Overview

The Adobe Admin Console allows a system administrator to configure domains that are used for login via Federated ID for Single Sign-On (SSO). Once ownership of a domain has been demonstrated using a DNS token, the domain can be configured to allow users to log in to Creative Cloud. Users then log in with email addresses within that domain through an Identity Provider (IdP). The IdP is either a software service that runs within the company network and is reachable from the Internet, or a cloud service hosted by a third party; in both cases it verifies the user's login details and exchanges them with Adobe over the SAML protocol.

One such IdP is Microsoft Active Directory Federation Services, or AD FS. To use AD FS, a server must be configured that is accessible from the workstations on which users will be logging in, and that has access to the directory service within the corporate network. This document describes the steps necessary to configure the Adobe Admin Console and a Microsoft AD FS server so that users can log in to Adobe Creative Cloud applications and associated websites with Single Sign-On.

The IdP does not have to be accessible from outside the corporate network, but if it is not, only workstations within the network (or connected via VPN) will be able to authenticate to activate a license or to sign in again after their session has been deactivated.

Prerequisites

Before configuring a domain for single sign-on using Microsoft AD FS, the following requirements must be met:

  • An approved domain for your Adobe organization account. The status of the domain in the Adobe Admin Console must be Configuration Required.
  • An AD FS server installed with a compatible version of Microsoft Windows Server and the latest operating system updates, accessible from users' workstations (for example, via HTTPS).
  • The security certificate obtained from the AD FS server.
  • All Active Directory accounts to be associated with a Creative Cloud for Enterprise account must have an email address listed within Active Directory.

Download the Signing Certificate

To download the signing certificate from the AD FS 2.0 Management application, perform the following steps:

  1. In the Certificates view of the AD FS 2.0 Management application, select the Token-signing certificate. To open the certificate properties window, click View Certificate.

  2. On the Details tab, click Copy to File, and use the wizard to save the certificate as Base-64 encoded X.509 (.CER). This format is equivalent to a PEM format certificate.

    [Screenshot: AD FS certificate export wizard]
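The same export can be scripted on the AD FS server, which is useful when the token-signing certificate is rolled over and the Admin Console has to be updated with the new one. The following PowerShell is an added example, not part of the original page or of Adobe's documentation; it assumes the AD FS cmdlets are available (Import-Module ADFS on Windows Server 2012 and later, Add-PSSnapin Microsoft.Adfs.PowerShell on AD FS 2.0) and the output path C:\Temp\adfs-token-signing.cer is an assumption. It writes the primary token-signing certificate in the same Base-64 X.509 format the wizard produces, and also prints the Federation Service identifier and default login URL that the Admin Console setup in the next section asks for.

```powershell
# Added example: export the primary AD FS token-signing certificate as Base-64 X.509
# and print the values the Adobe Admin Console "Set Up Domain" wizard needs.
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS   # AD FS 2.0: Add-PSSnapin Microsoft.Adfs.PowerShell

$outFile = 'C:\Temp\adfs-token-signing.cer'   # assumed destination path

# Only the primary token-signing certificate signs assertions; the secondary one
# exists during a rollover and is not yet what Adobe must trust.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
           Where-Object { $_.IsPrimary }

# DER bytes -> Base-64 with PEM armor, equivalent to the wizard's "Base-64 encoded X.509"
$der = $signing.Certificate.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [System.Convert]::ToBase64String(
    $der, [System.Base64FormattingOptions]::InsertLineBreaks)
@('-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----') |
    Set-Content -Path $outFile -Encoding Ascii

# Record thumbprint and expiry so a pending rollover is noticed before logins fail
"Exported   : $outFile"
"Thumbprint : $($signing.Thumbprint)"
"Not after  : $($signing.Certificate.NotAfter)"

# Values for the Admin Console: IDP issuer URL is the Federation Service identifier,
# IDP login URL is the AD FS passive endpoint on the service host name.
$props = Get-AdfsProperties
"IDP issuer URL : $($props.Identifier)"
"IDP login URL  : https://$($props.HostName)/adfs/ls/"
```

Compare the printed thumbprint with the one shown in the AD FS Management Certificates view before uploading the file; after a certificate rollover the Admin Console will keep trusting the old certificate until the new file is uploaded, so logins fail silently from the user's perspective.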

Configure Adobe Admin Console

To configure Single Sign-On for your domain, enter the required information using the Set Up Domain wizard in the Adobe Admin Console.

  1. Upload the certificate that you saved in the previous step.

  2. Select HTTP-REDIRECT as the IDP binding.

  3. Leave the User Login Setting as Email address.

  4. Copy the IDP issuer URL from the Federation Service Properties window on the AD FS server, under Federation Service identifier. The value entered in the Admin Console must match this identifier exactly.

    For example, http://adfs.example.com/adfs/services/trust

    This address does not have to be externally accessible.

  5. Determine the IDP login URL. By default, for Microsoft AD FS, this address takes the following form:

    https://adfs.example.com/adfs/ls/

  6. Click Complete configuration.

  7. To save the SAML XML Metadata file on your computer, click Download Metadata. Use this file to configure your SAML integration with AD FS.

  8. Click Activate Domain.

    Your domain is now active.

Configure the AD FS server

To configure SAML integration with AD FS, perform the following steps:

Caution:

All subsequent steps must be repeated after any change to the values in the Adobe Admin Console for a given domain.

  1. Copy the metadata file to the AD FS server.

  2. Create a new Relying Party Trust on the AD FS server using the metadata file obtained from the Admin Console.

    [Screenshot: Select data source]
  3. Using the Edit Claim Rules wizard, add a rule using the template Send LDAP attributes as Claims for your attribute store, mapping the LDAP Attribute E-Mail-Addresses to Outgoing Claim Type E-Mail Address.

    [Screenshot: Select rule template]
    [Screenshot: Configure rule]
  4. Again using the Edit Claim Rules wizard, add a rule using the template Transform an Incoming Claim that converts incoming claims of type E-Mail Address to the Outgoing Claim Type Name ID, with Outgoing Name ID Format set to Email, passing through all claim values.

    [Screenshot: AD FS Transform incoming claim 1]
    [Screenshot: AD FS Transform incoming claim 2]
  5. Using the Edit Claim Rules wizard, add a rule using the template Send Claims Using a Custom Rule containing the following rule:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("Email", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);

    [Screenshot: Select rule template]
    [Screenshot: Configure rule]
  6. Modify the properties of the Relying Party Trust entry for the domain you are using with the Adobe Admin Console, and on the Advanced tab select SHA-1 as the Secure hash algorithm.

    [Screenshot: Adobe SSO Properties]
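Steps 2 through 6 can also be applied with the AD FS PowerShell cmdlets, which makes the "repeat after any change" caution above a matter of re-running a script rather than clicking through the wizards again. The block below is an added example, not code from the original page or from Adobe; the trust name 'Adobe SSO' and the metadata path C:\Temp\adobe-saml-metadata.xml are assumptions, and the first two rules are written out in the form the Send LDAP Attributes as Claims and Transform an Incoming Claim templates generate, with the custom rule copied from step 5. It also adds an issuance authorization rule, because a trust created from PowerShell has none and AD FS denies every sign-in to it until one exists, and finishes by reading the trust back so the algorithm and rule count can be checked.

```powershell
# Added example: create and configure the Adobe Relying Party Trust from the
# metadata file downloaded in the Admin Console, then verify the result.
Import-Module ADFS   # AD FS 2.0: Add-PSSnapin Microsoft.Adfs.PowerShell

$trustName = 'Adobe SSO'                         # assumed display name
$metadata  = 'C:\Temp\adobe-saml-metadata.xml'   # assumed path of the downloaded metadata

# Step 2: the metadata carries Adobe's entity ID, assertion consumer URL and certificate
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataFile $metadata

# Steps 3-5: issuance transform rules, in the order the page lists them
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send E-Mail-Addresses as E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address to Name ID (Email format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleName = "Adobe custom rule (step 5)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("Email", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# The GUI wizard adds "Permit access to all users" for you; PowerShell does not.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 6: SHA-1 as the page specifies; AD FS otherwise defaults new trusts to SHA-256
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# Verify what AD FS actually stored before testing a login
$rpt = Get-AdfsRelyingPartyTrust -Name $trustName
$rpt | Select-Object Name, Enabled, Identifier, SignatureAlgorithm
$rpt.SamlEndpoints | Select-Object Protocol, Binding, Location
$ruleCount = ($rpt.IssuanceTransformRules -split '@RuleName').Count - 1
"Transform rules: $ruleCount (expected 3)"
```

When the Admin Console values change, re-running this script after Remove-AdfsRelyingPartyTrust -TargetName 'Adobe SSO' reproduces the trust from the fresh metadata file; the verification lines at the end are the quickest way to confirm the signature algorithm and endpoints before asking a test user to sign in.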

Test Single Sign-on

Create a test user in Active Directory. Create an entry in the Admin Console for this user and assign it a license. Then test logging in to Adobe.com to confirm that the relevant software is listed for download.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
