain for single sign-on with OneLogin via the Adobe Admin Console, the following requirements should be met:

  • Domain has been claimed in the Adobe Admin Console, showing it as "Active" in the "Domain Status" column
  • A subdomain has been claimed within the OneLogin portal

Configuration

SAML Connector

1. Access the OneLogin web portal and log in with your corporate account details

2. Go to Apps > Add Apps

3. Search for “SAML Test Connector”

4. Select SAML Test Connector w/Attributes

5. Open the “SAML Test Connector” 

6. Go to the SSO menu 

7. Retrieve your certificate via X.509 Certificate  

8. Copy the Issuer URL - this will be the value for IDP Issuer 

9. Copy the SAML Endpoint URL - this will be the value for IDP Login URL

Adobe Admin Console

1. Access the Adobe Admin Console - https://adminconsole.adobe.com/enterprise

2. Go to Identity, then click on the domain to configure SSO settings

3. Paste the Issuer URL value into the IDP Issuer field

4. Paste the SAML Endpoint value into the IDP Login URL field

5. Upload your IDP certificate 

6. Complete the remaining settings and Save 

7. Click Download Metadata file

NOTE: The metadata file contains the Entity ID and ACS values

OneLogin Application Details

1. Within the OneLogin application details, enter the Entity ID found in the exported Adobe Metadata file in the Audience field. 

2. Enter the Assertion Consumer Service (“ACS”) value found in the exported Adobe Metadata file in the Recipient and ACS (Consumer) URL fields.
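
The two values above can be read out of the exported metadata file instead of being copied by hand. The following is an added example, not code from Adobe or OneLogin: it parses a standard SAML 2.0 SP metadata document and maps its values to the OneLogin fields named in these steps. The function name `onelogin_fields` and the sample metadata (with placeholder URLs) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample; the URLs are placeholders, not real Adobe values.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml/metadata/PLACEHOLDER">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs/PLACEHOLDER"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def onelogin_fields(metadata_xml: str) -> dict:
    """Map SP metadata values to the OneLogin fields named in the steps above."""
    # SAML metadata needs no DTD; refuse one instead of expanding entities.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("metadata contains a DTD, refusing to parse")
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute is missing")
    path = f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService"
    posts = [e for e in root.findall(path) if e.get("Binding") == POST_BINDING]
    if not posts:
        raise ValueError("no HTTP-POST AssertionConsumerService found")
    # Prefer the endpoint flagged isDefault, otherwise the lowest index.
    posts.sort(key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))
    acs = posts[0].get("Location", "")
    if urlparse(acs).scheme != "https":
        raise ValueError(f"ACS URL is not https: {acs!r}")
    return {"Audience": entity_id, "Recipient": acs, "ACS (Consumer) URL": acs}


if __name__ == "__main__":
    for field, value in onelogin_fields(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

Recipient and ACS (Consumer) URL receive the same value, so a mismatch between them in the OneLogin application details indicates a copy error.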

OneLogin parameters

1. The OneLogin standard attribute shown as Email is actually the NameID. However, you will also need to create three additional custom parameters.

2. Go to the Parameters menu and add the following custom parameters:

  • Email value = Email
  • First Name value = FirstName
  • Last Name value = LastName

NOTE: Syntax must be exact for the entered attribute names

3. Tick the box to force SAML assertion for each of the three fields

4. Test with newly created users and existing users

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
