User Guide Cancel

Configure Microsoft AD FS for use with Adobe SSO

Applies to enterprise.

Overview

The document highlights the process to configure the Adobe Admin Console with a Microsoft AD FS server.

The Identity Provider does not have to be accessible from outside the corporate network, but if it is not, only workstations within the network (or connected via VPN) will be able to perform authentication to activate a license or sign in after deactivating their session.

Set up SSO with Microsoft AD FS (Watch: 17 min)
Note:

Instructions and screenshots in this document are for AD FS version 3.0, but the same menus are present in AD FS 2.0.

Prerequisites

Before creating a directory for single sign-on using Microsoft AD FS, the following requirements must be met:

  • A Microsoft Windows Server installed with Microsoft AD FS and the latest operating system updates. If you want the users to use Adobe products with macOS, ensure that your server supports TLS version 1.2 and forward secrecy. To learn more about AD FS, see the Microsoft Identity and access document.
  • The server must be accessible from users' workstations (for example, via HTTPS).
  • Security certificate obtained from the AD FS server.
  • All Active Directory accounts, to be associated with a Creative Cloud for enterprise account, must have an email address listed within Active Directory.

Create a directory in the Adobe Admin Console

To configure single sign-on for your domain, you need to do the following: 

  1. Sign in to the Admin Console and start with creating a Federated ID directory, selecting Other SAML Providers as the identity provider. Download the Adobe metadata file from the Create directory wizard.
  2. Configure AD FS specifying the ACS URL and Entity ID, and download the IdP metadata file.
  3. Return to the Adobe Admin Console and upload the IdP metadata file in the Create directory wizard. Then, select Next, set up auto-account creation, and select Done.

To learn more about the details of each step, follow the hyperlinks.

Configure the AD FS server

To configure SAML integration with AD FS, perform the below steps:

Caution:

All subsequent steps must be repeated after any change to the values in the Adobe Admin Console for a given domain.

  1. Navigate within the AD FS Management application to AD FS -> Trust Relationships -> Relying Party Trusts and click Add Relying Party Trust to start the wizard.

  2. Click Start and select Import data from a relying party from a file, then browse to the location to which you copied the metadata from your Adobe Admin Console.

  3. Name your relying party trust and enter any additional notes as required.

    Click Next.

  4. Determine if multi-factor authentication is required and select the relevant option.

    Click Next.

  5. Determine if all users can log on via AD FS.

    Click Next.

  6. Review your settings.

    Click Next.

  7. Your relying party trust has been added.

    Leave the option ticked to open the Edit Claim Rules dialog to quickly access the next steps.

    Click Close.

  8. If the Edit Claim Rules wizard has not opened automatically, you can access it from the AD FS Management application under AD FS -> Trust Relationships -> Relying Party Trusts, by selecting your Adobe SSO relying party trust and clicking Edit Claim Rules... on the right-hand-side.

  9. Click Add rule and configure a rule using the template Send LDAP attributes as Claims for your attribute store, mapping the LDAP Attribute E-Mail-Addresses to Outgoing Claim Type E-Mail Address.

    Note:

    As shown in the above screenshot, we suggest using email address as the primary identifier. You can also use the User Principal Name (UPN) field as the LDAP attribute sent in an assertion as the email address. However, we do not recommend this to configure Claim Rule.

    Often the UPN does not map to an email address, and will in many cases be different. This will most likely cause problems for notifications and sharing of assets within Creative Cloud.

  10. Click Finish to complete adding the transform claim rule.

  11. Again, using the Edit Claim Rules wizard, add a rule using the template. Transform an incoming claim to convert Incoming claims of type E-Mail Address with Outgoing Claim Type Name ID and Outgoing Name ID Format as Email, passing through all claim values.

  12. Click Finish to complete adding the transform claim rule.

  13. Using the Edit Claim Rules wizard, add a rule using the template Send Claims Using a Custom Rule containing the following rule:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("Email", "FirstName", "LastName"), query = ";mail,givenName,sn;{0}", param = c.Value);

  14. Click Finish to complete the custom rule wizard.

  15. Click OK on the Edit Claim Rules dialog to complete adding these three rules to your relying party trust.

    Note:

    The order of the claim rules is important; they must appear as shown here.

To avoid connectivity problems between systems where the clock differs by a small amount, set the default time skew to 2 minutes. For more information on time-skew, see the troubleshooting errors document.

Download the AD FS metadata file

  1. Open the AD FS Management application on your server, and within the folder AD FS > Service > Endpoints, select the Federation Metadata.

    Metadata location

  2. Use a browser to navigate to the URL provided against Federation Metadata and download the file. For example, https://<your AD FS hostname>/FederationMetadata/2007-06/FederationMetadata.xml.

    Note:
    • Accept any warnings if prompted.
    • To know your Microrsoft AD FS hostname on a Windows operating system:
      Open Windows PowerShell > Run as Administrator > Type Get-AdfsProperties > Press enter > Look for your Hostname in the detailed list.

Upload IdP metadata file to Adobe Admin Console

To update the latest certificate, return to Adobe Admin Console window. Upload the metadata file downloaded from AD FS to the Add SAML profile screen and click Done.

Next steps: Complete setup to assign apps to users

Once you've set up your directory, do the following to enable your organization's users to use Adobe apps and services:

  1. Add and set up domains within the Admin Console.
  2. Associate the domains with the AD FS directory.
  3. (Optional) If your domains are already established within the Admin Console in another directory, transfer them directly to the newly created AD FS directory.
  4. Add product profiles to fine-tune the usage of your purchased plans.
  5. Test your SSO setup by adding a test user.
  6. Choose you user-management strategy and tools based on your requirements. Then, add users to the Admin Console and assign them to product profiles to get users started with their Adobe apps.

To learn more about other identity-related tools and techniques, see Set up identity.

Test Single Sign-on

Create a test user with active directory. Create an entry on the Admin Console for this user and assign it a license. Then, test logging in to Adobe.com to confirm that the relevant software is listed for download.

You can also test by logging in to Creative Cloud Desktop and from within an application such as Photoshop or Illustrator.

If you encounter problems, see our troubleshooting document. If you still require assistance with your single sign-on configuration, navigate to Support in the Adobe Admin console, and open a ticket with Customer Support.

Get help faster and easier

New user?